Releases: moritzzimmer/terraform-aws-lambda
v6.4.0
What's Changed
- refactor(deployment): use aws_s3_bucket_acl resource by @moritzzimmer in #62
- chore: updated tflint and added tfsec action by @moritzzimmer in #64
- feat: add input argument for cloudwatch_event_target by @ablotny in #63
Full Changelog: v6.3.0...v6.4.0
v6.3.0
What's Changed
- feat: added filter criteria for event source mappings by @moritzzimmer in #61
Full Changelog: v6.2.0...v6.3.0
v6.2.0
What's Changed
- feat: added possibility to disable CloudWatch logs by @moritzzimmer in #60
Full Changelog: v6.1.1...v6.2.0
v6.1.1
What's Changed
- chore: bumped dependencies by @moritzzimmer in #59
- fix(IAM): Add kinesis:ListShards IAM permission by @saefty in #58
Full Changelog: v6.1.0...v6.1.1
v6.1.0
What's Changed
- fix: allow Lambda Insights for arm64 and x86_64 architectures by @moritzzimmer in #52
Full Changelog: v6.0.1...v6.1.0
Version 6
In this major version release, deprecated terraform sub-modules and workarounds for aws provider versions < 2 have been removed.
Note: Terraform will destroy and then create a replacement of some of the resources when applying this version to existing 5.x stacks, especially the Lambda function and its IAM role.
In case of "Error: error creating IAM Role (my-function-eu-west-1): EntityAlreadyExists: Role with name my-function-eu-west-1 already exists." errors (the old role hasn't been fully deleted inside AWS yet), please apply the changes again.
New features
CloudWatch logs
The possibility to declare CloudWatch logs subscription filters has been enhanced to support:
- multiple subscription filters
- configuring the properties of cloudwatch_log_subscription_filter inline

cloudwatch_log_subscription_filters = {
  lambda_1 = {
    // see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter for available arguments
    destination_arn = module.destination_1.arn // required
  }
  lambda_2 = {
    destination_arn = module.destination_2.arn // required
  }
}

see example
In addition, the variable name to configure the retention time has been aligned to cloudwatch_logs_retention_in_days.
GovCloud
Hardcoded partition identifiers in ARNs have been refactored to support creating Lambda functions in AWS GovCloud (#50)
Breaking changes
- log_retention_in_days has been renamed to cloudwatch_logs_retention_in_days
- logfilter_destination_arn has been replaced by cloudwatch_log_subscription_filters (see above)
- deprecated event variable has been removed, use the specific cloudwatch_event_rules, event_source_mappings or sns_subscriptions instead. Note: there is no replacement for the deprecated s3 sub-module
- deprecated ssm_parameter_names variable has been removed, use ssm instead
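The renames above as a side-by-side migration, written as an added example for this page (it is not taken from the module's own examples). The structure of cloudwatch_log_subscription_filters and cloudwatch_event_rules follows the snippets in these release notes; the shape of the removed event variable on the 5.x side and of the new ssm variable on the 6.x side are assumptions about the module's input schema and should be checked against variables.tf of the pinned version. The log-shipper function referenced as the subscription filter destination is a placeholder. In a real stack only one of the two module blocks exists: the 5.x block is what gets replaced by the 6.x block, and, as noted above, Terraform will replace the function and its role when you do.

```hcl
# Added migration example (not from the module's own examples). The `event` shape on the
# 5.x side and the `ssm` shape on the 6.x side are assumptions about the module's input
# schema; verify them against variables.tf of the pinned version before applying.

data "archive_file" "handler" {
  type        = "zip"
  source_file = "${path.module}/index.js"
  output_path = "${path.module}/handler.zip"
}

# placeholder: an existing function that receives the subscribed log events
data "aws_lambda_function" "log_shipper" {
  function_name = "log-shipper"
}

# --- before: 5.x inputs that are removed or renamed in version 6 ---
module "lambda_v5" {
  source  = "moritzzimmer/lambda/aws"
  version = "5.17.0"

  function_name    = "example-migration"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  filename         = data.archive_file.handler.output_path
  source_code_hash = data.archive_file.handler.output_base64sha256

  log_retention_in_days     = 14
  logfilter_destination_arn = data.aws_lambda_function.log_shipper.arn

  // assumed 5.x shape of the deprecated `event` variable (cloudwatch-event sub-module)
  event = {
    type                = "cloudwatch-event"
    schedule_expression = "rate(1 minute)"
  }

  ssm_parameter_names = ["/example-migration/db-password"]
}

# --- after: the same function declared with the 6.x inputs ---
module "lambda_v6" {
  source  = "moritzzimmer/lambda/aws"
  version = "6.0.0"

  function_name    = "example-migration"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  filename         = data.archive_file.handler.output_path
  source_code_hash = data.archive_file.handler.output_base64sha256

  // renamed input, same value
  cloudwatch_logs_retention_in_days = 14

  // one named filter per former `logfilter_destination_arn`; any other
  // aws_cloudwatch_log_subscription_filter argument can be set inline
  cloudwatch_log_subscription_filters = {
    shipper = {
      destination_arn = data.aws_lambda_function.log_shipper.arn
    }
  }

  // replaces `event`; the module generates the permission EventBridge needs to invoke the function
  cloudwatch_event_rules = {
    scheduled = {
      schedule_expression = "rate(1 minute)"
    }
  }

  // assumed 6.x shape of the `ssm` variable that replaces `ssm_parameter_names`
  ssm = {
    parameter_names = ["/example-migration/db-password"]
  }
}
```

Pinning version on both blocks is what makes the before/after reviewable in a plan: the plan against the 6.x block should show only the function and role replacement described above, plus the subscription filter and event rule being recreated under their new names.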
What's Changed
- Version 6 by @moritzzimmer in #39
Full Changelog: v5.17.0...v6.0.0
AWS Graviton2
New Features
Added support for AWS Graviton2 architecture.
Example:
module "lambda" {
  source = "moritzzimmer/lambda/aws"

  architectures    = ["arm64"]
  description      = "powered by AWS Graviton2"
  filename         = module.source.output_path
  function_name    = "arm64"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  source_code_hash = module.source.output_base64sha256
}
What's Changed
- feat: added graviton support by @moritzzimmer in #49
Full Changelog: v5.16.0...v5.17.0
S3 Deployments
New Features
Enhanced the deployment module to support continuous deployment of Lambda functions packaged on S3.
Example:
locals {
  environment   = "production"
  function_name = "example-with-s3-codepipeline"
  s3_key        = "package/lambda.zip"
}

resource "aws_lambda_alias" "this" {
  function_name    = module.lambda.function_name
  function_version = module.lambda.version
  name             = local.environment

  lifecycle {
    ignore_changes = [function_version]
  }
}

module "deployment" {
  source = "moritzzimmer/lambda/aws//modules/deployment"

  alias_name    = aws_lambda_alias.this.name
  function_name = local.function_name
  s3_bucket     = aws_s3_bucket_object.source.bucket
  s3_key        = local.s3_key
}

module "lambda" {
  source = "moritzzimmer/lambda/aws"

  function_name                    = local.function_name
  handler                          = "index.handler"
  ignore_external_function_updates = true
  publish                          = true
  runtime                          = "nodejs14.x"
  // aws_s3_bucket_object.source uploads the package into the bucket declared below;
  // that resource is not shown here, see the linked example
  s3_bucket                        = aws_s3_bucket_object.source.bucket
  s3_key                           = local.s3_key
  s3_object_version                = aws_s3_bucket_object.source.version_id
}

resource "aws_s3_bucket" "source" {
  acl           = "private"
  bucket        = "source-bucket"
  force_destroy = true

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "source" {
  bucket = aws_s3_bucket.source.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

see example for details
Noteworthy
- the dependency to external modules has been removed in favour of standard resources from the aws provider. Upgrading existing projects might result in "Error: Error creating S3 bucket: BucketAlreadyOwnedByYou: Your previous request to create the named bucket succeeded and you already own it." errors. In this case run terraform apply again.
- public access to the internal S3 bucket used for CodePipeline has been removed
- container based deployments now publish a new version using the update-function-code API call directly. The intermediate step with a wait function is not necessary anymore
- upgraded to python 3.9 in CodeBuild
- CodeDeploy environment (compute type, image and type) is now configurable
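The "source" bucket from the S3 deployment example above, rewritten as an added example (not the module's own code) in the per-feature S3 resource style that the v6.4.0 entry refers to with aws_s3_bucket_acl, i.e. aws provider v4 and later, where the inline acl and versioning arguments of aws_s3_bucket are no longer the way to configure the bucket. Bucket and file names are placeholders; aws_s3_object is the provider v4 name of the aws_s3_bucket_object resource the example references.

```hcl
# Added example (not from the module's own examples): the deployment source bucket with
# ACL, versioning, encryption and public access block as separate resources. Names are placeholders.

resource "aws_s3_bucket" "source" {
  bucket        = "example-function-source-bucket"
  force_destroy = true
}

# Newer buckets have ACLs disabled unless object ownership allows them, so the ACL
# resource needs the ownership controls in place first; the public access block below
# is what actually guarantees nothing in this bucket can be made public.
resource "aws_s3_bucket_ownership_controls" "source" {
  bucket = aws_s3_bucket.source.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "source" {
  bucket     = aws_s3_bucket.source.id
  acl        = "private"
  depends_on = [aws_s3_bucket_ownership_controls.source]
}

# versioning is what gives `s3_object_version` in the lambda module its meaning:
# every upload produces a new immutable object version for the function to reference
resource "aws_s3_bucket_versioning" "source" {
  bucket = aws_s3_bucket.source.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "source" {
  bucket = aws_s3_bucket.source.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "source" {
  bucket = aws_s3_bucket.source.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# the packaged function; aws_s3_object replaced aws_s3_bucket_object in provider v4
resource "aws_s3_object" "source" {
  bucket = aws_s3_bucket.source.id
  key    = "package/lambda.zip"
  source = "${path.module}/lambda.zip"
  etag   = filemd5("${path.module}/lambda.zip")

  # make sure the first upload already lands in a versioned bucket
  depends_on = [aws_s3_bucket_versioning.source]
}
```

With this bucket the module inputs from the example above become s3_bucket = aws_s3_object.source.bucket and s3_object_version = aws_s3_object.source.version_id; the key stays local.s3_key.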
Special thanks
Thanks @thisismana for collaborating on this feature
What's Changed
- feat: deployment pipeline for S3 based function packages by @moritzzimmer in #44
Full Changelog: v5.14.0...v5.15.0
Destination config support
New Features
Added support to configure a SNS or SQS destination for discarded batches in event source mappings (supported for DynamoDb and Kinesis).
Required IAM permissions with minimum privileges to send SQS messages or publish to a SNS topic will be added automatically by the module.
Example:
module "lambda" {
  source = "moritzzimmer/lambda/aws"

  description      = "Example usage for an AWS Lambda with a DynamoDb event source mapping"
  filename         = data.archive_file.dynamodb_handler.output_path
  function_name    = "example-with-dynamodb-event-source-mapping"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  source_code_hash = data.archive_file.dynamodb_handler.output_base64sha256

  event_source_mappings = {
    table_1 = {
      event_source_arn       = aws_dynamodb_table.table_1.stream_arn
      maximum_retry_attempts = 3

      // optionally configure a SNS or SQS destination for discarded batches, required IAM
      // permissions will be added automatically by this module,
      // see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html
      destination_arn_on_failure = aws_sqs_queue.errors.arn
    }
  }
}

resource "aws_sqs_queue" "errors" {
  name = "${module.lambda.function_name}-processing-errors"
}
What's Changed
- feat: added support for on_failure destinations to event source mappings by @moritzzimmer in #43
Full Changelog: v5.13.0...v5.14.0
Lambda Insights and enhanced CloudWatch event rules
New Features
Amazon CloudWatch Lambda Insights
Amazon CloudWatch Lambda Insights can now be enabled for your zip and image deployment packages:

module "lambda" {
  // see above
  cloudwatch_lambda_insights_enabled = true
}
Please check the list of supported runtimes!
This module will add the required IAM permissions to the function role automatically for both package types.
In case of a zip deployment package, this module will also add the appropriate extension layer to your function (use cloudwatch_lambda_insights_extension_version to set the version of this layer).
For image deployment packages, the Lambda Insights extension needs to be added to the container image:
FROM public.ecr.aws/serverless/extensions/lambda-insights:12 AS lambda-insights
FROM public.ecr.aws/lambda/nodejs:12
COPY --from=lambda-insights /opt /opt
COPY app.js /var/task/
CloudWatch event rules
The possibilities to declare CloudWatch Event Rules inline have been enhanced with this release.
Using the new variable cloudwatch_event_rules you can now:
- declare N event rules instead of only one
- use a Lambda alias as the event target
- configure all attributes of the event rules inline
- rely on the module to generate the permissions EventBridge needs to trigger the Lambda function
module "lambda" {
  // see above
  cloudwatch_event_rules = {
    scheduled = {
      schedule_expression = "rate(1 minute)"

      // optionally overwrite arguments like 'description'
      // from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule
      description = "Triggered by CloudTrail"

      // optionally overwrite `cloudwatch_event_target_arn` in case an alias should be used for the event rule
      cloudwatch_event_target_arn = aws_lambda_alias.example.arn
    }

    pattern = {
      event_pattern = <<-PATTERN
        {
          "detail-type": [
            "AWS Console Sign In via CloudTrail"
          ]
        }
      PATTERN
    }
  }
}
see example for details
Deprecations
Using the event variable to configure the cloudwatch-event terraform sub-module is deprecated and will be removed in the next major release. You should be able to migrate to the new variable without downtime.
What's Changed
- added support for CloudWatch Lambda Insights by @moritzzimmer in #30
Full Changelog: v5.11.0...v5.12.0