v6.4.0

What's Changed

• refactor(deployment): use aws_s3_bucket_acl resource by @moritzzimmer in #62
• chore: upated tflint and added tfsec action by @moritzzimmer in #64
• feat: add input argument for cloudwatch_event_target by @ablotny in #63

New Contributors

• @ablotny made their first contribution in #63

Full Changelog: v6.3.0...v6.4.0

v6.3.0

What's Changed

• feat: added filter criteria for event source mappings by @moritzzimmer in #61

Full Changelog: v6.2.0...v6.3.0

v6.2.0

What's Changed

• feat: added possibility to disable CloudWatch logs by @moritzzimmer in #60

Full Changelog: v6.1.1...v6.2.0

v6.1.1

What's Changed

• chore: bumped dependencies by @moritzzimmer in #59
• fix(IAM): Add kinesis:ListShards IAM permission by @saefty in #58

New Contributors

• @saefty made their first contribution in #58

Full Changelog: v6.1.0...v6.1.1

v6.1.0

What's Changed

• fix: allow Lambda Insights for arm64 and x86_64 architectures by @moritzzimmer in #52

Full Changelog: v6.0.1...v6.1.0

Version 6

In this major version release, deprecated terraform sub-modules and workarounds for aws provider versions < 2 have been removed.

Note: Terraform will destroy and then create a replacement of some of the resources when applying this version to existing 5.x stacks, especially the Lambda function and it's IAM role.

In case of Error: error creating IAM Role (my-function-eu-west-1): EntityAlreadyExists: Role with name my-function-eu-west-1 already exists. errors (old role hasn't been fully deleted inside AWS), please apply the changes again.

New features

CloudWatch logs

The possibility to declare CloudWatch logs subscription filters has been enhanced to support:

• multiple subscription filters
• configure properties from cloudwatch_log_subscription_filter

  cloudwatch_log_subscription_filters = {
    lambda_1 = {
      //see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter for available arguments
      destination_arn = module.destination_1.arn // required
    }

    lambda_2 = {
      destination_arn = module.destination_2.arn // required
    }
  }

see example

In addition, the variable name to configure the retention time has been aliged to cloudwatch_logs_retention_in_days.

GovCloud

Hardcoded partition identifiers in ARNs have been refactored to support creating Lambda functions in AWS GovCloud (#50)

Breaking changes

• log_retention_in_days has been renamed to cloudwatch_logs_retention_in_days
• logfilter_destination_arn has been replaced by cloudwatch_log_subscription_filters (see above)
• deprecated event variable has been removed, use specific cloudwatch_event_rules, event_source_mappings or sns_subscriptions instead. Note: there is no replacement for the deprecated s3 sub-module
• deprecated ssm_parameter_names variable has been removed, use ssm instead

What's Changed

• Version 6 by @moritzzimmer in #39

Full Changelog: v5.17.0...v6.0.0

AWS Graviton2

New Features

Added support for AWS Graviton2 architecture.

Example:

module "lambda" {
  source = "moritzzimmer/lambda/aws"

  architectures    = ["arm64"]
  description      = "powered by AWS Graviton2"
  filename         = module.source.output_path
  function_name    = "arm64"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  source_code_hash = module.source.output_base64sha256
}

What's Changed

• feat: added graviton support by @moritzzimmer in #49

Full Changelog: v5.16.0...v5.17.0

S3 Deployments

New Features

Enhanced the deployment module to support continuous deployment of Lambda functions packaged on S3.

Example:

locals {
  environment   = "production"
  function_name = "example-with-s3-codepipeline"
  s3_key        = "package/lambda.zip"
}

resource "aws_lambda_alias" "this" {
  function_name    = module.lambda.function_name
  function_version = module.lambda.version
  name             = local.environment

  lifecycle {
    ignore_changes = [function_version]
  }
}

module "deployment" {
  source = "moritzzimmer/lambda/aws//modules/deployment"

  alias_name    = aws_lambda_alias.this.name
  function_name = local.function_name
  s3_bucket     = aws_s3_bucket_object.source.bucket
  s3_key        = local.s3_key
}

module "lambda" {
  source        = "moritzzimmer/lambda/aws"

  function_name                    = local.function_name
  handler                          = "index.handler"
  ignore_external_function_updates = true
  publish                          = true
  runtime                          = "nodejs14.x"
  s3_bucket                        = aws_s3_bucket_object.source.bucket
  s3_key                           = local.s3_key
  s3_object_version                = aws_s3_bucket_object.source.version_id
}

resource "aws_s3_bucket" "source" {
  acl           = "private"
  bucket        = "source-bucket"
  force_destroy = true

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "source" {
  bucket = aws_s3_bucket.source.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

see see example for details

Noteworthy

• the dependency to external modules has been removed in favour of standard resources from the aws provider. Upgrading existing projects might result in Error: Error creating S3 bucket: BucketAlreadyOwnedByYou: Your previous request to create the named bucket succeeded and you already own it. errors. In this case run terraform apply again.
• public access to the internal S3 bucket used for CodePipeline has been removed
• container based deployments now publish a new version using update-function-code API call directly. The intermediate step with a wait function is not necessary anymore
• upgraded to python 3.9 in CodeBuild
• CodeDeploy environment (compute type, image and type) are now configurable

Special thanks

Thanks @thisismana for collaborating on this feature

What's Changed

• feat: deployment pipeline for S3 based function packages by @moritzzimmer in #44

Full Changelog: v5.14.0...v5.15.0

Destination config support

New Features

Added support to configure a SNS or SQS destination for discarded batches in event source mappings (supported for DynamoDb and Kinesis.

Required IAM permissions with minimum priviledges to send SQS messages or publish to a SNS topic will be a added automatically by the module.

Example:

module "lambda" {
  source = "moritzzimmer/lambda/aws"

  description      = "Example usage for an AWS Lambda with a DynamoDb event source mapping"
  filename         = data.archive_file.dynamodb_handler.output_path
  function_name    = "example-with-dynamodb-event-source-mapping"
  handler          = "index.handler"
  runtime          = "nodejs14.x"
  source_code_hash = data.archive_file.dynamodb_handler.output_base64sha256

  event_source_mappings = {
    table_1 = {
      event_source_arn       = aws_dynamodb_table.table_1.stream_arn
      maximum_retry_attempts = 3

      // optionally configure a SNS or SQS destination for discarded batches, required IAM
      // permissions will be added automatically by this module,
      // see https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html
      destination_arn_on_failure = aws_sqs_queue.errors.arn
  }
}

resource "aws_sqs_queue" "errors" {
  name = "${module.lambda.function_name}-processing-errors"
}

What's Changed

• feat: added support for on_failure destinations to event source mappings by @moritzzimmer in #43

Full Changelog: v5.13.0...v5.14.0

Lambda Insights and enhanced CloudWatch event rules

New Features

Amazon CloudWatch Lambda Insights

Amazon CloudWatch Lambda Insights can now be enabled for your zip and image deployment packages:

module "lambda" {
  // see above

  cloudwatch_lambda_insights_enabled = true
}

Please check the list of supported runtimes!

This module will add the required IAM permissions to the function role automatically for both package types.

In case of a zip deployment package, this module will also add the appropriate extension layer
to your function (use cloudwatch_lambda_insights_extension_version to set the version of this layer).

For image deployment packages, the Lambda Insights extension needs to be added to the container image:

FROM public.ecr.aws/serverless/extensions/lambda-insights:12 AS lambda-insights

FROM public.ecr.aws/lambda/nodejs:12
COPY --from=lambda-insights /opt /opt
COPY app.js /var/task/

CloudWatch event rules

The possibilities to declare CloudWatch Event Rules inline have been enhanced with this release.

Using the new variable cloudwatch_event_rules you can now:

• declare N event rules instead of only one
• use a Lambda alias as the event traget
• configure all attributes of the event rules inline
• required permissions to trigger Lambda by EventBridge will be generated

module "lambda" {
  // see above

cloudwatch_event_rules = {
    scheduled = {
      schedule_expression = "rate(1 minute)"

      // optionally overwrite arguments like 'description'
      // from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule
      description = "Triggered by CloudTrail"

      // optionally overwrite `cloudwatch_event_target_arn` in case an alias should be used for the event rule
      cloudwatch_event_target_arn = aws_lambda_alias.example.arn
    }

    pattern = {
      event_pattern = <<PATTERN
      {
        "detail-type": [
          "AWS Console Sign In via CloudTrail"
        ]
      }
      PATTERN
    }
  }
}

see example for details

Deprecations

Using the event variable to configure the cloudwatch-event terraform sub-module is deprecated and will be removed in the next major release. You should be able to migrate to the new variable without downtime.

What's Changed

• added support for CloudWatch Lambda Insights by @moritzzimmer in #30

Full Changelog: v5.11.0...v5.12.0