terraform-aws-lambda

Production-grade Lambda with packaging, SnapStart, function URLs, event sources, canary deployments, and observability
Requirements: Terraform ≥ 1.5.0, AWS Provider ≥ 5.20.0. Defaults: arm64 architecture, X-Ray tracing enabled; KMS customer-managed key encryption for environment variables and logs is supported (kms_key_arn is optional).

Executive Summary

This module deploys AWS Lambda functions with comprehensive support for three packaging modes (local Zip via archive_file, S3, and container images from ECR), SnapStart for Java cold start optimization, HTTPS function URLs with configurable CORS, event source mappings for SQS/DynamoDB Streams/Kinesis with filter criteria, async invocation destinations (success/failure), alias-based canary deployments with provisioned concurrency, VPC integration for private subnet deployment, X-Ray tracing, KMS-encrypted environment variables and logs, dead letter queues, and least-privilege IAM execution roles with conditional policies scoped to specific resource ARNs.

Overview

  • Resources created: 9+ (function, function URL, alias, concurrency config, event source mappings, destinations, permissions, CloudWatch Logs, IAM)
  • Input variables: 28 (function_name, runtime, handler, packaging, VPC, tracing, events, etc.)
  • Outputs: 10 (function_arn, invoke_arn, function_url, alias_arn, role_arn, log_group_arn, etc.)
  • Architectures: arm64 by default (about 20% cheaper per GB-second than x86_64, which is also supported)

Architecture Diagram

  Triggers
    • API Gateway, EventBridge / S3 / SNS (authorized through Lambda permissions)
    • Function URL (HTTPS)
    • SQS Queue, Kinesis Stream, DynamoDB Stream (polled through event source mappings)
      ↓
  Lambda Function (Zip / Container Image)
    • SnapStart (Java cold start)
    • Lambda Layers (up to 5)
    • VPC Config (private subnets)
    • Env Variables (KMS encrypted)
    • Alias "live" (versioned) with Provisioned Concurrency
      ↓
  Outcomes
    • On Success → SNS / SQS / Lambda
    • On Failure → SNS / SQS / DLQ
    • CloudWatch Logs (JSON / Text), X-Ray Tracing (Active)

Component Breakdown

Lambda Function

  • Zip packaging: local source_path or S3 bucket/key
  • Container packaging: ECR image_uri
  • Runtimes: Python 3.8-3.13, Node.js 16-22, Java 8-21, .NET 6-8, Ruby, Go, custom
  • arm64 default architecture (20% cost savings)
  • Memory: 128 MB - 10,240 MB; Timeout: 1-900 seconds

Event Sources & Triggers

  • Event source mappings: SQS, DynamoDB Streams, Kinesis
  • Filter criteria for event pattern matching
  • Batch size, windowing, bisect on error
  • Lambda permissions for API Gateway, EventBridge, S3, SNS
  • Function URL with CORS and AWS_IAM or NONE auth
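The two event source mappings below are an added example, not the module's own code: they are written directly against the AWS provider so the filter, batching, bisect and on-failure options listed above are visible. The queue, table, function and failure-queue resources they reference are assumed to exist elsewhere in the configuration.

```hcl
# Added example (not the module's code). Assumed resources: aws_sqs_queue.orders,
# aws_dynamodb_table.orders (streams enabled), aws_lambda_function.orders,
# aws_sqs_queue.orders_stream_failures.

# SQS: small batches, short batching window, filter on the JSON message body.
resource "aws_lambda_event_source_mapping" "orders_sqs" {
  event_source_arn                   = aws_sqs_queue.orders.arn
  function_name                      = aws_lambda_function.orders.arn
  batch_size                         = 10
  maximum_batching_window_in_seconds = 5

  # Only messages whose body is JSON with type == "order.created" are delivered.
  # Non-matching messages are deleted from the queue without an invocation, so
  # a too-narrow pattern silently discards data; test patterns before rollout.
  filter_criteria {
    filter {
      pattern = jsonencode({
        body = { type = ["order.created"] }
      })
    }
  }

  # Let the handler report per-message failures (batchItemFailures) so one bad
  # message does not return the whole batch to the queue.
  function_response_types = ["ReportBatchItemFailures"]

  # Cap pollers so a burst cannot consume the account's unreserved concurrency.
  scaling_config {
    maximum_concurrency = 20
  }
}

# DynamoDB Streams are ordered per shard: use bisect, retry limits and an
# on-failure destination so a poison record cannot block the shard for 24 hours.
resource "aws_lambda_event_source_mapping" "orders_stream" {
  event_source_arn               = aws_dynamodb_table.orders.stream_arn
  function_name                  = aws_lambda_function.orders.arn
  starting_position              = "LATEST"
  batch_size                     = 100
  parallelization_factor         = 2
  bisect_batch_on_function_error = true
  maximum_retry_attempts         = 3
  maximum_record_age_in_seconds  = 3600

  # Only inserts/updates whose new image has status PENDING are delivered.
  filter_criteria {
    filter {
      pattern = jsonencode({
        eventName = ["INSERT", "MODIFY"]
        dynamodb  = { NewImage = { status = { S = ["PENDING"] } } }
      })
    }
  }

  # Records that exhaust retries are sent here (metadata, not the record body)
  # instead of being dropped.
  destination_config {
    on_failure {
      destination_arn = aws_sqs_queue.orders_stream_failures.arn
    }
  }
}
```

The execution role still needs sqs:ReceiveMessage / sqs:DeleteMessage / sqs:GetQueueAttributes on the queue, dynamodb:GetRecords / GetShardIterator / DescribeStream / ListStreams on the stream, and sqs:SendMessage on the failure queue; those grants should be scoped to the exact ARNs rather than `*`.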

Deployment & Scaling

  • Alias-based deployments (e.g., "live")
  • Provisioned concurrency for consistent latency
  • SnapStart for Java cold start optimization
  • Reserved concurrent executions for throttle control
  • Auto-publish versions when alias or provisioned concurrency configured
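As an added example (not the module's code), the resources below show what the list above means at the provider level: a published version, a "live" alias that canaries 10% of traffic to a newer version, provisioned concurrency on the canary version, and a separate Java function with SnapStart. The role, bucket, artifact paths and version numbers are assumptions.

```hcl
# Added example (not the module's code). Assumed: aws_iam_role.exec,
# aws_s3_bucket.artifacts, a local build/api.zip, and that version "7" is the
# currently trusted version of orders-api.

resource "aws_lambda_function" "api" {
  function_name    = "orders-api"
  role             = aws_iam_role.exec.arn
  runtime          = "nodejs20.x"
  handler          = "index.handler"
  architectures    = ["arm64"]
  filename         = "build/api.zip"
  source_code_hash = filebase64sha256("build/api.zip")

  # Aliases can only point at numbered versions, so every apply that changes
  # the code must publish one. With publish = false the alias would keep
  # serving the old version while $LATEST moved on.
  publish = true

  # Hard ceiling for this function: protects downstream dependencies and the
  # rest of the account's concurrency pool.
  reserved_concurrent_executions = 50
}

resource "aws_lambda_alias" "live" {
  name             = "live"
  function_name    = aws_lambda_function.api.function_name
  function_version = "7" # illustrative: the stable version; must differ from the canary

  # Canary: 10% of invocations through the alias go to the just-published version.
  routing_config {
    additional_version_weights = {
      (aws_lambda_function.api.version) = 0.1
    }
  }
}

# Pre-warm execution environments for the canary version so its latency is
# comparable to the stable version's. A version is used as the qualifier here;
# an alias that points at a single version is also valid. $LATEST is not.
resource "aws_lambda_provisioned_concurrency_config" "canary" {
  function_name                     = aws_lambda_function.api.function_name
  qualifier                         = aws_lambda_function.api.version
  provisioned_concurrent_executions = 5
}

# Java with SnapStart: the snapshot is taken when a version is published, so
# publish = true is required and traffic must reach the function through a
# version or alias. SnapStart and provisioned concurrency cannot be combined on
# one function, so this one gets no provisioned concurrency config. Architecture
# is left at the provider default; confirm SnapStart support for your runtime
# and architecture before setting arm64 here.
resource "aws_lambda_function" "java" {
  function_name = "orders-java"
  role          = aws_iam_role.exec.arn
  runtime       = "java21"
  handler       = "com.example.Handler::handleRequest"
  memory_size   = 1024
  timeout       = 30
  s3_bucket     = aws_s3_bucket.artifacts.id
  s3_key        = "orders-java/1.4.2.jar" # illustrative object key
  publish       = true

  snap_start {
    apply_on = "PublishedVersions"
  }
}

resource "aws_lambda_alias" "java_live" {
  name             = "live"
  function_name    = aws_lambda_function.java.function_name
  function_version = aws_lambda_function.java.version
}
```

Callers (API Gateway, function URL, event source mappings) should reference the alias ARN, not the bare function ARN, otherwise they bypass both the canary split and the provisioned concurrency.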

Observability & Security

  • X-Ray tracing (Active or PassThrough mode)
  • CloudWatch Logs with configurable retention (1-3653 days)
  • JSON or Text log format
  • KMS encryption for env vars and logs
  • Dead letter queue (SNS or SQS)
  • Least-privilege IAM with conditional policy attachments

Data Flow

  1. Event sources (API Gateway, SQS, Kinesis, etc.) invoke the Lambda function
  2. Lambda permission resources authorize each trigger service
  3. Function URL provides direct HTTPS access with optional CORS
  4. Event source mappings poll SQS/Kinesis/DDB Streams and invoke in batches
  5. Function executes with environment variables decrypted from KMS at runtime
  6. Async invocations route success/failure to configured destinations
  7. Failed events can be sent to dead letter queue (SNS/SQS)
  8. X-Ray traces and CloudWatch Logs capture execution telemetry

Security Controls

  Control            | Implementation                                   | Default
  -------------------|--------------------------------------------------|------------------------------
  IAM Execution Role | Least-privilege with conditional policies        | Auto-created
  Env Var Encryption | KMS customer-managed key                         | kms_key_arn = null (optional)
  Log Encryption     | KMS-encrypted CloudWatch Log Group               | Same KMS key
  VPC Isolation      | Private subnet + security group deployment       | vpc_config = null
  Function URL Auth  | AWS_IAM or NONE                                  | AWS_IAM
  Dead Letter Queue  | SNS or SQS for failed invocations                | null
  Concurrency Limit  | Reserved concurrent executions                   | -1 (unreserved)
  No Wildcard IAM    | Event source permissions scoped to resource ARNs | Always enforced
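The role below is an added example, not the module's generated role: it shows what "least-privilege" and "no wildcard IAM" look like in policy terms, with each statement scoped to the concrete ARN the function touches and the one unavoidable `*` (X-Ray) called out. The log group, queue and KMS key resources it references are assumed.

```hcl
# Added example (not the module's code). Assumed resources:
# aws_cloudwatch_log_group.fn, aws_sqs_queue.orders, aws_sqs_queue.dlq, aws_kms_key.fn.

data "aws_region" "current" {}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "exec" {
  name               = "orders-fn-exec"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

data "aws_iam_policy_document" "exec" {
  # Logs: only this function's log group, instead of the managed
  # AWSLambdaBasicExecutionRole policy's arn:aws:logs:*:*:*.
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.fn.arn}:*"]
  }

  # SQS event source: the poller runs with this role, so it needs receive/delete
  # on exactly one queue.
  statement {
    actions   = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]
    resources = [aws_sqs_queue.orders.arn]
  }

  # DLQ / on-failure destination: send only, one queue.
  statement {
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.dlq.arn]
  }

  # KMS: decrypt environment variables with the one CMK, and only when the
  # request arrives through the Lambda service in this region.
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.fn.arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["lambda.${data.aws_region.current.name}.amazonaws.com"]
    }
  }

  # X-Ray: these actions do not support resource-level permissions, so "*" is
  # the narrowest possible resource here.
  statement {
    actions   = ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "exec" {
  role   = aws_iam_role.exec.id
  policy = data.aws_iam_policy_document.exec.json
}
```

If the function runs inside a VPC, the role additionally needs ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface; those EC2 actions also lack resource-level scoping, so they are the second legitimate `*`.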

Industry Adaptation

API Backend / Microservices

  • Function URL or API Gateway trigger
  • Provisioned concurrency for low latency
  • Alias-based canary deployments
  • X-Ray tracing for distributed tracing

Event Processing Pipeline

  • SQS/Kinesis event source mappings
  • Filter criteria to reduce invocations
  • Batch processing with bisect on error
  • DLQ for poison message handling

Enterprise Java (SnapStart)

  • SnapStart for sub-second cold starts
  • Java 11/17/21 runtimes
  • S3-based deployment packages
  • Alias-based version management

Production Readiness Checklist

Configuration Reference

Key Inputs

  Variable                | Type         | Default   | Description
  ------------------------|--------------|-----------|--------------------------------------------------------------------
  function_name           | string       | (none)    | Unique function name (required)
  runtime                 | string       | null      | Runtime (python3.12, nodejs20.x, java21, etc.); required when package_type = Zip, must stay unset for Image
  handler                 | string       | null      | Entry point (e.g., index.handler); required when package_type = Zip, must stay unset for Image
  architectures           | list(string) | ["arm64"] | CPU architecture
  memory_size             | number       | 128       | MB (128-10240)
  timeout                 | number       | 30        | Seconds (1-900)
  package_type            | string       | Zip       | Zip or Image
  enable_function_url     | bool         | false     | Create HTTPS endpoint (AWS_IAM auth by default)
  enable_snapstart        | bool         | false     | Java cold start optimization
  enable_xray_tracing     | bool         | true      | X-Ray tracing
  event_source_mappings   | list(object) | []        | SQS/Kinesis/DDB mappings
  provisioned_concurrency | number       | 0         | Pre-warmed executions
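A module call using the input names from the table above, as an added example rather than something taken from this README. The module source path, the object shapes of `vpc_config` and `event_source_mappings`, and the `source_path`, `kms_key_arn`, `dead_letter_target_arn` and `environment_variables` names are assumptions drawn from the prose; confirm them against the module's variables.tf before use.

```hcl
# Added example (not from this README). Assumed: the module lives two
# directories up, and the referenced KMS key, VPC, security group, queues and
# table exist elsewhere in the root configuration.

module "orders_fn" {
  source = "../../" # assumed relative path to this module

  function_name = "orders-processor"
  runtime       = "python3.12"
  handler       = "app.handler"
  package_type  = "Zip"
  source_path   = "${path.module}/src" # assumed name; zipped via archive_file in the module

  architectures = ["arm64"]
  memory_size   = 512
  timeout       = 60

  # Function URL: keep the module's AWS_IAM default. Switching the URL to NONE
  # auth makes the handler reachable by anyone on the internet; only do that
  # for content that is meant to be public, and then rate-limit it elsewhere.
  enable_function_url = true

  enable_xray_tracing = true

  # One CMK encrypts both environment variables and the log group.
  kms_key_arn = aws_kms_key.fn.arn # assumed variable name

  # Private subnets only; egress is governed by the security group.
  vpc_config = { # assumed shape
    subnet_ids         = module.vpc.private_subnets
    security_group_ids = [aws_security_group.fn.id]
  }

  # Poll one queue, deliver only order.created messages, ten at a time.
  event_source_mappings = [{ # assumed shape
    event_source_arn = aws_sqs_queue.orders.arn
    batch_size       = 10
    filter_criteria = [{
      pattern = jsonencode({ body = { type = ["order.created"] } })
    }]
  }]

  # Failed async invocations land here instead of being retried into silence.
  dead_letter_target_arn = aws_sqs_queue.dlq.arn # assumed variable name

  environment_variables = { # assumed variable name
    TABLE_NAME = aws_dynamodb_table.orders.name
    LOG_LEVEL  = "INFO"
  }

  # Provisioned concurrency implies a published version and alias (see
  # Deployment & Scaling); 0 keeps the function on-demand.
  provisioned_concurrency = 0
}

output "orders_fn_url" {
  value = module.orders_fn.function_url
}
```

Secrets do not belong in `environment_variables` even with a CMK: the key only protects them at rest in the Lambda control plane, and anyone with lambda:GetFunctionConfiguration plus kms:Decrypt can read them back. Keep credentials in Secrets Manager or Parameter Store and fetch them at init.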

Key Outputs

  Output         | Description
  ---------------|--------------------------------
  function_arn   | Lambda function ARN
  invoke_arn     | ARN for API Gateway invocation
  function_url   | HTTPS endpoint URL
  alias_arn      | Alias ARN
  role_arn       | Execution IAM role ARN
  log_group_name | CloudWatch Log Group name

Deployment

# Initialize
terraform init

# Plan
terraform plan -var-file="lambda.tfvars"

# Apply
terraform apply -var-file="lambda.tfvars"

# Test invocation (AWS CLI v2 needs --cli-binary-format to accept a raw JSON payload;
# add --qualifier live when an alias is deployed so the test hits the same version as real traffic)
aws lambda invoke \
  --function-name <function_name> \
  --cli-binary-format raw-in-base64-out \
  --payload '{"key":"value"}' \
  response.json

# Check logs
aws logs tail /aws/lambda/<function_name> --follow

Links & References