Module: lambda_function
Defines the Lambda functions used in automation (e.g., the controlled EC2 stop logic) and their invoke permissions. Each key in the `lambdas` map auto-packages the directory found at `src/functions/<lambda_key>/` into `src/functions/<lambda_key>.zip` during `terraform plan`/`apply`.
Lambda Directory Structure
All lambdas use a directory-based structure:
```text
src/functions/
├── ec2_stop_function/
│   └── ec2_stop_function.py
├── manage_route_function/
│   └── manage_route_function.py
├── update_hsweb_url_function/
│   ├── main.py
│   └── update_hsweb_url.bash
└── ...
```
This structure allows additional files, helper scripts, or vendored dependencies to be shipped alongside the Lambda handler; everything in the directory ends up in the deployment package.
Input Map Key Pattern
Root variable: lambdas (map of objects).
| Field | Type | Required | Description |
|---|---|---|---|
| function_name | string | optional | Override generated name (prefix + key + suffix). |
| role | string | required | IAM role key (must exist in iamroles output map). |
| handler | string | required | Entrypoint in the form `<module>.<function>`, where `<module>` is the Python file name (without `.py`) inside the lambda directory, e.g. `ec2_stop_function.lambda_handler`, or `main.lambda_handler` for `update_hsweb_url_function`. |
| runtime | string | required | Runtime (e.g., python3.12). |
| timeout | number | optional | Seconds (default 300). |
| memory_size | number | optional | MB (default 128). |
| description | string | optional | Function description. |
| publish | bool | optional | Publish version (default false). |
Related: lambda_permissions Map
Root variable: lambda_permissions (map of objects). Defines invoke permissions separately from the function definition; each entry becomes one statement in the target function's resource-based policy.
| Field | Type | Required | Description |
|---|---|---|---|
| statement_id | string | required | Unique statement identifier |
| action | string | required | Typically lambda:InvokeFunction |
| function_name | string | required | Key of the lambda in lambdas map |
| principal | string | required | Service or account allowed to invoke (e.g. events.amazonaws.com, ssm.amazonaws.com) |
| source_arn | string | conditional | Restricts which resource may invoke (e.g., an EventBridge rule name resolved to its ARN). Strongly recommended for service principals: without a source restriction, any resource of that service in any AWS account is allowed to invoke the function. |
Behavior
- Directory-based packaging: for every lambda key `X`, Terraform packages the entire `src/functions/X/` directory into `src/functions/X.zip`.
- Multi-file support: additional files (scripts, configs, dependencies) placed in the lambda directory are packaged together with the handler.
- Source code tracking: `source_code_hash` uses the archive's base64-encoded SHA256, so the function is updated only when the directory contents change.
- Build artifacts: zip files (`src/functions/*.zip`) are generated during Terraform operations and ignored by Git; they are derived output, not checked-in artifacts.
- Permissions: managed via the separate `lambda_permissions` map, so several services can be granted invoke rights on the same function, each as its own policy statement.
- Naming: the function name defaults to `prefix + key + suffix` unless the `function_name` attribute overrides it.
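The following Terraform is an added illustration of how the behavior above can be implemented; it is not the module's own source. It assumes the module receives an `iamroles` input map (role key to role ARN) plus `prefix` and `suffix` strings, and that a bare `source_arn` value is an EventBridge rule name in the current account and region. The `source_account` fallback on permissions without a `source_arn` is an extension assumed here, not a documented field of the module.

```hcl
terraform {
  required_version = ">= 1.3" # optional() defaults and startswith()
  required_providers {
    aws     = { source = "hashicorp/aws" }
    archive = { source = "hashicorp/archive" }
  }
}

variable "prefix" {
  type    = string
  default = ""
}

variable "suffix" {
  type    = string
  default = ""
}

variable "iamroles" {
  # Assumed shape: role key -> IAM role ARN.
  type = map(string)
}

variable "lambdas" {
  type = map(object({
    function_name = optional(string)
    role          = string
    handler       = string
    runtime       = string
    timeout       = optional(number, 300)
    memory_size   = optional(number, 128)
    description   = optional(string)
    publish       = optional(bool, false)
  }))
}

variable "lambda_permissions" {
  type = map(object({
    statement_id  = string
    action        = string
    function_name = string
    principal     = string
    source_arn    = optional(string)
  }))
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# One zip per lambda key, built from the whole directory at plan/apply time.
data "archive_file" "lambda" {
  for_each    = var.lambdas
  type        = "zip"
  source_dir  = "${path.module}/src/functions/${each.key}"
  output_path = "${path.module}/src/functions/${each.key}.zip"
}

resource "aws_lambda_function" "this" {
  for_each = var.lambdas

  function_name = coalesce(each.value.function_name, "${var.prefix}${each.key}${var.suffix}")
  role          = var.iamroles[each.value.role]
  handler       = each.value.handler
  runtime       = each.value.runtime
  timeout       = each.value.timeout
  memory_size   = each.value.memory_size
  description   = each.value.description
  publish       = each.value.publish

  filename = data.archive_file.lambda[each.key].output_path
  # Redeploys only when the packaged directory contents change.
  source_code_hash = data.archive_file.lambda[each.key].output_base64sha256
}

locals {
  # Assumed convention: a value already starting with "arn:" is passed through;
  # anything else is treated as an EventBridge rule name in this account/region.
  resolved_source_arn = {
    for k, p in var.lambda_permissions : k =>
    p.source_arn == null ? null :
    startswith(p.source_arn, "arn:") ? p.source_arn :
    "arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/${p.source_arn}"
  }
}

resource "aws_lambda_permission" "this" {
  for_each = var.lambda_permissions

  statement_id  = each.value.statement_id
  action        = each.value.action
  function_name = aws_lambda_function.this[each.value.function_name].function_name
  principal     = each.value.principal
  source_arn    = local.resolved_source_arn[each.key]
  # Assumed extension: when no source_arn is given, at least pin the statement
  # to this account so the service principal cannot be driven from a foreign account.
  source_account = each.value.source_arn == null ? data.aws_caller_identity.current.account_id : null
}
```

The `source_code_hash` is what makes the directory-based packaging safe to run on every plan: the zip is rebuilt each time, but Lambda is only updated when its contents actually differ. The permission resource is keyed on the `lambda_permissions` map key rather than on the function, which is what lets two entries (EventBridge and SSM in the page's example) attach to the same function without clashing.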
Example
Lambda Function
```hcl
lambdas = {
  ec2_stop_function = {
    role    = "Lambda_AutomationRole"
    handler = "ec2_stop_function.lambda_handler"
    runtime = "python3.12"
    timeout = 300
  }
}
```
Lambda Permissions
```hcl
lambda_permissions = {
  eventbridge_permission = {
    statement_id  = "AllowEventBridgeInvoke"
    action        = "lambda:InvokeFunction"
    function_name = "ec2_stop_function"
    principal     = "events.amazonaws.com"
    source_arn    = "ec2-shutdown-everynight" # EventBridge rule name
  }
  ssm_permission = {
    statement_id  = "AllowSSMInvoke"
    action        = "lambda:InvokeFunction"
    function_name = "ec2_stop_function"
    principal     = "ssm.amazonaws.com"
  }
}
```
Note that `ssm_permission` carries no `source_arn`: that statement lets the `ssm.amazonaws.com` service principal invoke the function regardless of which automation or account triggers it. Add a `source_arn` (or an equivalent source restriction) whenever the invoking resource is known.