Gist by sangam14, created September 26, 2024 07:34
# AWS Lambda with Terraform (In-Depth)
## Overview
- Automate deployment and management of AWS Lambda functions
- Terraform allows declarative infrastructure management: the function, its IAM role, its triggers and its logging are all reviewable in code before they are applied
## Terraform Components
### AWS Provider
- Configure the AWS provider to connect to the AWS account
- Example:
```terraform
provider "aws" {
  region = "us-west-2"
}
```
### AWS Lambda Function
- Define the Lambda function resource with various configurations
- Example:
```terraform
resource "aws_lambda_function" "example" {
  function_name = "my_lambda"
  runtime       = "python3.12"   # use a runtime AWS still supports; python3.8 has been deprecated
  handler       = "lambda_function.lambda_handler"
  role          = aws_iam_role.lambda_role.arn
  filename      = "lambda_function.zip"
  # Without this hash Terraform does not notice when the ZIP contents change
  source_code_hash = filebase64sha256("lambda_function.zip")
  memory_size   = 128
  timeout       = 10
  environment {
    variables = {
      # Configuration only: environment variables are readable by anyone with
      # lambda:GetFunctionConfiguration, so do not put secrets here
      "ENV_VAR_1" = "value1"
    }
  }
}
```
### Lambda Function Configuration
- **Key Attributes**
  - `function_name`: Name of the Lambda function
  - `runtime`: Runtime identifier (Python, Node.js, Go, Java, etc.); AWS eventually blocks creating and then updating functions on a deprecated runtime
  - `handler`: Entry point of the function (e.g., `index.handler`)
  - `memory_size`: Memory allocation, 128 MB to 10,240 MB; CPU share scales with memory
  - `timeout`: Maximum execution time, 1 to 900 seconds
  - `environment`: Environment variables; encrypted at rest with an AWS managed key unless `kms_key_arn` is set, but still plain text to anyone who can read the function configuration or the Terraform state
  - `role`: IAM execution role Lambda assumes when it runs the function; scope it to what the code actually calls
  - `source_code_hash`: Base64 SHA-256 of the package; set it so a changed package triggers a redeploy
### Deployment Package
- **Package Code**
  - Use `filename` to specify the deployment package (ZIP file), together with `source_code_hash` so Terraform redeploys when the package changes
  - Example:
```terraform
filename         = "lambda_function.zip"
source_code_hash = filebase64sha256("lambda_function.zip")
```
- **Source Code from S3**
  - Deploy code from an S3 bucket instead of local files; enable bucket versioning and pin `s3_object_version`, otherwise whoever can overwrite the key can change what the next apply deploys
  - Example:
```terraform
s3_bucket = "lambda-deployment-bucket"
s3_key    = "lambda_function.zip"
```
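- Worked example (added here, not part of the original gist): build the ZIP with the `archive` provider's `archive_file` data source, upload it to a private, versioned S3 bucket, and pin the function to that exact object version and content hash. The bucket name and the `src` directory are assumptions; `aws_iam_role.lambda_role` is the role defined in the IAM section of this page, and this resource replaces the `aws_lambda_function.example` fragment above rather than sitting next to it.

```terraform
# Added example, not from the original gist. Bucket name and source directory
# are assumptions; adjust them to your environment.
data "archive_file" "lambda" {
  type        = "zip"
  source_dir  = "${path.module}/src"                      # assumed: handler code lives here
  output_path = "${path.module}/build/lambda_function.zip"
}

resource "aws_s3_bucket" "artifacts" {
  bucket = "example-lambda-artifacts-bucket"               # assumed; must be globally unique
}

# Versioning lets the function pin one immutable object version
resource "aws_s3_bucket_versioning" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Deployment artifacts should never be publicly readable
resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket                  = aws_s3_bucket.artifacts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_object" "lambda" {
  bucket = aws_s3_bucket.artifacts.id
  key    = "my_lambda/lambda_function.zip"
  source = data.archive_file.lambda.output_path
  # etag changes whenever the ZIP content changes, so Terraform re-uploads it
  etag   = data.archive_file.lambda.output_md5

  depends_on = [aws_s3_bucket_versioning.artifacts]
}

resource "aws_lambda_function" "example" {
  function_name = "my_lambda"
  runtime       = "python3.12"
  handler       = "lambda_function.lambda_handler"
  role          = aws_iam_role.lambda_role.arn              # from the IAM role section of this page

  s3_bucket         = aws_s3_bucket.artifacts.id
  s3_key            = aws_s3_object.lambda.key
  s3_object_version = aws_s3_object.lambda.version_id       # exact version, not "latest"

  # Terraform compares this hash with the deployed function; without it a
  # rebuilt ZIP under the same key would never be redeployed.
  source_code_hash = data.archive_file.lambda.output_base64sha256

  memory_size = 128
  timeout     = 10
}
```

`terraform plan` now shows a function update only when the code actually changed, and the S3 object version recorded in state tells you exactly which artifact is running.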
### Lambda Layers
- Use Lambda Layers to share dependencies across functions
- Example:
```terraform
resource "aws_lambda_layer_version" "example" {
  layer_name          = "my_layer"
  filename            = "layer.zip"
  source_code_hash    = filebase64sha256("layer.zip")
  compatible_runtimes = ["python3.12"]
}
```
- **Attach Layers to Lambda Function**
  - Add `layers` to the existing function resource; a second `resource "aws_lambda_function" "example"` block would be a duplicate-resource error, so the fragments on this page all belong to the one resource defined above
  - A layer runs inside your function with your execution role's permissions, so only reference layers you build yourself or whose publisher you trust, and pin the versioned ARN (`aws_lambda_layer_version.example.arn`) rather than the unversioned `layer_arn`
  - Example:
```terraform
resource "aws_lambda_function" "example" {
  function_name = "my_lambda"
  # ... runtime, handler, role, filename as above ...
  layers        = [aws_lambda_layer_version.example.arn]
}
```
### IAM Role for Lambda
- **IAM Role Setup**
  - Define the execution role Lambda assumes when it runs the function; the trust policy below limits who may assume it to the Lambda service
  - Example:
```terraform
resource "aws_iam_role" "lambda_role" {
  name               = "lambda_execution_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
```
### IAM Policy for Lambda
- **Basic Execution Role Policy**
  - Attach the managed policy that lets the function write to CloudWatch Logs
  - Use `aws_iam_role_policy_attachment`, not `aws_iam_policy_attachment`: the latter claims exclusive ownership of the policy and detaches it from every other role, user and group that already has it on the next apply
  - Example:
```terraform
resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
```
- `AWSLambdaBasicExecutionRole` grants `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` on `*`; anything the code calls beyond logging needs its own narrowly scoped policy rather than a broad managed one
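- Worked example (added here, not the gist's own code): the same execution role built with `aws_iam_policy_document`, with a confused-deputy guard on the trust policy and a scoped inline policy in place of a broad managed one. The DynamoDB table name `orders` is an assumption, and the function name must match the function that uses the role or the trust condition rejects the assume-role call. Use this in place of the heredoc `aws_iam_role.lambda_role` above (same resource address), not alongside it.

```terraform
# Added example, not from the original gist. Table name "orders" is assumed.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  function_name = "my_lambda"
  account_id    = data.aws_caller_identity.current.account_id
  region        = data.aws_region.current.name
  # Built as a string to avoid a dependency cycle: the role needs the function
  # ARN and the function needs the role ARN.
  function_arn = "arn:aws:lambda:${local.region}:${local.account_id}:function:${local.function_name}"
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    # Confused-deputy guard: only this account's function may use the role,
    # not any Lambda function in any account that learns the role ARN.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [local.function_arn]
    }
  }
}

resource "aws_iam_role" "lambda_role" {
  name               = "lambda_execution_role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

data "aws_iam_policy_document" "least_privilege" {
  # Logging: only this function's own log group instead of "*"
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${local.function_name}:*"]
  }
  # Data access: the two actions the handler needs, on one table only
  statement {
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem"]
    resources = ["arn:aws:dynamodb:${local.region}:${local.account_id}:table/orders"] # assumed table
  }
}

# Inline policy attached to this role only; nothing else can pick it up
resource "aws_iam_role_policy" "least_privilege" {
  name   = "lambda_least_privilege"
  role   = aws_iam_role.lambda_role.id
  policy = data.aws_iam_policy_document.least_privilege.json
}
```

The log-group statement deliberately omits `logs:CreateLogGroup`; create the group in Terraform (see the logging section) so the function never needs account-wide create rights. If you rename the function, update `local.function_name` in the same apply or the `aws:SourceArn` condition will stop the new name from assuming the role.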
### VPC Configuration
- Attach the function to VPC subnets when it must reach private resources (RDS, ElastiCache, internal services); this controls the function's outbound network path, not who may invoke it
- The execution role needs `AWSLambdaVPCAccessExecutionRole` (permissions to create, describe and delete ENIs) or the deploy fails
- Use private subnets: a VPC-attached function has no public IP, so reaching the internet requires a NAT gateway and reaching AWS services is best done through VPC endpoints
- Example:
```terraform
resource "aws_lambda_function" "example" {
  function_name = "my_vpc_lambda"
  # ... runtime, handler, role, filename as above ...
  vpc_config {
    subnet_ids         = ["subnet-12345", "subnet-67890"]  # private subnets
    security_group_ids = ["sg-123456"]                     # restrict egress; no inbound rules are needed
  }
}
```
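- Worked example (added here, not from the original gist): a VPC-attached function whose security group allows only HTTPS egress to an internal range, plus the role attachment Lambda needs to manage its ENIs. The `vpc_id` and `private_subnet_ids` variables and the `10.0.0.0/8` destination are assumptions; `aws_iam_role.lambda_role` is the role from the IAM section above.

```terraform
# Added example, not from the original gist. VPC, subnets and destination
# CIDR are assumptions supplied by the caller.
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }

# Terraform removes the AWS default allow-all egress rule from a security
# group it creates, so only the rules declared below apply.
resource "aws_security_group" "lambda" {
  name        = "lambda-egress-https-only"
  description = "Lambda egress restricted to HTTPS"
  vpc_id      = var.vpc_id
}

# Lambda invocations never arrive over the ENI, so no inbound rule exists.
resource "aws_vpc_security_group_egress_rule" "https_internal" {
  security_group_id = aws_security_group.lambda.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "10.0.0.0/8"   # assumed: internal services only, no internet
}

# Lets Lambda create and delete ENIs in the subnets; without it the function
# fails to deploy once vpc_config is set.
resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "vpc_example" {
  function_name    = "my_vpc_lambda"
  runtime          = "python3.12"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.lambda_role.arn
  filename         = "lambda_function.zip"
  source_code_hash = filebase64sha256("lambda_function.zip")

  vpc_config {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [aws_security_group.lambda.id]
  }

  # Attachment must exist before Lambda tries to create ENIs
  depends_on = [aws_iam_role_policy_attachment.vpc_access]
}
```

With this group the function cannot call public endpoints at all, which is the point: a compromised dependency in the package has no path to exfiltrate data over the network. Add a VPC endpoint for each AWS service the code legitimately uses instead of widening the CIDR.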
### Event Source Mapping
- Trigger Lambda functions from AWS services like S3, SNS, SQS, or DynamoDB Streams
- Two models: push sources (S3, SNS, API Gateway, EventBridge) call the function and need an `aws_lambda_permission` resource policy with `source_arn` set; poll sources (SQS, DynamoDB Streams, Kinesis) use `aws_lambda_event_source_mapping` and need read permissions on the execution role
#### S3 Event Source
- Trigger Lambda on S3 object creation
- The bucket needs permission to invoke the function or the notification resource fails to create; `source_arn` restricts it to this bucket, and since bucket names can be re-registered by another account after deletion, `source_account` adds a second check
- Example:
```terraform
resource "aws_lambda_permission" "allow_s3" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "s3.amazonaws.com"
  source_arn    = aws_s3_bucket.example.arn
}
resource "aws_s3_bucket_notification" "example" {
  bucket = aws_s3_bucket.example.id
  lambda_function {
    lambda_function_arn = aws_lambda_function.example.arn
    events              = ["s3:ObjectCreated:*"]
  }
  depends_on = [aws_lambda_permission.allow_s3]  # permission must exist before S3 validates the target
}
```
#### API Gateway Integration
- Trigger Lambda via an API Gateway request
- `source_arn` is what keeps the permission scoped to this API; without it, any API Gateway in any AWS account could invoke the function (a confused-deputy hole). `${execution_arn}/*/*` covers every stage, method and path of this API; narrow it to `/<stage>/<METHOD>/<path>` for a single route
- The permission only lets API Gateway call Lambda; each API method still needs `authorization` (IAM, Cognito, or a Lambda authorizer) or the route is public, and the REST API still needs an `aws_api_gateway_method` and an `AWS_PROXY` `aws_api_gateway_integration` pointing at the function
- Example:
```terraform
resource "aws_api_gateway_rest_api" "example" {
  name = "example_api"
}
resource "aws_lambda_permission" "api_gateway_invoke" {
  statement_id  = "AllowExecutionFromApiGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.example.execution_arn}/*/*"
}
```
#### CloudWatch Event Trigger
- Schedule Lambda function execution using an EventBridge rule (EventBridge is the successor of CloudWatch Events; the Terraform resources keep the `aws_cloudwatch_event_*` names)
- A rule and a permission alone do nothing: an `aws_cloudwatch_event_target` is what ties the rule to the function
- Example:
```terraform
resource "aws_cloudwatch_event_rule" "example" {
  name                = "example_rule"
  schedule_expression = "rate(5 minutes)"
}
resource "aws_cloudwatch_event_target" "example" {
  rule = aws_cloudwatch_event_rule.example.name
  arn  = aws_lambda_function.example.arn
}
resource "aws_lambda_permission" "cloudwatch_event_permission" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.example.arn  # only this rule may invoke the function
}
```
#### DynamoDB Stream Trigger
- Trigger Lambda from changes in a DynamoDB stream
- The table must have `stream_enabled = true` and a `stream_view_type`, and the execution role needs `dynamodb:DescribeStream`, `dynamodb:GetRecords`, `dynamodb:GetShardIterator` and `dynamodb:ListStreams` on the stream (the `AWSLambdaDynamoDBExecutionRole` managed policy covers this)
- Example:
```terraform
resource "aws_lambda_event_source_mapping" "dynamodb_trigger" {
  event_source_arn  = aws_dynamodb_table.example.stream_arn
  function_name     = aws_lambda_function.example.arn
  starting_position = "LATEST"
}
```
#### SQS Event Source
- Trigger Lambda when messages are added to an SQS queue
- Lambda polls the queue, so the execution role needs `sqs:ReceiveMessage`, `sqs:DeleteMessage` and `sqs:GetQueueAttributes` on it (`AWSLambdaSQSQueueExecutionRole` grants these); set the queue's visibility timeout to at least six times the function timeout, and give the source queue a dead-letter queue so a poison message is not retried forever
- Example:
```terraform
resource "aws_iam_role_policy_attachment" "sqs_execution" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole"
}
resource "aws_lambda_event_source_mapping" "sqs_trigger" {
  event_source_arn = aws_sqs_queue.example.arn
  function_name    = aws_lambda_function.example.arn
  batch_size       = 10
  depends_on       = [aws_iam_role_policy_attachment.sqs_execution]  # mapping creation checks the role's permissions
}
```
### Logging and Monitoring
- **CloudWatch Logs**
  - Lambda writes to the log group `/aws/lambda/<function_name>` and creates it on first invocation if the role allows `logs:CreateLogGroup`; defining the group in Terraform lets you set retention (the default is to keep logs forever) and a KMS key
  - Create the group before the function (`depends_on` from the function) so Lambda does not create an unmanaged one first
  - Example:
```terraform
resource "aws_cloudwatch_log_group" "lambda_logs" {
  name              = "/aws/lambda/my_lambda"   # must match function_name exactly
  retention_in_days = 14
}
```
- **CloudWatch Metrics**
  - Monitor Lambda metrics (invocations, errors, duration)
  - Add `dimensions` so the alarm covers this function rather than the account-wide aggregate, and an `alarm_actions` target; `actions_enabled` does nothing on its own
  - Example:
```terraform
resource "aws_cloudwatch_metric_alarm" "lambda_error_alarm" {
  alarm_name          = "LambdaErrorAlarm"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  metric_name         = "Errors"
  namespace           = "AWS/Lambda"
  period              = 300
  statistic           = "Sum"
  threshold           = 1
  actions_enabled     = true
  dimensions = {
    FunctionName = aws_lambda_function.example.function_name
  }
  alarm_actions = [aws_sns_topic.alerts.arn]  # assumed SNS topic for notifications, defined elsewhere
}
```
### Reserved Concurrency
- Reserve concurrency for the function; the value is both a guarantee (that many executions are always available) and a hard cap (further invocations are throttled), and it is taken out of the account's regional concurrency pool
- Setting it to `0` throttles every invocation, which is a quick kill switch for a compromised or runaway function
- Example:
```terraform
resource "aws_lambda_function" "example" {
  # ... other attributes as above ...
  reserved_concurrent_executions = 5
}
```
## Terraform Workflow
- **terraform init**: Initialize the working directory, download the AWS provider, and configure the backend
- **terraform plan**: Preview the infrastructure changes; review it for unintended IAM or permission changes before applying
- **terraform apply**: Apply changes and deploy Lambda functions
- **terraform destroy**: Destroy Lambda infrastructure
## Best Practices
- Build the deployment package (ZIP) reproducibly from versioned source and pin it with `source_code_hash` (or an S3 object version) so every deploy is traceable to a commit
- Use Terraform remote state for shared environments, with encryption and locking; state stores every managed attribute in plain text, including Lambda environment variables
- Separate resource creation into modules for maintainability
- Keep secrets out of environment variables and Terraform state: store them in Secrets Manager or SSM Parameter Store and grant the execution role read access to only those entries
- Pin provider versions with `required_providers` so a provider upgrade cannot silently change resource behaviour
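- Worked example (added here, not from the original gist): a remote-state configuration with an encrypted S3 backend, a pinned provider, and state locking. The bucket, lock table, KMS alias and state key are assumptions; the bucket itself should have versioning and SSE-KMS enabled and a policy that limits access to the deployment role.

```terraform
# Added example, not from the original gist. Bucket, table and key names are
# assumptions. State contains every attribute Terraform manages, including
# Lambda environment variables, so the bucket is sensitive.
terraform {
  required_version = ">= 1.5"

  # Pin the provider so an upgrade cannot change resource behaviour unnoticed
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  backend "s3" {
    bucket         = "example-tfstate-bucket"     # assumed; enable versioning so a bad apply can be rolled back
    key            = "lambda/prod/terraform.tfstate"
    region         = "us-west-2"
    encrypt        = true                         # server-side encryption of the state object
    kms_key_id     = "alias/terraform-state"      # assumed KMS alias; gives per-key access control over state
    dynamodb_table = "example-tfstate-lock"       # assumed lock table with a string hash key named LockID
  }
}
```

The lock table prevents two concurrent applies from corrupting state; on Terraform 1.10 or later `use_lockfile = true` can replace the DynamoDB table. Because the backend block cannot use variables, keep one copy per environment (for example one `backend.hcl` per account passed with `terraform init -backend-config=`).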