terraform-aws-lambda-redux

This Terraform module creates a Lambda function together with its permissions; it was written for a Lex/Lambda combination and has options for IAM and CloudWatch. Using a Lambda with a Lex intent requires a number of other objects, so this module supplies reasonable default values for them, which should make it easier to build the Lambdas that go with your Lex objects. The Lambda permission input is an array/list, which means you can add as many permissions to the Lambda as you need.

How to use this project:


It's 100% open source and licensed under Apache 2.0.

Usage

This is a minimal example (Examplea), but with CloudWatch alarms enabled.

```hcl
module "lambda" {
  # A git source cannot take a version argument; pin the release with ?ref= instead.
  source = "github.com/jameswoolfenden/terraform-aws-lambda-redux?ref=0.3.40"

  # One object per permission; add more objects to grant more invokers.
  lambdapermmissions = [{
    intent     = "Pizza"
    source_arn = "Pizza:*"
  }]

  # data.aws_caller_identity.current, data.aws_region.current and
  # data.aws_iam_role.lambda are declared elsewhere in the calling configuration.
  account_id     = data.aws_caller_identity.current.account_id
  alarms_enabled = true
  common_tags    = var.common_tags
  description    = "Best Pizza!!"
  filename       = "${path.module}/lambda.zip"
  name           = var.name
  region_name    = data.aws_region.current.name
  role_arn       = data.aws_iam_role.lambda.arn
}
```

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.lambda | resource |
| aws_cloudwatch_metric_alarm.invocations | resource |
| aws_iam_role.lambda | resource |
| aws_iam_role_policy.lambda | resource |
| aws_lambda_function.withintent | resource |
| aws_lambda_permission.withintent | resource |
| aws_sns_topic.lambda | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.lambda | data source |
| aws_iam_policy_document.sns | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_id | The AWS account the policy or object should target | string | n/a | yes |
| action | Action for the Lambda permission | string | "lambda:InvokeFunction" | no |
| alarms_enabled | CloudWatch alarms enabled | bool | false | no |
| common_tags | Implements the common tags scheme | map(any) | n/a | yes |
| description | Of the Lambda | string | n/a | yes |
| envvar | Optional set of environment variables for the Lambda | map(any) | `{"Terraform": "Bug"}` | no |
| filename | Name of the zip file, if any | string | null | no |
| handler | The file the Lambda should import | string | "index.handler" | no |
| kms_key_id | CMK for Lambda | string | n/a | yes |
| lambdapermmissions | Takes a list of objects with values to set the permissions of a Lambda; can take multiple permission objects | list(any) | [] | no |
| layers | Optionally, add up to 5 Lambda layers | list(any) | [] | no |
| memory_size | Of the Lambda | string | "128" | no |
| metric_comparison_operator | For CloudWatch alarms | string | "GreaterThanThreshold" | no |
| metric_datapoints_to_alarm | For CloudWatch alarms | number | 1 | no |
| metric_evaluation_periods | For CloudWatch alarms | number | 1 | no |
| metric_metric_name | n/a | string | "Invocations" | no |
| metric_period | n/a | number | 300 | no |
| metric_statistic | n/a | string | "Average" | no |
| metric_threshold | n/a | number | 100 | no |
| name | Name of the Lambda object | string | n/a | yes |
| passrole | n/a | bool | false | no |
| prefixdash | Support for renaming on multi-environments | string | "" | no |
| principal | n/a | string | "lex.amazonaws.com" | no |
| region_name | AWS region name, e.g. eu-west-1 | string | n/a | yes |
| role_arn | The name you want your IAM role to have | string | "" | no |
| runtime | Language the code runs in | string | "nodejs8.10" | no |
| s3_bucket | Path to the Lambda bucket | string | null | no |
| s3_key | Path to the Lambda zip | string | null | no |
| security_group_ids | The IDs of some security groups | list(string) | [] | no |
| subnet_ids | Subnet IDs... | list(string) | [] | no |
| timeout | Of the Lambda | string | "100" | no |
| tracing_mode | Enable X-Ray and in what mode, Active or PassThrough | string | "Active" | no |
| vpc_config | Optional VPC attachment config | map(any) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| lambda_arn | n/a |
| memory_size | n/a |
| source_code_size | n/a |
| timeout | n/a |

Policy

This is the policy required to build this project:

The Terraform resource required is:

```hcl
resource "aws_iam_policy" "terraform_pike" {
  name_prefix = "terraform_pike"
  path        = "/"
  description = "Pike Autogenerated policy from IAC"

  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "SNS:CreateTopic",
                "SNS:DeleteTopic",
                "SNS:GetTopicAttributes",
                "SNS:ListTagsForResource",
                "SNS:SetTopicAttributes",
                "SNS:TagResource",
                "SNS:UnTagResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:ListTagsForResource",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:TagRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionCodeSigningConfig",
                "lambda:GetPolicy",
                "lambda:ListVersionsByFunction",
                "lambda:RemovePermission",
                "lambda:TagResource",
                "lambda:UntagResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": [
                "logs:AssociateKmsKey",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DeleteRetentionPolicy",
                "logs:DescribeLogGroups",
                "logs:DisassociateKmsKey",
                "logs:ListTagsLogGroup",
                "logs:PutRetentionPolicy"
            ],
            "Resource": "*"
        }
    ]
})
}
```
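Every statement in the generated policy grants its actions on `Resource: "*"`. The IAM statement (VisualEditor3) is the one worth narrowing before handing the policy to a CI deployer, since `iam:CreateRole`, `iam:PutRolePolicy` and `iam:PassRole` on every role reach well beyond the single Lambda role this module manages. The check below is an added example, not part of the module: it scans a constructed excerpt of the policy for sensitive actions on `*` and shows the statement rewritten to a role ARN pattern (the account id and role name pattern are placeholders; the set of sensitive actions is this example's own choice).

```python
"""Flag sensitive IAM actions granted on Resource "*" in the deploy policy.

Added example, not part of the module. POLICY is a constructed excerpt of the
Statement list shown above; SENSITIVE_ACTIONS is this example's own choice of
actions that change which roles a principal can create, configure or pass.
"""
import json

SENSITIVE_ACTIONS = {"iam:PassRole", "iam:CreateRole", "iam:PutRolePolicy"}

# Constructed excerpt of the pike-generated policy (two of its six statements).
POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor2", "Effect": "Allow",
         "Action": ["ec2:DescribeAccountAttributes"], "Resource": "*"},
        {"Sid": "VisualEditor3", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:GetRole",
                    "iam:PassRole", "iam:PutRolePolicy", "iam:TagRole"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def review(policy_json, sensitive=SENSITIVE_ACTIONS):
    """Return (Sid, action) pairs for sensitive Allow actions on Resource '*'."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action in sensitive:
                findings.append((stmt.get("Sid"), action))
    return findings


def scope_statement(policy_json, sid, resource_arn):
    """Return the policy with one statement's Resource narrowed to resource_arn."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Resource"] = resource_arn
    return json.dumps(policy)


if __name__ == "__main__":
    print(review(POLICY))
    # Placeholder account id and role name pattern; substitute the ARN pattern
    # of the role this module creates in your account.
    narrowed = scope_statement(POLICY, "VisualEditor3",
                               "arn:aws:iam::123456789012:role/lambda-*")
    print(review(narrowed))  # []
```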

Further work

  • Connect to the CloudWatch metric and attach a subscription to Slack.
  • Determine when ConcurrentExecutions or Invocations exceeds your threshold, and connect up the AWS Chatbot to Slack/bot.
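The threshold alarm above is shaped entirely by the module's metric_* inputs, so it is worth checking what the defaults actually fire on. Lambda publishes Invocations as one sample of value 1 per call, which makes the Average statistic equal to 1 whatever the call volume; an alarm on invocation volume therefore needs metric_statistic = "Sum". The model below is an added example (not the module's code, and a simplification of CloudWatch's real evaluation) that runs a constructed burst through the defaults from the Inputs table and through the same alarm with Sum.

```python
"""Evaluate the module's metric_* inputs as a CloudWatch alarm (added example,
not the module's own code). Samples are constructed: Lambda records one
Invocations sample of value 1 per call; CloudWatch aggregates each period with
the statistic; the alarm compares that aggregate with the threshold."""
from statistics import mean

# Defaults from the Inputs table above.
DEFAULT_ALARM = {
    "metric_statistic": "Average",
    "metric_period": 300,
    "metric_comparison_operator": "GreaterThanThreshold",
    "metric_threshold": 100,
    "metric_evaluation_periods": 1,
    "metric_datapoints_to_alarm": 1,
}
STATISTICS = {"Sum": sum, "Average": mean, "Maximum": max}
OPERATORS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
}

def aggregate(samples, period, statistic):
    """Bucket (timestamp, value) samples by period and apply the statistic."""
    buckets = {}
    for ts, value in samples:
        buckets.setdefault(ts // period, []).append(value)
    return [STATISTICS[statistic](buckets[k]) for k in sorted(buckets)]

def alarm_state(samples, cfg):
    """ALARM when at least metric_datapoints_to_alarm of the most recent
    metric_evaluation_periods datapoints breach the threshold, else OK."""
    points = aggregate(samples, cfg["metric_period"], cfg["metric_statistic"])
    recent = points[-cfg["metric_evaluation_periods"]:]
    breaches = OPERATORS[cfg["metric_comparison_operator"]]
    hits = sum(1 for p in recent if breaches(p, cfg["metric_threshold"]))
    return "ALARM" if hits >= cfg["metric_datapoints_to_alarm"] else "OK"

# Constructed burst: 500 invocations inside a single 300-second period.
BURST = [(i % 300, 1) for i in range(500)]

def compare_statistics(samples=BURST):
    """State of one burst under the default Average statistic and under Sum."""
    return (alarm_state(samples, DEFAULT_ALARM),
            alarm_state(samples, dict(DEFAULT_ALARM, metric_statistic="Sum")))

if __name__ == "__main__":
    print(compare_statistics())  # ('OK', 'ALARM')
```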

General:

What alarms are important:

Right sizing Lambdas:

  • timeouts too close to the invocation length
  • number of failed or throttled invocations
  • memory usage - am I over-provisioned?
  • memory usage - is more tin required?
  • payload size is related to the start time

Related Projects

Check out these related projects.

Help

Got a question?

File a GitHub issue.

Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Copyrights

Copyright © 2019-2022 James Woolfenden

License

See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Contributors

James Woolfenden