Skip to content
Terraform module for AWS Lambda functions
HCL Python Shell
Branch: master
Clone or download


This Terraform module creates and uploads an AWS Lambda function and hides the ugly parts from you.


  • Only appears in the Terraform plan when there are legitimate changes.
  • Creates a standard IAM role and policy for CloudWatch Logs.
    • You can add additional policies if required.
  • Zips up a source file or directory.
  • Installs dependencies from requirements.txt for Python functions.
    • It only does this when necessary, not every time.


  • Python 2.7 or higher
  • Linux/Unix/Windows

Terraform version compatibility

Module version Terraform version
1.x.x 0.12.x
0.x.x 0.11.x


module "lambda" {
  source = ""

  function_name = "deployment-deploy-status"
  description   = "Deployment deploy status task"
  handler       = "main.lambda_handler"
  runtime       = "python3.6"
  timeout       = 300

  // Specify a file or directory for the source code.
  source_path = "${path.module}/"

  // Attach a policy.
  policy = {
    json = data.aws_iam_policy_document.lambda.json

  // Add a dead letter queue.
  dead_letter_config = {
    target_arn = aws_sqs_queue.dlq.arn

  // Add environment variables.
  environment = {
    variables = {
      SLACK_URL = var.slack_url

  // Deploy into a VPC.
  vpc_config = {
    subnet_ids         = []
    security_group_ids = []


Inputs for this module are the same as the aws_lambda_function resource with the following additional arguments:

Name Description Type Default Required
source_path The absolute path to a local file or directory containing your Lambda source code string yes
build_command The command to run to create the Lambda package zip file string "python '$filename' '$runtime' '$source'" no
build_paths The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change list(string) [""] no
cloudwatch_logs Set this to false to disable logging your Lambda output to CloudWatch Logs bool true no
lambda_at_edge Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow to invoke the function bool false no
policy An additional policy to attach to the Lambda function role object({json=string}) no

The following arguments from the aws_lambda_function resource are not supported:

  • filename (use source_path instead)
  • role (one is automatically created)
  • s3_bucket
  • s3_key
  • s3_object_version
  • source_code_hash (changes are handled automatically)


Name Description
function_arn The ARN of the Lambda function
function_invoke_arn The Invoke ARN of the Lambda function
function_name The name of the Lambda function
function_qualified_arn The qualified ARN of the Lambda function
role_arn The ARN of the IAM role created for the Lambda function
role_name The name of the IAM role created for the Lambda function
You can’t perform that action at this time.