Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


This Terraform module creates and uploads an AWS Lambda function and hides the ugly parts from you.


  • Only appears in the Terraform plan when there are legitimate changes.
  • Creates a standard IAM role and policy for CloudWatch Logs.
    • You can add additional policies if required.
  • Zips up a source file or directory.
  • Installs dependencies from requirements.txt for Python functions.
    • It only does this when necessary, not every time.


  • Python 2.7 or higher
  • Linux/Unix/Windows

Terraform version compatibility

Module version Terraform version
1.x.x 0.12.x
0.x.x 0.11.x


module "lambda" {
  source = ""

  function_name = "deployment-deploy-status"
  description   = "Deployment deploy status task"
  handler       = "main.lambda_handler"
  runtime       = "python3.6"
  timeout       = 300

  // Specify a file or directory for the source code.
  source_path = "${path.module}/"

  // Add additional trusted entities for assuming roles (trust relationships).
  trusted_entities = ["", ""]

  // Attach a policy.
  policy = {
    json = data.aws_iam_policy_document.lambda.json

  // Add a dead letter queue.
  dead_letter_config = {
    target_arn = aws_sqs_queue.dlq.arn

  // Add environment variables.
  environment = {
    variables = {
      SLACK_URL = var.slack_url

  // Deploy into a VPC.
  vpc_config = {
    subnet_ids         = []
    security_group_ids = []


Inputs for this module are the same as the aws_lambda_function resource with the following additional arguments:

Name Description Type Default Required
source_path The absolute path to a local file or directory containing your Lambda source code string yes
build_command The command to run to create the Lambda package zip file string "python '$filename' '$runtime' '$source'" no
build_paths The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change list(string) [""] no
cloudwatch_logs Set this to false to disable logging your Lambda output to CloudWatch Logs bool true no
lambda_at_edge Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow to invoke the function bool false no
policy An additional policy to attach to the Lambda function role object({json=string}) no
trusted_entities Additional trusted entities for the Lambda function. The (and if lambda_at_edge is true) is always set list(string) no
enabled Enabling and disaling of resources bool true no

The following arguments from the aws_lambda_function resource are not supported:

  • filename (use source_path instead)
  • role (one is automatically created)
  • s3_bucket
  • s3_key
  • s3_object_version
  • source_code_hash (changes are handled automatically)


Name Description
function_arn The ARN of the Lambda function
function_invoke_arn The Invoke ARN of the Lambda function
function_name The name of the Lambda function
function_qualified_arn The qualified ARN of the Lambda function
role_arn The ARN of the IAM role created for the Lambda function
role_name The name of the IAM role created for the Lambda function