Use Terraform to Build AWS Lambda Functions
What is AWS Lambda?
Lambda is part of Amazon’s compute service. It is considered to be a serverless service because it can be used without having to create EC2 instances in order to function. Simply create and upload code to Lambda, provide the necessary permissions, and Lambda will provide the execution and manage scaling.
What is Terraform?
Terraform is a cloud agnostic, Infrastructure as Code (IaC) tool that allows the creation, implementation and modification of cloud elements using declarative statements. As updates are made to these statements, Terraform recognizes those changes and modifies the current state accordingly.
Deploy Lambda Using Terraform
AWS Lambda and Terraform work together to form a seamless way to implement and manage code deployments to the AWS platform. After the developer creates the code to be pushed to AWS, Terraform takes that code along with the details needed to create the Lambda function (IAM policy and role permissions, lambda function details, etc.) and sends it to AWS for implementation.
Create the Script and Configuration Files
Below is a simple python script called lambda.py which defines a function that prints a message to standard out.
In order to create a Lambda function, Terraform must supply the following.
· Region where the function should reside
· Appropriate Permissions for the function
· Lambda function specifics
The provider.tf file lets Terraform know which cloud platform (AWS in this case) to use and also where (us-east-1) to create cloud resources.
Code is uploaded to AWS for use with the Lambda service in zip format. To automate this step, two items are specified — the file(s) to be compressed and the location to place the compressed file. A local variable called lambda_zip_location captures both of those requirements, and an archive_file data resource labled lambda declares the compression type, the file to be compressed and location of the resulting file.
Next, the permissions for executing the function must be defined.
Using the aws_iam_role_policy resource and the aws_lambda_function resource, we are able to provide Lambda with the permissions required to execute the script.
These permission definitions are stored in two files, lambda-assume-policy.json and lambda-policy.json, which are referenced by the script containing the lambda function definition.
It is best practice to give any account or service the least permissions in order to successfully function.
If you need to create a json statement with select permissions, The Amazon Policy Generator can construct a policy based on the constraints you provide.
Next, define the lambda function using the terraform aws_lambda_function resource.
A local value labeled lambda_zip_location was assigned the location of the zip file that holds the python script. This local value definition allows the file location to be used multiple times in the configuration file without having to explicitly state the location in each use.
The function_name variable is the name that will appear on the Lambda dashboard in the AWS Management Console.
The role is the permission set assigned to the lambda function, and the handler is the function’s entry point.
The runtime variable lets Lambda know the type of code it executes.
Implementing The Change
Now that the code is created the stage is set for Terraform to interact with AWS to build the lambda function.
There are three commands that accomplish this.
terraform init — initializes the directory where the terraform configuration files are located
terraform validate — ensures there are no syntax errors in the code
terraform apply — creates the desired state defined in the configuration files
Verify Desired State
After changes have been successfully applied, it is easy to verify the desired state has been achieved by logging into the AWS Management Console and accessing the Lambda Dashboard.
Find and select the lambda_using_terraform function.
A screenshot of the Configuration tab is shown below.
At the bottom of the screen, the function code window shows the contents of the script.
The management console allows for zip files to be uploaded from a local drive or from S3, but best practice dictates these distributed using Terraform.
The Permissions tab shows the assigned role and lists the service(s) the lambda function can access. In this case, lambda is allowed to interface with Amazon CloudWatch Logs.
Test the Lambda Function
The lambda_using_terraform function can be tested by selecting the Test button located in the upper right-hand corner of the screen.
On the Configuration test event screen, enter “QuickTest” in the Event name window, and then select the Create button.
Select the Test button again in the upper right-hand corner of the screen.
A successful test run will result in a message similar to the one below.
Removing the Lambda Function
All components created by the terraform script can be removed using a simple command executed within the directory containing the configuration files.
terraform destroy — removes all elements defined in the configuration files
AWS Policy Generator
A statement is the formal description of a single permission. See a description of elements that you can use in…