第 8 章:Serverless 設定
Reference Link
Lambda
Lambda Function
# Trust policy for the Lambda execution role: only the Lambda service principal
# may call sts:AssumeRole on it. Rendered as JSON by aws_iam_role.iam_for_lambda.
# NOTE(review): no Condition is set, so any function in the account can be given
# this role; an aws:SourceArn / aws:SourceAccount condition would narrow it — confirm
# whether that matters for this deployment.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
  }
}
# Execution role the function runs as. Permissions are attached separately
# (see the logging policy attachment later on this page); this resource only
# carries the trust policy rendered by the assume_role document.
resource "aws_iam_role" "iam_for_lambda" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name               = "iam_for_lambda"
}
# Packages lambda.js into the deployment zip at plan/apply time. The zip's
# base64 SHA-256 (output_base64sha256) is what the function below uses to detect
# code changes, so the archive is regenerated whenever lambda.js changes.
data "archive_file" "lambda" {
  output_path = "lambda_function_payload.zip"
  source_file = "lambda.js"
  type        = "zip"
}
# Minimal function definition: local zip deployment, Node.js runtime, one
# environment variable. Deployed code is whatever archive_file.lambda produced.
resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  runtime       = "nodejs18.x"
  handler       = "index.test"
  role          = aws_iam_role.iam_for_lambda.arn

  # If the file is not in the current working directory you will need to include a
  # path.module in the filename.
  filename         = "lambda_function_payload.zip"
  source_code_hash = data.archive_file.lambda.output_base64sha256

  # Environment variables are stored in plain text in Terraform state and are
  # readable by anyone with lambda:GetFunctionConfiguration — keep secrets out of
  # here (use a secrets store and fetch at runtime instead).
  environment {
    variables = {
      foo = "bar"
    }
  }
}
Lambda Layers
# A layer version: shared code/dependencies published once and referenced by
# one or more functions. The page shows only the skeleton; the layer's content
# and compatible runtimes are configured in the elided part.
resource "aws_lambda_layer_version" "example" {
  # ... other configuration ...
}
# Attaches the layer above to a function. Layer code runs inside the function's
# sandbox with the function's role, so a layer is part of the function's trusted
# supply chain: pin to a specific version ARN (as done here) rather than a
# mutable reference.
resource "aws_lambda_function" "example" {
  # ... other configuration ...
  layers = [aws_lambda_layer_version.example.arn]
}
Lambda Ephemeral Storage
# Trust policy for the Lambda execution role (same as in the Lambda Function
# section): only lambda.amazonaws.com may assume the role. Repeated here so the
# ephemeral-storage example is self-contained; in one module it would be
# declared once.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
  }
}
# Execution role for the ephemeral-storage example; identical to the one in the
# Lambda Function section (a single module declares it only once).
resource "aws_iam_role" "iam_for_lambda" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name               = "iam_for_lambda"
}
# Function with an enlarged /tmp. Ephemeral storage is per-execution-environment
# scratch space; it persists across warm invocations of the same environment,
# so anything written there should be treated as cached, not private to one call.
resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  runtime       = "nodejs18.x"
  handler       = "index.test"
  role          = aws_iam_role.iam_for_lambda.arn
  filename      = "lambda_function_payload.zip"

  ephemeral_storage {
    size = 10240 # Min 512 MB and the Max 10240 MB
  }
}
Lambda File Systems
# A lambda function connected to an EFS file system
# Function attached to a VPC so it can mount the EFS access point declared
# below at /mnt/efs. The same security group is used on the function and on the
# mount target (see aws_efs_mount_target.alpha), so that group's rules must allow
# NFS between its own members — TODO confirm the SG permits TCP 2049 self-traffic.
resource "aws_lambda_function" "example" {
  # ... other configuration ...
  file_system_config {
    # EFS file system access point ARN
    arn = aws_efs_access_point.access_point_for_lambda.arn
    # Local mount path inside the lambda function. Must start with '/mnt/'.
    local_mount_path = "/mnt/efs"
  }
  vpc_config {
    # Every subnet should be able to reach an EFS mount target in the same Availability Zone. Cross-AZ mounts are not permitted.
    subnet_ids         = [aws_subnet.subnet_for_lambda.id]
    security_group_ids = [aws_security_group.sg_for_lambda.id]
  }
  # Explicitly declare dependency on EFS mount target.
  # When creating or updating Lambda functions, mount target must be in 'available' lifecycle state.
  depends_on = [aws_efs_mount_target.alpha]
}
# EFS file system
# The EFS file system the function mounts. Only a Name tag is set here.
# NOTE(review): nothing on this page sets `encrypted = true` on the file system;
# confirm whether encryption at rest is required before this leaves a demo —
# it cannot be enabled on an existing file system without replacing it.
resource "aws_efs_file_system" "efs_for_lambda" {
  tags = {
    Name = "efs_for_lambda"
  }
}
# Mount target connects the file system to the subnet
# Exposes the file system in the function's subnet. Reuses the function's
# security group, which is therefore the single place that governs NFS access
# to this mount target.
resource "aws_efs_mount_target" "alpha" {
  subnet_id       = aws_subnet.subnet_for_lambda.id
  security_groups = [aws_security_group.sg_for_lambda.id]
  file_system_id  = aws_efs_file_system.efs_for_lambda.id
}
# EFS access point used by lambda file system
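# Access point that pins the function to /lambda on the file system and forces
# every operation through it to run as uid/gid 1000.
#
# creation_info is only applied when /lambda does not yet exist: EFS creates the
# directory with the given owner and mode. The original example used "777",
# which makes /lambda world-writable for any other client that mounts the file
# system (directly or via another access point). "750" keeps full access for the
# owner — the same 1000:1000 identity the posix_user block enforces — and
# read/traverse for the group, with no access for anyone else.
resource "aws_efs_access_point" "access_point_for_lambda" {
  file_system_id = aws_efs_file_system.efs_for_lambda.id

  root_directory {
    path = "/lambda"
    creation_info {
      owner_gid   = 1000
      owner_uid   = 1000
      permissions = "750"
    }
  }

  # Identity the function's file operations are mapped to, regardless of the
  # uid the Lambda runtime actually runs as. Matches the directory owner above.
  posix_user {
    gid = 1000
    uid = 1000
  }
}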
CloudWatch Logging and Permissions
# Function name shared by the function resource, the log group name and the
# logging IAM policy, so the three stay in sync when it is overridden.
variable "lambda_function_name" {
  default = "lambda_function_name"
}
# Function whose logs go to the Terraform-managed log group below. The explicit
# depends_on makes sure the role can write logs and the log group exists with
# the intended retention before the function is first invoked; without it,
# Lambda would create an unmanaged log group with no retention on first run.
resource "aws_lambda_function" "test_lambda" {
  function_name = var.lambda_function_name

  # Advanced logging controls (optional)
  # "Text" keeps the classic plain-text log lines; the alternative "JSON" format
  # emits structured records, which are easier to parse and filter in detection
  # pipelines — consider it if logs feed a SIEM.
  logging_config {
    log_format = "Text"
  }

  # ... other configuration ...

  depends_on = [
    aws_iam_role_policy_attachment.lambda_logs,
    aws_cloudwatch_log_group.example,
  ]
}
# This is to optionally manage the CloudWatch Log Group for the Lambda Function.
# If skipping this resource configuration, also add "logs:CreateLogGroup" to the IAM policy below.
# Pre-creates the function's log group so retention is under Terraform control.
# Lambda writes to /aws/lambda/<function name> by convention, so the name must
# match var.lambda_function_name exactly. 14 days is a demo value; pick the
# retention your incident-response and compliance needs actually require.
resource "aws_cloudwatch_log_group" "example" {
  retention_in_days = 14
  name              = "/aws/lambda/${var.lambda_function_name}"
}
# See also the following AWS managed policy: AWSLambdaBasicExecutionRole
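# Least-privilege logging policy for the execution role.
#
# The original example granted all three actions on "arn:aws:logs:*:*:*", i.e.
# every log group and stream in every region. Writing log streams and events is
# now limited to this function's own log group (the name mirrors
# aws_cloudwatch_log_group.example). logs:CreateLogGroup stays in its own
# statement so it can be dropped when the log group is managed by Terraform, as
# the note above this block suggests; it cannot be scoped to a named log group
# that may not exist yet, hence the broader resource.
data "aws_iam_policy_document" "lambda_logging" {
  # Only needed if the log group is NOT managed by Terraform.
  statement {
    effect    = "Allow"
    actions   = ["logs:CreateLogGroup"]
    resources = ["arn:aws:logs:*:*:*"]
  }

  # Writes are confined to this function's log group and its streams.
  statement {
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/${var.lambda_function_name}:*"]
  }
}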
# Customer-managed policy wrapping the lambda_logging document, so it can be
# attached to (and detached from) the execution role as a unit.
resource "aws_iam_policy" "lambda_logging" {
  policy      = data.aws_iam_policy_document.lambda_logging.json
  description = "IAM policy for logging from a lambda"
  path        = "/"
  name        = "lambda_logging"
}
# Grants the execution role the logging permissions. The function's depends_on
# references this attachment so the role is usable before the first invocation.
resource "aws_iam_role_policy_attachment" "lambda_logs" {
  policy_arn = aws_iam_policy.lambda_logging.arn
  role       = aws_iam_role.iam_for_lambda.name
}
Lambda Function URL
# HTTPS endpoint for the unqualified ($LATEST) version of the function.
# authorization_type = "NONE" makes the URL callable by anyone on the internet
# with no credentials: every request becomes an invocation billed to this
# account and handled by the function's code with the function's IAM role. Use
# it only when the function is meant to be public and does its own input
# validation and rate limiting; otherwise prefer "AWS_IAM" as in test_live below.
resource "aws_lambda_function_url" "test_latest" {
  function_name      = aws_lambda_function.test.function_name
  authorization_type = "NONE"
}
# HTTPS endpoint for the "my_alias" alias, requiring SigV4-signed requests
# (AWS_IAM), so callers additionally need lambda:InvokeFunctionUrl on it.
#
# NOTE(review): the CORS block combines allow_credentials = true with
# allow_origins = ["*"]. Browsers do not honour a wildcard origin for
# credentialed requests, so this either does not work as intended or, if the
# service reflects the caller's origin, lets any site make credentialed
# cross-origin calls — confirm the intent and list explicit origins instead.
resource "aws_lambda_function_url" "test_live" {
  function_name      = aws_lambda_function.test.function_name
  qualifier          = "my_alias"
  authorization_type = "AWS_IAM"

  cors {
    allow_credentials = true
    allow_origins     = ["*"]
    allow_methods     = ["*"]
    allow_headers     = ["date", "keep-alive"]
    expose_headers    = ["keep-alive", "date"]
    max_age           = 86400 # seconds a browser may cache the preflight response
  }
}
Lambda Invocation
Lambda Invocation
# Invokes the function during apply and records its response in state. Both the
# payload and the result end up in Terraform state, so neither should carry
# secrets unless the state backend is treated as sensitive storage.
resource "aws_lambda_invocation" "example" {
  input = jsonencode({
    key1 = "value1"
    key2 = "value2"
  })
  function_name = aws_lambda_function.lambda_function_test.function_name
}
# Surfaces one field of the invocation's JSON response. Outputs are printed at
# the end of apply and stored in state; if the function could return anything
# confidential, mark this output `sensitive = true`.
output "result_entry" {
  value = jsondecode(aws_lambda_invocation.example.result)["key1"]
}