This module makes it easy to deploy and manage an AWS Lambda function. Lambda gives
you a way to run code on-demand in AWS without having to manage servers.
How do you use this module?
See the root README for instructions on using Terraform modules.
See vars.tf for all the variables you can set on this module.
The general idea is to:
Create a folder that contains your source code in one of the supported languages: Python, JavaScript, Java, etc (see
Lambda programming model for the complete
list).
Use this lambda module to automatically zip that folder, upload it to AWS, and configure it as a Lambda function.
Trigger your Lambda function using one of the following options:
An event source, such as a new
message on an SNS topic or a new file uploaded to S3.
What is AWS Lambda?
AWS Lambda lets you run code without provisioning or managing servers. You define a
function in a supported language (currently: Python, JavaScript, Java, and C#), upload the code to Lambda, specify how
that function can be triggered, and then AWS Lambda takes care of all the details of deploying and scaling the
infrastructure to run that code.
How do you add additional IAM policies and permissions?
By default, the lambda module configures your lambda function with an IAM role that allows it to write logs to
CloudWatch Logs. The ID of the IAM role is exported as the output iam_role_id and the ID of the lambda function is
exported as the output function_arn, so you can add custom rules using the aws_iam_role_policy or
aws_lambda_permission resources, respectively. For example, to allow your lambda function to be triggered by SNS:
How do you give the lambda function access to a VPC?
By default, your Lambda functions do not have access to your VPCs or subnets. If the lambda function needs to be able
to talk to something directly within your VPC, you need to:
Set the run_in_vpc parameter to true.
Specify the ID of the VPC your Lambda function should be able to access via the vpc_id parameter.
Specify the IDs of the subnets your Lambda function should be able to access via the subnet_ids parameter.
When you set run_in_vpc to true, this module also creates a Security Group for your Lambda function. By default,
this security group does not allow any inbound or outbound requests, so if the Lambda function needs to make requests
to the outside world, you will need to add the corresponding rules to that security group (its ID is available as the
output variable security_group_id):
Check out the lambda-vpc example for working sample code. Make sure to note the Known Issues
section in that example's README.
How do you share Lambda functions across multiple AWS accounts?
If you want to have a central S3 bucket that you use as a repository for your Lambda functions in one AWS account (e.g., shared-services) and you want to allow all the other accounts (e.g., dev, stage, prod) to access that S3 bucket, you need to do the following:
In the shared-services account, add a bucket policy to allow access to the bucket from other AWS accounts:
s3:GetObjectVersion is only required if you want to use s3 object versioning when deploying lambdas. You also need to enable bucket versioning in such case.
If you want to enable encryption for S3 objects you must use a customer master key, or CMK (see the kms-master-key module) rather than the default key, and ensure that both the shared-services account and all the other accounts (dev, stage, prod) have access to that CMK.
The IAM User or IAM Role which will be running terraform apply for the other accounts (dev, stage, prod) must also be explicitly granted access to the S3 bucket in (1) and the CMK in (2).
Questions? Ask away.
We're here to talk about our services, answer any questions, give advice, or just to chat.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"f8cd3b3eed9be036e0678794070e05d88b4a196c"}]},{"name":".gitignore","path":".gitignore","sha":"8856aa91519493c35e5e717d52f531d52612dfdc"},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"4ea66ff80f04d5013f666c752310424c22919251"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"555c0c6e23a7502acbef94fb0b77bfa759ba11e8"},{"name":"LICENSE.txt","path":"LICENSE.txt","sha":"f4e3d9bd4717a044ed31ad847a300eee74371a78"},{"name":"README.md","path":"README.md","sha":"92ccefcdcf95442db0388cf7b9431dccd468a9c7"},{"name":"examples","children":[{"name":"lambda-build","children":[{"name":"README.md","path":"examples/lambda-build/README.md","sha":"922fd81fe36879d68d3b4d850ae131100590379c"},{"name":"main.tf","path":"examples/lambda-build/main.tf","sha":"4f85389ff3d696f0df6afe34c69f593de2be0d6b"},{"name":"outputs.tf","path":"examples/lambda-build/outputs.tf","sha":"28fc5ab8cc109b761b4697e68067f4eefc6ee0dd"},{"name":"python","children":[{"name":"Dockerfile","path":"examples/lambda-build/python/Dockerfile","sha":"733d628db3e066d8d23076d035fdd3a26ca80bf8"},{"name":"build.sh","path":"examples/lambda-build/python/build.sh","sha":"bf53f2bdde463e8bd2f1a4f93009ecb1c6c0c206"},{"name":"requirements.txt","path":"examples/lambda-build/python/requirements.txt","sha":"451185f2d13849f778627a85aab7238efdb8e228"},{"name":"src","children":[{"name":"__init.py__","path":"examples/lambda-build/python/src/__init.py__","sha":"1b58820b01935d58928ad905427bd838c5e80123"},{"name":"index.py","path":"examples/lambda-build/python/src/index.py","sha":"d0233c21dc7572caead57e7e60c8d75a13312ea0"},{"name":"test_harness.py","path":"examples/lambda-build/python/src/test_harness.py","sha":"73edf34edf789e6f57b0d8288cedb22ec9d37bc3"}]}]},{"name":"vars.tf","path":"examples/lambda-build/vars.tf","sha":"a3db97ba1c39d962d7c36064206535c618ce4083"}]},{"name":"lambda-dead-letter-queue","children":[{"name":"README.md","path":"examples/lambda-dead-letter-queue/README.md","sha":"25dfce9f066a85b998fc7a0e52aff4ab716a0ecc"},{"name":"main.tf","path":"examples/lambda-dead-letter-queue/main.tf","sha":"6aa62e0561afac362023258653848b9ca2748634"},{"name":"outputs.tf","path":"examples/lambda-dead-letter-queue/outputs.tf","sha":"c9f9f5be8eec0260e59b908a0c64d481522e7435"},{"name":"python","children":[{"name":"index.py","path":"examples/lambda-dead-letter-queue/python/index.py","sha":"fdb82c37d271ffb7c508ea1fb9a465cc6d0cc330"}]},{"name":"vars.tf","path":"examples/lambda-dead-letter-queue/vars.tf","sha":"942b373fd87b2e4f0cdae56b12ae6e678bd88133"}]},{"name":"lambda-edge","children":[{"name":"README.md","path":"examples/lambda-edge/README.md","sha":"3d5f9863348407a5a11d00240a5dc92e84a8e3df"},{"name":"main.tf","path":"examples/lambda-edge/main.tf","sha":"4efa66103627bf629c3571830d3a2915ef34c44c"},{"name":"nodejs","children":[{"name":"index.js","path":"examples/lambda-edge/nodejs/index.js","sha":"927b0d194260ca2517369f584a0b49513433f8e9"}]},{"name":"outputs.tf","path":"examples/lambda-edge/outputs.tf","sha":"f26239ec90f6ceca5165be5d5b9f9fb26635120e"},{"name":"vars.tf","path":"examples/lambda-edge/vars.tf","sha":"696c7c319ca3c2d4b6ca10e79ca6ce8efbf57b51"}]},{"name":"lambda-keep-warm","children":[{"name":"README.md","path":"examples/lambda-keep-warm/README.md","sha":"d9828b74307b72a59f9c62c5578adc9a3dd7ae59"},{"name":"main.tf","path":"examples/lambda-keep-warm/main.tf","sha":"7cdc42a8698dba79689b631349399baba8fd3a27"},{"name":"outputs.tf","path":"examples/lambda-keep-warm/outputs.tf","sha":"62a79ed810f3cde44b54d91505647e358752ff4a"},{"name":"src","children":[{"name":"index.js","path":"examples/lambda-keep-warm/src/index.js","sha":"a06e3ce1dddfe2692eeb5b2606873affc975bb76"}]},{"name":"vars.tf","path":"examples/lambda-keep-warm/vars.tf","sha":"1409b361ac77a8a5c64868de4dc06c716f2dcf66"}]},{"name":"lambda-s3-deployment-package","children":[{"name":"README.md","path":"examples/lambda-s3-deployment-package/README.md","sha":"a4adf84621831cdc686ad125a567957a8f8967c7"},{"name":"main.tf","path":"examples/lambda-s3-deployment-package/main.tf","sha":"3927ed54e314110301281542be8d1a2f4979c6a8"},{"name":"outputs.tf","path":"examples/lambda-s3-deployment-package/outputs.tf","sha":"28fc5ab8cc109b761b4697e68067f4eefc6ee0dd"},{"name":"python","children":[{"name":"index.py","path":"examples/lambda-s3-deployment-package/python/index.py","sha":"eaa4418c2160ad4c4d3af22db1486792e6fee11f"},{"name":"test_harness.py","path":"examples/lambda-s3-deployment-package/python/test_harness.py","sha":"6c8f8c4c4a9ac1aedd12a5e0babae588565d22b4"}]},{"name":"vars.tf","path":"examples/lambda-s3-deployment-package/vars.tf","sha":"c21f2df459e0775158faa1dd9e86cb0666d688c4"}]},{"name":"lambda-s3","children":[{"name":"README.md","path":"examples/lambda-s3/README.md","sha":"037fbac52c44915b0fc66c47b0337441a64495ce"},{"name":"images","children":[{"name":"gruntwork-logo.png","path":"examples/lambda-s3/images/gruntwork-logo.png","sha":"a351cbef55bb12a9aa2652469416a388e9e276de"}]},{"name":"main.tf","path":"examples/lambda-s3/main.tf","sha":"dcc9af2e14067e9c910cf8e8500ce53b18237a03"},{"name":"outputs.tf","path":"examples/lambda-s3/outputs.tf","sha":"729892970d1ffc9122cef114133614945b9c7853"},{"name":"python","children":[{"name":"index.py","path":"examples/lambda-s3/python/index.py","sha":"9382fa2e2c3956f1c5ae1467de0f3942cad5bf34"},{"name":"test_harness.py","path":"examples/lambda-s3/python/test_harness.py","sha":"723f97fdacc7155bac0a3d9e12715a7bd6ba6c41"}]},{"name":"vars.tf","path":"examples/lambda-s3/vars.tf","sha":"abc518949b9d570263e8614834b0005aa58b40b9"}]},{"name":"lambda-vpc","children":[{"name":"README.md","path":"examples/lambda-vpc/README.md","sha":"af08d793ac3a6c5d5251cbe88ab2358c56616a84"},{"name":"javascript","children":[{"name":"index.js","path":"examples/lambda-vpc/javascript/index.js","sha":"1c4d37c47144c12acaa1306952c6e8512b201744"}]},{"name":"main.tf","path":"examples/lambda-vpc/main.tf","sha":"0b15b81ad6d8d0896cc59b9508d69f1332ab5353"},{"name":"outputs.tf","path":"examples/lambda-vpc/outputs.tf","sha":"eb9cbc764168459df0fa63742281ef87b5919f2e"},{"name":"vars.tf","path":"examples/lambda-vpc/vars.tf","sha":"17ee714bfd63e99dc13f625e88cca231e4e47a78"}]},{"name":"scheduled-lambda-job","children":[{"name":"README.md","path":"examples/scheduled-lambda-job/README.md","sha":"d757b26ae306a94fc854fbbaaebedc1ae26d82b6"},{"name":"javascript","children":[{"name":"index.js","path":"examples/scheduled-lambda-job/javascript/index.js","sha":"92e0906a7d45397aedbda160a61f50321f7c23e4"}]},{"name":"main.tf","path":"examples/scheduled-lambda-job/main.tf","sha":"87888cb4d44d1e7b3118a9a9449eb95bc68aec53"},{"name":"outputs.tf","path":"examples/scheduled-lambda-job/outputs.tf","sha":"eb9cbc764168459df0fa63742281ef87b5919f2e"},{"name":"vars.tf","path":"examples/scheduled-lambda-job/vars.tf","sha":"d3a08b377cc2cb908fb23af423b1700b19e3a684"}]}]},{"name":"modules","children":[{"name":"keep-warm","children":[{"name":"README.md","path":"modules/keep-warm/README.md","sha":"0d78638c9cdebd91c1ae4c0d2dcfea520c9b3105"},{"name":"main.tf","path":"modules/keep-warm/main.tf","sha":"a285dcd56ecfc92f5f05b5f490cdcb58f83dba8b"},{"name":"outputs.tf","path":"modules/keep-warm/outputs.tf","sha":"5fc4667c38e2694986e16b9808e9957ec0ad5d5b"},{"name":"src","children":[{"name":"index.js","path":"modules/keep-warm/src/index.js","sha":"16c923525b669ef04cfb039349ad6dd906720caa"}]},{"name":"vars.tf","path":"modules/keep-warm/vars.tf","sha":"af0fe8836a6bfd5f929a9534290c6e8f5943037a"}]},{"name":"lambda-edge","children":[{"name":"README.md","path":"modules/lambda-edge/README.md","sha":"9e87c414c239a67e36e433ea2172b05cc194154a"},{"name":"main.tf","path":"modules/lambda-edge/main.tf","sha":"1dcbef4be9a0fd08020d1f0a5a66c3acdc3fff3d"},{"name":"outputs.tf","path":"modules/lambda-edge/outputs.tf","sha":"275b9eda581185081ec7b34ba330d9204c4789dd"},{"name":"vars.tf","path":"modules/lambda-edge/vars.tf","sha":"a6c6cf9472d4ee36cc0b42158c39d1cc27f49824"}]},{"name":"lambda","children":[{"name":"README.md","path":"modules/lambda/README.md","sha":"bdc61f16defdbd786418c105689f4dd01341a945","toggled":true},{"name":"main.tf","path":"modules/lambda/main.tf","sha":"a85a41ea4782da3d2bd769378de41a6a6d4bbf43"},{"name":"outputs.tf","path":"modules/lambda/outputs.tf","sha":"d23e274092901495abd46b2ca5502518acfa32ec"},{"name":"vars.tf","path":"modules/lambda/vars.tf","sha":"5b6a62b72d696775c406b74ed7d5c3440baf7f7b"}],"toggled":true},{"name":"scheduled-lambda-job","children":[{"name":"README.md","path":"modules/scheduled-lambda-job/README.md","sha":"ea9c111f016d8e6546d8608dd7fc25433a1fc7d0"},{"name":"main.tf","path":"modules/scheduled-lambda-job/main.tf","sha":"cd6c3c7dd59190ee6dcb5f2e4a23047fb097d38e"},{"name":"outputs.tf","path":"modules/scheduled-lambda-job/outputs.tf","sha":"63274208aa97eceb03826f154973e010b1e8c539"},{"name":"vars.tf","path":"modules/scheduled-lambda-job/vars.tf","sha":"867285ceb2d1ce3c0352b7110ac7711b8fb0d7f6"}]}],"toggled":true},{"name":"owners.txt","path":"owners.txt","sha":"bc3c9b6136485d9fa12b39f55b2ebbdeaa03583f"},{"name":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","path":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","sha":"ae586c0fe830819580e1009d41a9074f16e65bed"},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"ef26d3851db2fff0b36dfa61379724c0db9ff281"},{"name":"go.mod","path":"test/go.mod","sha":"1debc2d201e1101b5c3d5675ede1ae4308c91b51"},{"name":"go.sum","path":"test/go.sum","sha":"9604fdcd8b9ec40c34ab4a3b0a721a6201b1adaa"},{"name":"gruntwork-logo.base64.txt","path":"test/gruntwork-logo.base64.txt","sha":"e94e107e3a8ea8c875a4489071137a38d279dc10"},{"name":"helpers_test.go","path":"test/helpers_test.go","sha":"f75f0d70512061aa17d34a686c4e0d0579073b75"},{"name":"lambda_build_test.go","path":"test/lambda_build_test.go","sha":"284ed155e95097334426ba6fb4f1fc669bb775c2"},{"name":"lambda_dead_letter_queue_test.go","path":"test/lambda_dead_letter_queue_test.go","sha":"fe2d73dc899a097f965126bcb1dcc2d4b72010f4"},{"name":"lambda_edge_test.go","path":"test/lambda_edge_test.go","sha":"25b0659f4defc830cb26ea26dca2fbcb508c2399"},{"name":"lambda_keep_warm_test.go","path":"test/lambda_keep_warm_test.go","sha":"6cb968e65b7cc1171ad8f8cc76c49523d19480e5"},{"name":"lambda_s3_deployment_package_test.go","path":"test/lambda_s3_deployment_package_test.go","sha":"35e061cb25ae8745c7d4a0039dda98c6dd9bee04"},{"name":"lambda_s3_reserved_test.go","path":"test/lambda_s3_reserved_test.go","sha":"62f81d1f78b6d10eb32e5bc2c6d5fedaf1803cf2"},{"name":"lambda_s3_test.go","path":"test/lambda_s3_test.go","sha":"9d22b32b32e23f134648b6926f2e9866ae36da7a"},{"name":"lambda_vpc_test.go","path":"test/lambda_vpc_test.go","sha":"d35960594af1b4dca0963777fd7951d317a1b6e7"},{"name":"scheduled_lambda_job_test.go","path":"test/scheduled_lambda_job_test.go","sha":"7a436697712dc8222c2850be10e1fe2e2e727df9"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"lambda-function-module\">Lambda Function Module</h1><div class=\"preview__body--border\"></div><p>This module makes it easy to deploy and manage an <a href=\"https://aws.amazon.com/lambda/\" class=\"preview__body--description--blue\" target=\"_blank\">AWS Lambda</a> function. Lambda gives\nyou a way to run code on-demand in AWS without having to manage servers.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-use-this-module\">How do you use this module?</h2>\n<ul>\n<li>See the <a href=\"/repos/v0.13.0/package-lambda/README.md\" class=\"preview__body--description--blue\">root README</a> for instructions on using Terraform modules.</li>\n<li>See the <a href=\"/repos/v0.13.0/package-lambda/examples/lambda-s3\" class=\"preview__body--description--blue\">lambda-s3 example</a> folder for sample usage.</li>\n<li>See <a href=\"/repos/v0.13.0/package-lambda/modules/lambda/vars.tf\" class=\"preview__body--description--blue\">vars.tf</a> for all the variables you can set on this module.</li>\n</ul>\n<p>The general idea is to:</p>\n<ol>\n<li>Create a folder that contains your source code in one of the supported languages: Python, JavaScript, Java, etc (see\n<a href=\"https://docs.aws.amazon.com/lambda/latest/dg/programming-model-v2.html\" class=\"preview__body--description--blue\" target=\"_blank\">Lambda programming model</a> for the complete\nlist).</li>\n<li>Use this <code>lambda</code> module to automatically zip that folder, upload it to AWS, and configure it as a Lambda function.</li>\n<li>Trigger your Lambda function using one of the following options:\n<ol>\n<li><a href=\"https://console.aws.amazon.com/lambda/home\" class=\"preview__body--description--blue\" target=\"_blank\">AWS Console UI</a>.</li>\n<li><a href=\"http://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html\" class=\"preview__body--description--blue\" target=\"_blank\">AWS API</a>.</li>\n<li><a href=\"http://docs.aws.amazon.com/cli/latest/reference/lambda/invoke.html\" class=\"preview__body--description--blue\" target=\"_blank\">AWS CLI</a>.</li>\n<li><a href=\"http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html\" class=\"preview__body--description--blue\" target=\"_blank\">API Gateway</a> API you expose.</li>\n<li>An <a href=\"http://docs.aws.amazon.com/lambda/latest/dg/invoking-lambda-function.html\" class=\"preview__body--description--blue\" target=\"_blank\">event source</a>, such as a new\nmessage on an SNS topic or a new file uploaded to S3.</li>\n</ol>\n</li>\n</ol>\n<h2 class=\"preview__body--subtitle\" id=\"what-is-aws-lambda\">What is AWS Lambda?</h2>\n<p><a href=\"https://aws.amazon.com/lambda/\" class=\"preview__body--description--blue\" target=\"_blank\">AWS Lambda</a> lets you run code without provisioning or managing servers. You define a\nfunction in a supported language (currently: Python, JavaScript, Java, and C#), upload the code to Lambda, specify how\nthat function can be triggered, and then AWS Lambda takes care of all the details of deploying and scaling the\ninfrastructure to run that code.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-add-additional-iam-policies-and-permissions\">How do you add additional IAM policies and permissions?</h2>\n<p>By default, the <code>lambda</code> module configures your lambda function with an IAM role that allows it to write logs to\nCloudWatch Logs. The ID of the IAM role is exported as the output <code>iam_role_id</code> and the ID of the lambda function is\nexported as the output <code>function_arn</code>, so you can add custom rules using the <code>aws_iam_role_policy</code> or\n<code>aws_lambda_permission</code> resources, respectively. For example, to allow your lambda function to be triggered by SNS:</p>\n<pre><span class=\"hljs-keyword\">module</span> <span class=\"hljs-string\">\"my_lambda_function\"</span> {\n source = <span class=\"hljs-string\">\"git::git@github.com:gruntwork-io/terraform-aws-lambda.git//modules/lambda?ref=v1.0.8\"</span>\n <span class=\"hljs-comment\"># (params omitted)</span>\n}\n\n<span class=\"hljs-keyword\">resource</span> <span class=\"hljs-string\">\"aws_lambda_permission\"</span> <span class=\"hljs-string\">\"with_sns\"</span> {\n statement_id = <span class=\"hljs-string\">\"AllowExecutionFromSNS\"</span>\n action = <span class=\"hljs-string\">\"lambda:InvokeFunction\"</span>\n function_name = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${module.my_lambda_function.function_arn}</span>\"</span>\n principal = <span class=\"hljs-string\">\"sns.amazonaws.com\"</span>\n source_arn = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${aws_sns_topic.default.arn}</span>\"</span>\n}\n</pre>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-give-the-lambda-function-access-to-a-vpc\">How do you give the lambda function access to a VPC?</h2>\n<p>By default, your Lambda functions do not have access to your VPCs or subnets. If the lambda function needs to be able\nto talk to something directly within your VPC, you need to:</p>\n<ol>\n<li>Set the <code>run_in_vpc</code> parameter to <code>true</code>.</li>\n<li>Specify the ID of the VPC your Lambda function should be able to access via the <code>vpc_id</code> parameter.</li>\n<li>Specify the IDs of the subnets your Lambda function should be able to access via the <code>subnet_ids</code> parameter.</li>\n</ol>\n<p>Here's an example:</p>\n<pre><span class=\"hljs-keyword\">module</span> <span class=\"hljs-string\">\"my_lambda_function\"</span> {\n source = <span class=\"hljs-string\">\"git::git@github.com:gruntwork-io/terraform-aws-lambda.git//modules/lambda?ref=v1.0.8\"</span>\n \n run_in_vpc = true\n vpc_id = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${data.terraform_remote_state.vpc.id}</span>\"</span>\n subnet_ids = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${data.terraform_remote_state.vpc.private_app_subnet_ids}</span>\"</span>\n \n <span class=\"hljs-comment\"># (other params omitted)</span>\n}\n</pre>\n<p>When you set <code>run_in_vpc</code> to <code>true</code>, this module also creates a Security Group for your Lambda function. By default,\nthis security group does not allow any inbound or outbound requests, so if the Lambda function needs to make requests\nto the outside world, you will need to add the corresponding rules to that security group (its ID is available as the\noutput variable <code>security_group_id</code>):</p>\n<pre><span class=\"hljs-keyword\">module</span> <span class=\"hljs-string\">\"my_lambda_function\"</span> {\n source = <span class=\"hljs-string\">\"git::git@github.com:gruntwork-io/terraform-aws-lambda.git//modules/lambda?ref=v1.0.8\"</span>\n \n run_in_vpc = true\n vpc_id = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${data.terraform_remote_state.vpc.id}</span>\"</span>\n subnet_ids = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${data.terraform_remote_state.vpc.private_app_subnet_ids}</span>\"</span>\n \n <span class=\"hljs-comment\"># (other params omitted)</span>\n}\n\n<span class=\"hljs-keyword\">resource</span> <span class=\"hljs-string\">\"aws_security_group_rule\"</span> <span class=\"hljs-string\">\"allow_all_outbound_to_vpc\"</span> {\n type = <span class=\"hljs-string\">\"egress\"</span>\n from_port = <span class=\"hljs-number\">0</span>\n to_port = <span class=\"hljs-number\">0</span>\n protocol = <span class=\"hljs-string\">\"-1\"</span>\n cidr_blocks = [<span class=\"hljs-string\">\"<span class=\"hljs-variable\">${data.terraform_remote_state.vpc.vpc_cidr_block}</span>\"</span>]\n security_group_id = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${module.my_lambda_function.security_group_id}</span>\"</span>\n}\n</pre>\n<p>Check out the <a href=\"/repos/v0.13.0/package-lambda/examples/lambda-vpc\" class=\"preview__body--description--blue\">lambda-vpc example</a> for working sample code. Make sure to note the Known Issues\nsection in that example's README.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-share-lambda-functions-across-multiple-aws-accounts\">How do you share Lambda functions across multiple AWS accounts?</h2>\n<p>If you want to have a central S3 bucket that you use as a repository for your Lambda functions in one AWS account (e.g., <code>shared-services</code>) and you want to allow all the other accounts (e.g., <code>dev</code>, <code>stage</code>, <code>prod</code>) to access that S3 bucket, you need to do the following:</p>\n<ol>\n<li>In the <code>shared-services</code> account, add a bucket policy to allow access to the bucket from other AWS accounts:<pre>{\n <span class=\"hljs-attr\">\"Version\"</span>: <span class=\"hljs-string\">\"2012-10-17\"</span>,\n <span class=\"hljs-attr\">\"Statement\"</span>: [\n {\n <span class=\"hljs-attr\">\"Sid\"</span>: <span class=\"hljs-string\">\"ReadOnlyAccessForExternalAccounts\"</span>,\n <span class=\"hljs-attr\">\"Effect\"</span>: <span class=\"hljs-string\">\"Allow\"</span>,\n <span class=\"hljs-attr\">\"Principal\"</span>: {\n <span class=\"hljs-attr\">\"AWS\"</span>: [\n <span class=\"hljs-string\">\"arn:aws:iam::222222222222:root\"</span>,\n <span class=\"hljs-string\">\"arn:aws:iam::333333333333:root\"</span>,\n <span class=\"hljs-string\">\"arn:aws:iam::444444444444:root\"</span> \n ]\n },\n <span class=\"hljs-attr\">\"Action\"</span>: [\n <span class=\"hljs-string\">\"s3:GetObjectVersion\"</span>,\n <span class=\"hljs-string\">\"s3:GetObject\"</span>\n ],\n <span class=\"hljs-attr\">\"Resource\"</span>: <span class=\"hljs-string\">\"arn:aws:s3:::bucket-name/*\"</span>\n }\n ]\n}\n</pre>\n<code>s3:GetObjectVersion</code> is only required if you want to use <code>s3 object versioning</code> when deploying <code>lambdas</code>. You also need to enable <code>bucket versioning</code> in such case.</li>\n<li>If you want to enable <code>encryption</code> for <code>S3 objects</code> you must use a customer master key, or CMK (see the <a href=\"/repos/terraform-aws-security/modules/kms-master-key\" class=\"preview__body--description--blue\">kms-master-key</a> module) rather than the default key, and ensure that both the <code>shared-services</code> account and all the other accounts (<code>dev</code>, <code>stage</code>, <code>prod</code>) have access to that CMK.</li>\n<li>The IAM User or IAM Role which will be running <code>terraform apply</code> for the other accounts (<code>dev</code>, <code>stage</code>, <code>prod</code>) must also be explicitly granted access to the S3 bucket in (1) and the CMK in (2).</li>\n</ol>\n","repoName":"package-lambda","repoRef":"v0.10.1","serviceDescriptor":{"serviceName":"AWS Lambda","serviceRepoName":"package-lambda","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"Deploy Lambda functions with Terraform. Supports uploading deployment packages, configuring environment variables, and scheduled functions.","imageUrl":"lambda.png","licenseType":"subscriber","technologies":["Terraform","Bash"],"compliance":[],"tags":[""]},"serviceCategoryName":"Serverless","fileName":"README.md","filePath":"/modules/lambda","title":"Repo Browser: AWS Lambda","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}