[feature]: lambda vpc_config and memory_size

aws-lambda-function/README.md

@@ -24,49 +24,68 @@ module lambda {
 
 | Name | Version |
 |------|---------|
-| aws | < 3.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | < 3.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | < 3.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | < 3.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.lambda_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.lambda_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.lambda_logging_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| at\_edge | Is this lambda going to be used with a Cloufront distribution? If you set this, you will not have control over log retention, and you cannot include environment variables. | `bool` | `false` | no |
-| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
-| environment | Map of environment variables. | `map(string)` | `{}` | no |
-| filename | n/a | `string` | `null` | no |
-| function\_description | Description for lambda function. | `string` | `""` | no |
-| function\_name | If not set, function use default naming convention of $project-$env-$service. See local.name in main.tf | `string` | `null` | no |
-| handler | Name of the lambda handler. | `string` | n/a | yes |
-| kms\_key\_arn | KMS key used to encrypt environment variables. | `string` | `null` | no |
-| lambda\_role\_path | The path to the IAM role for lambda. | `string` | `null` | no |
-| log\_retention\_in\_days | n/a | `number` | `null` | no |
-| owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
-| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
-| publish\_lambda | Whether to publish creation/change as new lambda function version. | `bool` | `false` | no |
-| reserved\_concurrent\_executions | Set reserved\_concurrent\_executions for this function. See [docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html). | `number` | `-1` | no |
-| runtime | Lambda language runtime. | `string` | n/a | yes |
-| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
-| source\_code\_hash | n/a | `string` | `null` | no |
-| source\_s3\_bucket | Bucket holding lambda source code. | `string` | `null` | no |
-| source\_s3\_key | Key identifying location of code. | `string` | `null` | no |
-| timeout | Execution timeout for the lambda. | `number` | `null` | no |
+| <a name="input_at_edge"></a> [at\_edge](#input\_at\_edge) | Is this lambda going to be used with a Cloufront distribution? If you set this, you will not have control over log retention, and you cannot include environment variables. | `bool` | `false` | no |
+| <a name="input_env"></a> [env](#input\_env) | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
+| <a name="input_environment"></a> [environment](#input\_environment) | Map of environment variables. | `map(string)` | `{}` | no |
+| <a name="input_filename"></a> [filename](#input\_filename) | n/a | `string` | `null` | no |
+| <a name="input_function_description"></a> [function\_description](#input\_function\_description) | Description for lambda function. | `string` | `""` | no |
+| <a name="input_function_name"></a> [function\_name](#input\_function\_name) | If not set, function use default naming convention of $project-$env-$service. See local.name in main.tf | `string` | `null` | no |
+| <a name="input_handler"></a> [handler](#input\_handler) | Name of the lambda handler. | `string` | n/a | yes |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key used to encrypt environment variables. | `string` | `null` | no |
+| <a name="input_lambda_role_path"></a> [lambda\_role\_path](#input\_lambda\_role\_path) | The path to the IAM role for lambda. | `string` | `null` | no |
+| <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | n/a | `number` | `null` | no |
+| <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Amount of memory to allocate to the lambda | `number` | `128` | no |
+| <a name="input_owner"></a> [owner](#input\_owner) | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
+| <a name="input_project"></a> [project](#input\_project) | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
+| <a name="input_publish_lambda"></a> [publish\_lambda](#input\_publish\_lambda) | Whether to publish creation/change as new lambda function version. | `bool` | `false` | no |
+| <a name="input_reserved_concurrent_executions"></a> [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | Set reserved\_concurrent\_executions for this function. See [docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html). | `number` | `-1` | no |
+| <a name="input_runtime"></a> [runtime](#input\_runtime) | Lambda language runtime. | `string` | n/a | yes |
+| <a name="input_service"></a> [service](#input\_service) | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
+| <a name="input_source_code_hash"></a> [source\_code\_hash](#input\_source\_code\_hash) | n/a | `string` | `null` | no |
+| <a name="input_source_s3_bucket"></a> [source\_s3\_bucket](#input\_source\_s3\_bucket) | Bucket holding lambda source code. | `string` | `null` | no |
+| <a name="input_source_s3_key"></a> [source\_s3\_key](#input\_source\_s3\_key) | Key identifying location of code. | `string` | `null` | no |
+| <a name="input_timeout"></a> [timeout](#input\_timeout) | Execution timeout for the lambda. | `number` | `null` | no |
+| <a name="input_vpc_config"></a> [vpc\_config](#input\_vpc\_config) | The lambda's vpc configuration | <pre>object({<br>    subnet_ids = list(string),<br>    security_group_ids = list(string)<br>  })</pre> | `null` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| arn | n/a |
-| function\_name | n/a |
-| invoke\_arn | n/a |
-| log\_group\_name | n/a |
-| qualified\_arn | If the lambda function is published, the qualified\_arn points at the latest version number. |
-| role\_id | n/a |
-| role\_name | n/a |
-
+| <a name="output_arn"></a> [arn](#output\_arn) | n/a |
+| <a name="output_function_name"></a> [function\_name](#output\_function\_name) | n/a |
+| <a name="output_invoke_arn"></a> [invoke\_arn](#output\_invoke\_arn) | n/a |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | n/a |
+| <a name="output_qualified_arn"></a> [qualified\_arn](#output\_qualified\_arn) | If the lambda function is published, the qualified\_arn points at the latest version number. |
+| <a name="output_role_id"></a> [role\_id](#output\_role\_id) | n/a |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | n/a |
 <!-- END -->

aws-lambda-function/main.tf

@@ -12,7 +12,7 @@ locals {
 }
 
 
-resource aws_lambda_function lambda {
+resource "aws_lambda_function" "lambda" {
   s3_bucket = var.source_s3_bucket
   s3_key    = var.source_s3_key
 
@@ -31,18 +31,29 @@ resource aws_lambda_function lambda {
 
   reserved_concurrent_executions = var.reserved_concurrent_executions
 
-  dynamic environment {
+  dynamic "environment" {
     for_each = length(var.environment) > 0 ? [0] : []
 
     content {
       variables = var.environment
     }
   }
 
+  dynamic "vpc_config" {
+    for_each = var.vpc_config == null ? [] : [0]
+
+    content {
+      subnet_ids         = var.vpc_config.subnet_ids
+      security_group_ids = var.vpc_config.security_group_ids
+    }
+  }
+
+  memory_size = var.memory_size
+
   tags = local.tags
 }
 
-data aws_iam_policy_document lambda_role_policy {
+data "aws_iam_policy_document" "lambda_role_policy" {
   statement {
     principals {
       type = "Service"
@@ -55,7 +66,7 @@ data aws_iam_policy_document lambda_role_policy {
   }
 }
 
-resource aws_iam_role role {
+resource "aws_iam_role" "role" {
   name = local.name
   path = var.lambda_role_path
 
@@ -64,13 +75,13 @@ resource aws_iam_role role {
   tags = local.tags
 }
 
-resource aws_cloudwatch_log_group log {
+resource "aws_cloudwatch_log_group" "log" {
   name              = "/aws/lambda/${local.name}"
   retention_in_days = var.log_retention_in_days
 }
 
-data aws_region current {}
-data aws_caller_identity current {}
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
 
 # TODO scope this policy down
 #
@@ -81,7 +92,7 @@ data aws_caller_identity current {}
 #   arn:aws:logs:us-west-2:123456789:log-group:/foo/bar
 # to match operations on the log group(like creating a new stream.) So instead we construct one
 # without the colon before the *, so that we can match both log groups and log streams.
-data aws_iam_policy_document lambda_logging_policy {
+data "aws_iam_policy_document" "lambda_logging_policy" {
   statement {
     effect = "Allow"
     actions = compact([
@@ -98,15 +109,37 @@ data aws_iam_policy_document lambda_logging_policy {
   }
 }
 
-resource aws_iam_policy lambda_logging {
+resource "aws_iam_policy" "lambda_logging" {
   name_prefix = "${local.name}-lambda-logging"
   path        = "/"
   description = "IAM policy for logging from the ${local.name} lambda."
 
   policy = data.aws_iam_policy_document.lambda_logging_policy.json
 }
 
-resource aws_iam_role_policy_attachment lambda_logs {
+resource "aws_iam_role_policy_attachment" "lambda_logs" {
   role       = aws_iam_role.role.name
   policy_arn = aws_iam_policy.lambda_logging.arn
 }
+
+// Execution role basic permissions
+data "aws_iam_policy_document" "role" {
+  statement {
+    sid    = "ec2"
+    effect = "Allow"
+    actions = [
+      "ec2:CreateNetworkInterface",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "role" {
+  role   = aws_iam_role.role.name
+  policy = data.aws_iam_policy_document.role.json
+}

aws-lambda-function/outputs.tf

@@ -1,28 +1,28 @@
-output arn {
+output "arn" {
   value = aws_lambda_function.lambda.arn
 }
 
-output qualified_arn {
+output "qualified_arn" {
   description = "If the lambda function is published, the qualified_arn points at the latest version number."
   value       = aws_lambda_function.lambda.qualified_arn
 }
 
-output invoke_arn {
+output "invoke_arn" {
   value = aws_lambda_function.lambda.invoke_arn
 }
 
-output function_name {
+output "function_name" {
   value = aws_lambda_function.lambda.function_name
 }
 
-output log_group_name {
+output "log_group_name" {
   value = aws_cloudwatch_log_group.log.name
 }
 
-output role_name {
+output "role_name" {
   value = aws_iam_role.role.name
 }
 
-output role_id {
+output "role_id" {
   value = aws_iam_role.role.id
 }

aws-lambda-function/variables.tf

@@ -1,110 +1,126 @@
-variable project {
+variable "project" {
   type        = string
   description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable env {
+variable "env" {
   type        = string
   description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable service {
+variable "service" {
   type        = string
   description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable owner {
+variable "owner" {
   type        = string
   description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)"
 }
 
-variable source_s3_bucket {
+variable "source_s3_bucket" {
   type        = string
   description = "Bucket holding lambda source code."
   default     = null
 }
 
-variable source_s3_key {
+variable "source_s3_key" {
   type        = string
   description = "Key identifying location of code."
   default     = null
 }
 
-variable handler {
+variable "handler" {
   type        = string
   description = "Name of the lambda handler."
 }
 
-variable runtime {
+variable "runtime" {
   type        = string
   description = "Lambda language runtime."
 }
 
-variable timeout {
+variable "timeout" {
   type        = number
   description = "Execution timeout for the lambda."
   default     = null
 }
 
-variable environment {
+variable "environment" {
   type        = map(string)
   description = "Map of environment variables."
   default     = {}
 }
 
-variable kms_key_arn {
+variable "kms_key_arn" {
   type        = string
   description = "KMS key used to encrypt environment variables."
   default     = null
 }
 
-variable source_code_hash {
+variable "source_code_hash" {
   type    = string
   default = null
 }
 
-variable filename {
+variable "filename" {
   type    = string
   default = null
 }
 
-variable log_retention_in_days {
+variable "log_retention_in_days" {
   type    = number
   default = null
 }
 
-variable function_name {
+variable "function_name" {
   type        = string
   description = "If not set, function use default naming convention of $project-$env-$service. See local.name in main.tf"
   default     = null
 }
 
-variable function_description {
+variable "function_description" {
   type        = string
   description = "Description for lambda function."
   default     = ""
 }
 
-variable publish_lambda {
+variable "publish_lambda" {
   type        = bool
   description = "Whether to publish creation/change as new lambda function version."
   default     = false
 }
 
-variable lambda_role_path {
+variable "lambda_role_path" {
   type        = string
   description = "The path to the IAM role for lambda."
   default     = null
 }
 
-variable at_edge {
+variable "at_edge" {
   type        = bool
   description = "Is this lambda going to be used with a Cloufront distribution? If you set this, you will not have control over log retention, and you cannot include environment variables."
   default     = false
 }
 
-variable reserved_concurrent_executions {
+variable "reserved_concurrent_executions" {
   type        = number
   description = "Set reserved_concurrent_executions for this function. See [docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html)."
   default     = -1 // aws default
 }
+
+variable "vpc_config" {
+  type = object({
+    subnet_ids         = list(string),
+    security_group_ids = list(string)
+  })
+
+  description = "The lambda's vpc configuration"
+  default     = null
+}
+
+variable "memory_size" {
+  type        = number
+  description = "Amount of memory to allocate to the lambda"
+  default     = 128
+}