Requirements

Name	Version
terraform	>= 1.0
archive	~> 2.3.0
aws	>= 5.32

Providers

Name	Version
archive	2.3.0
aws	5.37.0

Modules

Name	Source	Version
lambda	terraform-aws-modules/lambda/aws	~> 7.2.1
lambda_gha	philips-labs/github-oidc/aws	~> 0.7.0
oidc_provider	philips-labs/github-oidc/aws//modules/provider	~> 0.7.0

Resources

Name	Type
aws_iam_role_policy.sign_code	resource
aws_iam_role_policy.update_lambda	resource
aws_iam_role_policy.update_lambda_edge	resource
archive_file.dummy	data source
aws_caller_identity.current	data source
aws_iam_openid_connect_provider.github	data source
aws_iam_policy_document.sign_code	data source
aws_iam_policy_document.update_lambda	data source
aws_iam_policy_document.update_lambda_combined	data source
aws_iam_policy_document.update_lambda_edge	data source
aws_iam_policy_document.update_lambda_edge_combined	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
allowed_triggers	Map of allowed triggers to create Lambda permissions	map(any)	{}	no
apigw_arn	API Gateway ARN	string	null	no
architectures	Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"].	list(string)	null	no
attach_network_policy	Flag to attach network policy to use VPC subnet and security group	bool	false	no
attach_policies	Controls whether AWS managed policies should be added to IAM role for Lambda Function (e.g AWSLambdaBasicExecutionRole)	bool	false	no
attach_policy_json	Controls whether policy_json should be added to IAM role for Lambda Function	bool	false	no
attach_policy_jsons	Controls whether policy_jsons should be added to IAM role for Lambda Function	bool	false	no
attach_policy_statements	Controls whether policy_jsons should be added to IAM role for Lambda Function	bool	false	no
attach_tracing_policy	whether to attach tracing policy to lambda role	bool	false	no
authorization_type	The type of authentication that the Lambda Function URL uses. Set to 'AWS_IAM' to restrict access to authenticated IAM users only. Set to 'NONE' to bypass IAM authentication and create a public endpoint.	string	"NONE"	no
cf_distribution_id	distribution id to allow oidc role to update edge functions that are attached	string	null	no
cloudwatch_logs_retention_in_days	Number of days the cloudwatch logs will be retained. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.	number	7	no
code_signing_config_arn	Amazon Resource Name (ARN) for a Code Signing Configuration	string	null	no
cors	CORS settings to be used by the Lambda Function URL	any	{}	no
create_current_version_allowed_triggers	Whether to allow triggers on current version of Lambda Function (this will revoke permissions from previous version because Terraform manages only current resources)	bool	true	no
create_github_actions_edge_role	Controls whether to create for lambda edge functions	bool	false	no
create_github_actions_oidc_provider	Controls Whether to create openid connect provider.	bool	false	no
create_github_actions_role	Controls whether to create AWS OIDC integration GitHub Actions	bool	true	no
create_github_actions_signed_code_role	Controls whether to grant s3 access and signer access to GitHub Actions	bool	false	no
create_lambda_cloudwatch_log_group	Controls whether the Lambda Role	bool	true	no
create_lambda_function_url	Controls whether the Lambda Function URL resource should be created	bool	false	no
create_lambda_role	Controls whether the Lambda Role	bool	true	no
create_unqualified_alias_lambda_function_url	Whether to use unqualified alias pointing to $LATEST version in Lambda Function URL	bool	true	no
dead_letter_target_arn	The ARN of an SNS topic or SQS queue to notify when an invocation fails.	string	null	no
default_conditions	(Optional) Default condtions to apply, at least one of the following is madatory: 'allow_main', 'allow_environment', 'deny_pull_request' and 'allow_all'.	list(string)	[ "allow_main", "allow_environment" ]	no
deployer_lambda_additional_permission	Additional permission needed by lambda deployer in json format	string	null	no
deployer_lambda_edge_additional_permission	Additional permission needed by lambda edge deployer in json format	string	null	no
description	Lambda Function Description	string	""	no
enable_version_identifier	Enable version identifier for lambda function	bool	false	no
environment_variables	A map that defines environment variables for the Lambda Function.	map(string)	{}	no
ephemeral_storage_size	Amount of ephemeral storage (/tmp) in MB your Lambda Function can use at runtime. Valid value between 512 MB to 10,240 MB (10 GB).	number	512	no
event_source_mapping	Map of event source mapping	any	{}	no
function_name	Lambda Function Name	string	n/a	yes
function_prefix	Prefix for the IAM role for lambda functions	string	""	no
function_tags	A map of tags to assign only to the lambda function	map(string)	{}	no
github_repo	GitHub repo to grant access to assume a role via OIDC.	object({ repo = string branches = optional(list(string), []) environments = optional(list(string), ["*"]) tags = optional(list(string), []) # Custom Role name. It will autocreate based on repo if not provided role_name = optional(string) })	n/a	yes
handler	Lambda Function Index Handler	string	"index.handler"	no
image_config_command	The CMD for the docker image	list(string)	[]	no
image_config_entry_point	The ENTRYPOINT for the docker image	list(string)	[]	no
image_config_working_directory	The working directory for the docker image	string	null	no
image_uri	The ECR image URI containing the function's deployment package.	string	null	no
kms_key_arn	The ARN of KMS key to use by your Lambda Function	string	null	no
lambda_at_edge	Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function	bool	false	no
lambda_role	IAM role ARN attached to the Lambda Function. This governs both who / what can invoke your Lambda Function, as well as what resources our Lambda Function has access to. See Lambda Permission Model for more details.	string	""	no
layers	List of Lambda Layer Version ARNs (maximum of 5) to attach to your Lambda Function.	list(string)	null	no
logging_application_log_level	The application log level of your lambda	string	"INFO"	no
logging_log_format	Logging format of your lambda	string	"Text"	no
logging_log_group	Log group that your lambda will use	string	null	no
logging_system_log_level	System log level of your lambda	string	"INFO"	no
managed_policy_arns	List of AWS managed policies to attach to IAM role for Lambda Function	list(string)	null	no
memory_size	Amount of memory in MB your Lambda Function can use at runtime. Valid value between 128 MB to 10,240 MB (10 GB), in 64 MB increments.	number	128	no
number_of_managed_policies	Number of AWS managed policies to attach to IAM role for Lambda Function	number	0	no
number_of_policy_jsons	Number of policies JSON to attach to IAM role for Lambda Function	number	0	no
package_type	The Lambda deployment package type. Valid options: Zip or Image	string	"Zip"	no
policy_json	An additional policy document as JSON to attach to the Lambda Function role	string	null	no
policy_jsons	List of additional policies for the lambda execution	list(string)	[]	no
policy_statements	Additional Inline Lambda Policy Statements	any	{}	no
provisioned_concurrent_executions	Amount of capacity to allocate. Set to 1 or greater to enable, or set to -1 to disable provisioned concurrency.	number	-1	no
publish	Whether to publish creation/change as new Lambda Function Version.	bool	false	no
recreate_missing_package	Controls whether to recreate the package if it is missing	bool	true	no
reserved_concurrent_executions	The amount of reserved concurrent executions for this Lambda Function. A value of 0 disables Lambda Function from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1.	number	-1	no
role_name	Name of IAM role to use for Lambda Function.	string	null	no
runtime	Lambda Function runtime	string	"nodejs18.x"	no
signing_bucket_name	Name of the S3 bucket to store code for signing job	string	null	no
signing_profile_name	Name of the signer signing profile to use for signing job	string	null	no
snap_start	(Optional) Snap start settings for low-latency startups	bool	false	no
source_path	The absolute path to a local file or directory containing your Lambda source code	string	null	no
tags	A map of tags to assign to resources.	map(string)	{}	no
timeout	The amount of time your Lambda Function has to run in seconds.	number	3	no
tracing_mode	Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active.	string	null	no
vpc_security_group_ids	List of security group ids when Lambda Function should run in the VPC.	list(string)	null	no
vpc_subnet_ids	List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets.	list(string)	null	no

Outputs

Name	Description
function_url	The function url of lambda function to be able to be set as cloudfront origin
function_url_id	The function url ID of lambda function to be able to be set as cloudfront origin
invoke_arn	The invoke arn of lambda function for APIGW integration
lambda_cloudwatch_log_group_arn	Lambda Cloudwatch Log group
lambda_cloudwatch_log_group_name	Lambda Cloudwatch Log group
lambda_function_arn	Lambda Function ARN
lambda_function_name	Lambda Function Name
lambda_function_version	Latest published version of Lambda Function
lambda_gha_role_name	The crated role that can be assumed for the configured repository.
lambda_role_arn	ARN of the IAM role created for the Lambda Function
lambda_role_name	The name of the IAM role created for the Lambda Function
lambda_role_unique_id	The unique id of the IAM role created for the Lambda Function
qualified_arn	The qualified arn of the lambda function to be associated with Cloudfront as a Lambda@Edge function