feature: add support for providing an lambda image

schubergphilis · Dec 30, 2024 · a686421 · a686421
1 parent 9f9c3df
commit a686421
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,11 @@
 
 Terraform module to create an AWS Lambda function.
 
-IMPORTANT: We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable.
+> [!TIP] 
+> We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable.
+
+> [!IMPORTANT] 
+> Exactly one of `var.filename`, `var.image_config.uri`, or `var.s3_bucket` must be specified when using the module.
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements

diff --git a/UPGRADING.md b/UPGRADING.md
@@ -23,6 +23,9 @@ The following variables have been removed:
 
 * `create_policy`. This variable is not deemed necessary anymore, creating the policy is controlled by providing an `execution_role.policy`.
 
+The following variable defaults have been modified:
+
+* `runtime` → default: `python3.13` (previous: `python3.10`).
 
 ## Upgrading to v1.0.0
 

diff --git a/main.tf b/main.tf
@@ -5,6 +5,7 @@ locals {
   ephemeral_storage          = var.ephemeral_storage_size != null ? { create : true } : {}
   execution_type             = var.subnet_ids == null ? "Basic" : "VPCAccess"
   filename                   = var.filename != null ? var.filename : data.archive_file.dummy.output_path
+  image_config               = var.image_config != null ? { create : true } : {}
   source_code_hash           = var.source_code_hash != null ? var.source_code_hash : var.filename != null ? filebase64sha256(var.filename) : null
   tracing_config             = var.tracing_config_mode != null ? { create : true } : {}
   vpc_config                 = var.subnet_ids != null ? { create : true } : {}
@@ -134,16 +135,18 @@ resource "aws_lambda_function" "default" {
   architectures                  = [var.architecture]
   code_signing_config_arn        = var.code_signing_config_arn
   description                    = var.description
-  filename                       = var.s3_bucket == null ? local.filename : null
+  filename                       = var.s3_bucket == null && var.image_uri == null ? local.filename : null
   function_name                  = var.name
-  handler                        = var.handler
+  handler                        = var.package_type == "Zip" ? var.handler : null
+  image_uri                      = var.image_config != null ? var.image_config.uri : null
   kms_key_arn                    = var.environment != null ? var.kms_key_arn : null
   layers                         = var.layers
   memory_size                    = var.memory_size
+  package_type                   = var.package_type
   publish                        = var.publish
   reserved_concurrent_executions = var.reserved_concurrency
   role                           = var.execution_role_custom != null ? var.execution_role_custom.arn : module.lambda_role[0].arn
-  runtime                        = var.runtime
+  runtime                        = var.package_type == "Zip" ? var.runtime : null
   s3_bucket                      = var.s3_bucket
   s3_key                         = var.s3_key
   s3_object_version              = var.s3_object_version
@@ -167,6 +170,24 @@ resource "aws_lambda_function" "default" {
     }
   }
 
+  dynamic "ephemeral_storage" {
+    for_each = local.ephemeral_storage
+
+    content {
+      size = var.ephemeral_storage_size
+    }
+  }
+
+  dynamic "image_config" {
+    for_each = local.image_config
+
+    content {
+      command           = var.image_config.command
+      entry_point       = var.image_config.entry_point
+      working_directory = var.image_config.working_directory
+    }
+  }
+
   dynamic "tracing_config" {
     for_each = local.tracing_config
 
@@ -183,12 +204,4 @@ resource "aws_lambda_function" "default" {
       security_group_ids = length(var.security_group_ids) > 0 ? var.security_group_ids : [aws_security_group.default[0].id]
     }
   }
-
-  dynamic "ephemeral_storage" {
-    for_each = local.ephemeral_storage
-
-    content {
-      size = var.ephemeral_storage_size
-    }
-  }
 }
diff --git a/variables.tf b/variables.tf
@@ -105,6 +105,22 @@ variable "handler" {
   description = "The function entrypoint in your code"
 }
 
+variable "image_config" {
+  type = object({
+    command           = optional(list(string), [])
+    entry_point       = optional(list(string), [])
+    uri               = optional(string)
+    working_directory = optional(string)
+  })
+  default     = null
+  description = "Container image configuration values. The ECR image URI must be a private ECR URI."
+
+  validation {
+    condition     = var.image_config == null || can(regex("^[0-9]{12}.dkr.ecr.[a-zA-Z0-9-]+.amazonaws.com/.+$", var.image_config.uri))
+    error_message = "The \"uri\" be a valid private ECR URI."
+  }
+}
+
 variable "kms_key_arn" {
   type        = string
   default     = null
@@ -134,6 +150,17 @@ variable "name" {
   description = "The name of the lambda"
 }
 
+variable "package_type" {
+  type        = string
+  default     = "Zip"
+  description = "The Lambda deployment package type."
+
+  validation {
+    condition     = contains(["Image", "Zip"], var.package_type)
+    error_message = "Allowed values are \"Image\" or \"Zip\"."
+  }
+}
+
 variable "publish" {
   type        = bool
   default     = false
@@ -154,7 +181,7 @@ variable "retries" {
 
 variable "runtime" {
   type        = string
-  default     = "python3.10"
+  default     = "python3.13"
   description = "The function runtime to use"
 }
 
@@ -176,12 +203,6 @@ variable "s3_object_version" {
   description = "The object version containing the function's deployment package"
 }
 
-variable "security_group_ids" {
-  type        = list(string)
-  default     = []
-  description = "The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created"
-}
-
 variable "security_group_egress_rules" {
   type = list(object({
     cidr_ipv4                    = optional(string)
@@ -202,6 +223,12 @@ variable "security_group_egress_rules" {
   }
 }
 
+variable "security_group_ids" {
+  type        = list(string)
+  default     = []
+  description = "The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created"
+}
+
 variable "security_group_name_prefix" {
   type        = string
   default     = null
@@ -236,4 +263,9 @@ variable "tracing_config_mode" {
   type        = string
   default     = null
   description = "The lambda's AWS X-Ray tracing configuration"
-}
+
+  validation {
+    condition     = var.tracing_config_mode == null || var.tracing_config_mode == "Active" || var.tracing_config_mode == "PassThrough"
+    error_message = "If provided, allowed values are \"Active\" or \"PassThrough\"."
+  }
+}