diff --git a/README.md b/README.md
index c07b639..38a2337 100644
--- a/README.md
+++ b/README.md
@@ -4,95 +4,97 @@ Terraform module to create an AWS Lambda function. IMPORTANT: We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable. +IMPORTANT: exactly one of filename, image_uri, or s3_bucket must be specified when using the module. + ## Requirements -| Name | Version | -|------|---------| +| Name | Version | +| ------------------------------------------------------------------------- | --------- | | [terraform](#requirement\_terraform) | >= 0.13.0 | -| [archive](#requirement\_archive) | >= 2.0.0 | -| [aws](#requirement\_aws) | >= 4.9.0 | +| [archive](#requirement\_archive) | >= 2.0.0 | +| [aws](#requirement\_aws) | >= 4.9.0 | ## Providers -| Name | Version | -|------|---------| +| Name | Version | +| ------------------------------------------------------------- | -------- | | [archive](#provider\_archive) | >= 2.0.0 | -| [aws](#provider\_aws) | >= 4.9.0 | +| [aws](#provider\_aws) | >= 4.9.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [lambda\_role](#module\_lambda\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.3 | +| Name | Source | Version | +| ----------------------------------------------------------------------- | ------------------------------------------------- | ------- | +| [lambda\_role](#module\_lambda\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.3 | ## Resources -| Name | Type | -|------|------| -| [aws_cloudwatch_log_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_lambda_function.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | -| [aws_lambda_function_event_invoke_config.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_event_invoke_config) | 
resource | -| [aws_s3_object.s3_dummy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | -| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_vpc_security_group_egress_rule.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | -| [archive_file.dummy](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | -| [aws_subnet.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | +| [aws_cloudwatch_log_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_lambda_function.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function_event_invoke_config.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_event_invoke_config) | resource | +| [aws_s3_object.s3_dummy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | +| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_vpc_security_group_egress_rule.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | +| [archive_file.dummy](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | +| 
[aws_subnet.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [name](#input\_name) | The name of the lambda | `string` | n/a | yes | -| [architecture](#input\_architecture) | Instruction set architecture of the Lambda function | `string` | `"x86_64"` | no | -| [cloudwatch\_logs](#input\_cloudwatch\_logs) | Whether or not to configure a CloudWatch log group | `bool` | `true` | no | -| [code\_signing\_config\_arn](#input\_code\_signing\_config\_arn) | ARN for a Code Signing Configuration | `string` | `null` | no | -| [create\_policy](#input\_create\_policy) | Overrule whether the Lambda role policy has to be created | `bool` | `null` | no | -| [create\_s3\_dummy\_object](#input\_create\_s3\_dummy\_object) | Whether or not to create a S3 dummy object | `bool` | `true` | no | -| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | The ARN of an SNS topic or SQS queue to notify when an invocation fails | `string` | `null` | no | -| [description](#input\_description) | A description of the lambda | `string` | `""` | no | -| [destination\_on\_failure](#input\_destination\_on\_failure) | ARN of the destination resource for failed asynchronous invocations | `string` | `null` | no | -| [destination\_on\_success](#input\_destination\_on\_success) | ARN of the destination resource for successful asynchronous invocations | `string` | `null` | no | -| [environment](#input\_environment) | A map of environment variables to assign to the lambda | `map(string)` | `null` | no | -| [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | The size of the Lambda function Ephemeral storage | `number` | `null` | no | -| [filename](#input\_filename) | The path to the function's deployment package within the local filesystem | `string` | `null` | no | -| [handler](#input\_handler) | The function 
entrypoint in your code | `string` | `"main.handler"` | no | -| [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the cloudwatch log group and environment variables | `string` | `null` | no | -| [layers](#input\_layers) | List of Lambda layer ARNs to be used by the Lambda function | `list(string)` | `[]` | no | -| [log\_retention](#input\_log\_retention) | Number of days to retain log events in the specified log group | `number` | `365` | no | -| [memory\_size](#input\_memory\_size) | The memory size of the lambda | `number` | `null` | no | -| [permissions\_boundary](#input\_permissions\_boundary) | The permissions boundary to set on the role | `string` | `null` | no | -| [policy](#input\_policy) | A valid lambda policy JSON document. This policy is used if you don't specify a role\_arn | `string` | `null` | no | -| [publish](#input\_publish) | Whether to publish creation/change as new lambda function version | `bool` | `false` | no | -| [reserved\_concurrency](#input\_reserved\_concurrency) | The amount of reserved concurrent executions for this lambda function | `number` | `null` | no | -| [retries](#input\_retries) | Maximum number of retries for the Lambda invocation | `number` | `null` | no | -| [role\_arn](#input\_role\_arn) | An optional lambda execution role | `string` | `null` | no | -| [role\_prefix](#input\_role\_prefix) | Default prefix for the role | `string` | `null` | no | -| [runtime](#input\_runtime) | The function runtime to use | `string` | `"python3.10"` | no | -| [s3\_bucket](#input\_s3\_bucket) | The S3 bucket location containing the function's deployment package | `string` | `null` | no | -| [s3\_key](#input\_s3\_key) | The S3 key of an object containing the function's deployment package | `string` | `null` | no | -| [s3\_object\_version](#input\_s3\_object\_version) | The object version containing the function's deployment package | `string` | `null` | no | -| 
[security\_group\_egress\_rules](#input\_security\_group\_egress\_rules) | Security Group egress rules |
list(object({| `[]` | no | -| [security\_group\_ids](#input\_security\_group\_ids) | The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created | `list(string)` | `[]` | no | -| [security\_group\_name\_prefix](#input\_security\_group\_name\_prefix) | An optional prefix to create a unique name of the security group. If not provided `var.name` will be used | `string` | `null` | no | -| [source\_code\_hash](#input\_source\_code\_hash) | Optional source code hash | `string` | `null` | no | -| [subnet\_ids](#input\_subnet\_ids) | The subnet ids where this lambda needs to run | `list(string)` | `null` | no | -| [tags](#input\_tags) | A mapping of tags to assign to the bucket | `map(string)` | `{}` | no | -| [timeout](#input\_timeout) | The timeout of the lambda | `number` | `5` | no | -| [tracing\_config\_mode](#input\_tracing\_config\_mode) | The lambda's AWS X-Ray tracing configuration | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | :------: | +| [name](#input\_name) | The name of the lambda | `string` | n/a | yes | +| [architecture](#input\_architecture) | Instruction set architecture of the Lambda function | `string` | `"x86_64"` | no | +| 
[cloudwatch\_logs](#input\_cloudwatch\_logs) | Whether or not to configure a CloudWatch log group | `bool` | `true` | no | +| [code\_signing\_config\_arn](#input\_code\_signing\_config\_arn) | ARN for a Code Signing Configuration | `string` | `null` | no | +| [create\_policy](#input\_create\_policy) | Overrule whether the Lambda role policy has to be created | `bool` | `null` | no | +| [create\_s3\_dummy\_object](#input\_create\_s3\_dummy\_object) | Whether or not to create a S3 dummy object | `bool` | `true` | no | +| [dead\_letter\_target\_arn](#input\_dead\_letter\_target\_arn) | The ARN of an SNS topic or SQS queue to notify when an invocation fails | `string` | `null` | no | +| [description](#input\_description) | A description of the lambda | `string` | `""` | no | +| [destination\_on\_failure](#input\_destination\_on\_failure) | ARN of the destination resource for failed asynchronous invocations | `string` | `null` | no | +| [destination\_on\_success](#input\_destination\_on\_success) | ARN of the destination resource for successful asynchronous invocations | `string` | `null` | no | +| [environment](#input\_environment) | A map of environment variables to assign to the lambda | `map(string)` | `null` | no | +| [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | The size of the Lambda function Ephemeral storage | `number` | `null` | no | +| [filename](#input\_filename) | The path to the function's deployment package within the local filesystem | `string` | `null` | no | +| [handler](#input\_handler) | The function entrypoint in your code | `string` | `"main.handler"` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the cloudwatch log group and environment variables | `string` | `null` | no | +| [layers](#input\_layers) | List of Lambda layer ARNs to be used by the Lambda function | `list(string)` | `[]` | no | +| [log\_retention](#input\_log\_retention) | Number of days to retain log events in the specified 
log group | `number` | `365` | no | +| [memory\_size](#input\_memory\_size) | The memory size of the lambda | `number` | `null` | no | +| [permissions\_boundary](#input\_permissions\_boundary) | The permissions boundary to set on the role | `string` | `null` | no | +| [policy](#input\_policy) | A valid lambda policy JSON document. This policy is used if you don't specify a role\_arn | `string` | `null` | no | +| [publish](#input\_publish) | Whether to publish creation/change as new lambda function version | `bool` | `false` | no | +| [reserved\_concurrency](#input\_reserved\_concurrency) | The amount of reserved concurrent executions for this lambda function | `number` | `null` | no | +| [retries](#input\_retries) | Maximum number of retries for the Lambda invocation | `number` | `null` | no | +| [role\_arn](#input\_role\_arn) | An optional lambda execution role | `string` | `null` | no | +| [role\_prefix](#input\_role\_prefix) | Default prefix for the role | `string` | `null` | no | +| [runtime](#input\_runtime) | The function runtime to use | `string` | `"python3.10"` | no | +| [s3\_bucket](#input\_s3\_bucket) | The S3 bucket location containing the function's deployment package | `string` | `null` | no | +| [s3\_key](#input\_s3\_key) | The S3 key of an object containing the function's deployment package | `string` | `null` | no | +| [s3\_object\_version](#input\_s3\_object\_version) | The object version containing the function's deployment package | `string` | `null` | no | +| [security\_group\_egress\_rules](#input\_security\_group\_egress\_rules) | Security Group egress rules |
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = string
from_port = optional(number, 0)
ip_protocol = optional(string, "-1")
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
to_port = optional(number, 0)
}))
list(object({| `[]` | no | +| [security\_group\_ids](#input\_security\_group\_ids) | The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created | `list(string)` | `[]` | no | +| [security\_group\_name\_prefix](#input\_security\_group\_name\_prefix) | An optional prefix to create a unique name of the security group. If not provided `var.name` will be used | `string` | `null` | no | +| [source\_code\_hash](#input\_source\_code\_hash) | Optional source code hash | `string` | `null` | no | +| [subnet\_ids](#input\_subnet\_ids) | The subnet ids where this lambda needs to run | `list(string)` | `null` | no | +| [tags](#input\_tags) | A mapping of tags to assign to the bucket | `map(string)` | `{}` | no | +| [timeout](#input\_timeout) | The timeout of the lambda | `number` | `5` | no | +| [tracing\_config\_mode](#input\_tracing\_config\_mode) | The lambda's AWS X-Ray tracing configuration | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | ARN of the Lambda | -| [invoke\_arn](#output\_invoke\_arn) | Invoke ARN of the Lambda | -| [name](#output\_name) | Function name of the Lambda | -| [qualified\_arn](#output\_qualified\_arn) | Qualified ARN of the Lambda | -| [role\_arn](#output\_role\_arn) | ARN of the lambda execution role | -| [role\_name](#output\_role\_name) | Name of the lambda execution role | +| Name | Description | +| ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | +| [arn](#output\_arn) | ARN of the Lambda | +| [invoke\_arn](#output\_invoke\_arn) | Invoke ARN of the Lambda | +| [name](#output\_name) | Function name of the Lambda | +| [qualified\_arn](#output\_qualified\_arn) | Qualified ARN of the Lambda | +| [role\_arn](#output\_role\_arn) | ARN of the lambda execution role | +| 
[role\_name](#output\_role\_name) | Name of the lambda execution role | | [security\_group\_id](#output\_security\_group\_id) | If the Lambda is deployed into a VPC this will output the genetered security group id (if no security groups are specified) | -| [version](#output\_version) | Latest published version of the Lambda function | +| [version](#output\_version) | Latest published version of the Lambda function | ## Licensing diff --git a/main.tf b/main.tf index 933df0d..6cb0bdc 100644 --- a/main.tf +++ b/main.tf @@ -13,7 +13,7 @@ locals { module "lambda_role" { count = length(compact([var.role_arn])) == 0 ? 1 : 0 - source = "github.com/schubergphilis/terraform-aws-mcaf-role?ref=v0.3.3" + source = "github.com/schubergphilis/terraform-aws-mcaf-role?ref=v0.4.0" name = join("-", compact([var.role_prefix, "LambdaRole", var.name])) create_policy = var.create_policy permissions_boundary = var.permissions_boundary @@ -133,6 +133,7 @@ resource "aws_lambda_function" "default" { code_signing_config_arn = var.code_signing_config_arn description = var.description filename = var.s3_bucket == null ? local.filename : null + image_uri = var.image_uri != null ? var.image_uri : null function_name = var.name handler = var.handler kms_key_arn = var.environment != null ? var.kms_key_arn : null diff --git a/variables.tf b/variables.tf index e31986e..aed3eb5 100644 --- a/variables.tf +++ b/variables.tf @@ -81,6 +81,17 @@ variable "handler" { description = "The function entrypoint in your code" } +variable "image_uri" { + type = string + default = null + description = "ECR image URI containing the function's deployment package. (must be internal ECR URI to the organiusation)" + + validation { + condition = var.image_uri == null || can(regex("^[0-9]{12}.dkr.ecr.[a-zA-Z0-9-]+.amazonaws.com/.+$", var.image_uri)) + error_message = "The image_uri must be a valid ECR URI, or it can be left null." + } +} + variable "kms_key_arn" { type = string default = null 
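Review bot: The added `image_uri = var.image_uri != null ? var.image_uri : null` is just `image_uri = var.image_uri`, and nothing in this hunk actually switches the function to a container package when an image is given: `filename` is still set to `local.filename` whenever `s3_bucket` is null, so with `image_uri` set both `filename` and `image_uri` are sent together, and `handler` is still sent although the Lambda API does not accept a handler (or runtime) for container-image functions. I would change the three lines to `package_type = var.image_uri != null ? "Image" : "Zip"`, `filename = var.s3_bucket == null && var.image_uri == null ? local.filename : null` and `handler = var.image_uri == null ? var.handler : null`, and apply the same guard to `runtime`, which presumably sits outside the hunk, so the "exactly one of filename, image_uri, or s3_bucket" rule the README now states is enforced rather than only documented. The resource body continues outside the hunk on both sides and `local.filename` is defined elsewhere, so the interaction with the dummy archive cannot be fully checked from here.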
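Review bot: The `.` characters in the new `image_uri` validation regex are unescaped, so each matches any character and the check is looser than the ECR-URI shape it is meant to enforce; in the HCL string they need a doubled backslash: `condition = var.image_uri == null || can(regex("^[0-9]{12}\\.dkr\\.ecr\\.[a-zA-Z0-9-]+\\.amazonaws\\.com/.+$", var.image_uri))`. The description states the URI "must be internal ECR URI to the organiusation", but the regex accepts any twelve-digit account id, so either reword the description to what is actually checked (a well-formed ECR image URI) or compare the account segment against an explicit allow-list variable; the typo `organiusation` should be fixed in the same line. If the module wants immutable deployments, the same validation could additionally require a digest reference (`@sha256:`) rather than a mutable tag, which is worth stating in the description either way.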
@@ -176,12 +187,6 @@ variable "s3_object_version" { description = "The object version containing the function's deployment package" } -variable "security_group_ids" { - type = list(string) - default = [] - description = "The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created" -} - variable "security_group_egress_rules" { type = list(object({ cidr_ipv4 = optional(string) @@ -202,6 +207,12 @@ variable "security_group_egress_rules" { } } +variable "security_group_ids" { + type = list(string) + default = [] + description = "The security group(s) for running the Lambda within the VPC. If not specified a minimal default SG will be created" +} + variable "security_group_name_prefix" { type = string default = null
cidr_ipv4 = optional(string)
cidr_ipv6 = optional(string)
description = string
from_port = optional(number, 0)
ip_protocol = optional(string, "-1")
prefix_list_id = optional(string)
referenced_security_group_id = optional(string)
to_port = optional(number, 0)
}))