Deploy AWS Lambda by Terraform

Gerd Koenig
3 min read · Oct 7, 2019

This is the 2nd, and last, part of a small series about
=> writing a Lambda function which does kind of “chaos monkey”-termination of EC2 instances behind a classic ELB ( Part I )
=> deploying the lambda function and creating all necessary AWS resources via Terraform

This post focuses on the deployment of the lambda function and the creation of the AWS resources needed to get it into place.

Now that we have the lambda function implemented (see Part I), it is time to figure out what is needed to publish it to AWS, i.e. which additional resources are required.

The terraform documentation is your best friend, it is very well written and with lots of examples.

Since we are deploying to AWS, we obviously need Terraform's AWS provider.

Permissions
To be able to access ELB, ASG, EC2 and CloudWatch I defined the proper policies for the lambda function (the policy document is part of the GitHub repository linked at the end of this post).
To limit the blast radius, the permission to terminate EC2 instances is restricted to instances in the current account, so the function cannot terminate anything outside it.

With that policy in place, the next step is to create a role and attach the policy to that role; the lambda function then assumes this role at execution time.
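The following is an added example of the provider pin, policy and role described above; it is not the post's own gist. It assumes a variable called lambda_name (used to derive the role, policy and log-group names), a variable aws_region, and that the Part I function only needs to read ELB/ASG/EC2 state and terminate instances. The account ID for the termination filter is taken from the caller identity at plan time:

```hcl
# Added example, not the post's own code. var.lambda_name and var.aws_region
# are assumed names; adjust them to the variables in your variables.tf.
terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0" # pin the provider so an upgrade cannot silently change behaviour
    }
  }
}

provider "aws" {
  region = var.aws_region
}

variable "aws_region" {
  description = "Region the lambda and its targets live in (assumed variable)"
  default     = "eu-central-1"
}

variable "lambda_name" {
  description = "Name of the chaos lambda (assumed variable)"
  default     = "elb-chaos-monkey"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Trust policy: only the Lambda service may assume the role.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "chaos" {
  # Describe* calls do not support resource-level permissions, so "*" is unavoidable here.
  statement {
    sid = "ReadOnlyDiscovery"
    actions = [
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:DescribeInstanceHealth",
      "autoscaling:DescribeAutoScalingGroups",
      "ec2:DescribeInstances",
    ]
    resources = ["*"]
  }

  # The only destructive action, scoped to instances in this account and region.
  statement {
    sid       = "TerminateOwnInstancesOnly"
    actions   = ["ec2:TerminateInstances"]
    resources = ["arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*"]
  }

  # Logging, limited to the function's own log group.
  statement {
    sid       = "CloudWatchLogs"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.lambda_name}:*"]
  }
}

resource "aws_iam_policy" "chaos" {
  name   = "${var.lambda_name}-policy"
  policy = data.aws_iam_policy_document.chaos.json
}

resource "aws_iam_role" "lambda" {
  name               = "${var.lambda_name}-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

resource "aws_iam_role_policy_attachment" "chaos" {
  role       = aws_iam_role.lambda.name
  policy_arn = aws_iam_policy.chaos.arn
}
```

If the instances behind the load balancer carry a distinguishing tag, the TerminateInstances statement can be tightened further with a condition on ec2:ResourceTag/<tag-name>, so that even a bug in the function cannot reach instances that were never meant to be chaos targets.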

The creation of the lambda function resource itself is quite straightforward. For deployment you need a .zip archive of the lambda implementation, then add the previously created role and the environment parameters for the lambda function. Most importantly, this is where we pass the name of the load balancer whose target instances shall be considered for termination.

For the archive we use Terraform's archive_file data source with type "zip", then reference its output as the filename parameter of the lambda function resource.
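An added example of the archive and function resources (not the post's gist). It assumes the Part I implementation is a single Python file at src/chaos_monkey.py exposing a lambda_handler function, that it reads the load balancer name from an environment variable LB_NAME, and that the role and attachment are named aws_iam_role.lambda and aws_iam_role_policy_attachment.chaos as in a separate permissions snippet; all of these names are assumptions:

```hcl
# Added example, not the post's own code. Paths, handler name, runtime and the
# LB_NAME environment variable are assumptions about the Part I implementation.
variable "lb_name" {
  description = "Name of the classic ELB whose instances may be terminated"
}

data "archive_file" "lambda_zip" {
  type        = "zip"
  source_file = "${path.module}/src/chaos_monkey.py"
  output_path = "${path.module}/build/chaos_monkey.zip"
}

resource "aws_lambda_function" "chaos" {
  function_name = var.lambda_name
  role          = aws_iam_role.lambda.arn
  handler       = "chaos_monkey.lambda_handler"
  runtime       = "python3.9"
  timeout       = 30

  filename = data.archive_file.lambda_zip.output_path
  # Without the hash Terraform only notices a new zip when the path changes;
  # with it, every code change produces a new deployment.
  source_code_hash = data.archive_file.lambda_zip.output_base64sha256

  environment {
    variables = {
      LB_NAME = var.lb_name
    }
  }

  # Ensure the policy is attached before the function can be invoked, otherwise
  # the first scheduled run may fail with AccessDenied although the role exists.
  depends_on = [aws_iam_role_policy_attachment.chaos]
}
```

The source_code_hash line is the check worth keeping: it ties the deployed artifact to the zipped source, so a terraform plan shows a change whenever the function code changes and not only when the archive path does.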

Scheduling
Now let’s have a look at the final “challenge”….how to schedule the lambda function ?

I wanted to have a cron-like schedule to be as flexible as possible, and CloudWatch Events (now EventBridge) offers exactly that for invoking Lambda. In Terraform we need 3 resources for that

  • an aws_cloudwatch_event_rule : fires according to the schedule expression we specify
  • an aws_cloudwatch_event_target : connects the event rule to our lambda function arn
  • an aws_lambda_permission : allows the event rule to invoke our lambda function

The final scheduling definition is provided in file variables.tf, in the variable named lambda_schedule. I wanted it to be triggered at the top of every hour from 8 to 17h (UTC) on weekdays (Mon-Fri), which results in the following setting (AWS cron expressions have six fields, and the day-of-month field must be "?" when a day-of-week is given)

variable "lambda_schedule" {
  description = "cron(Minutes Hours Day-of-month Month Day-of-week Year), default: hourly on week days 8-17h UTC"
  default     = "cron(0 8-17 ? * MON-FRI *)"
}
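An added example of the three scheduling resources (not the post's gist). It assumes the function resource is named aws_lambda_function.chaos and that var.lambda_name and var.lambda_schedule exist as in the variable above:

```hcl
# Added example, not the post's own code. Resource names are assumptions.
resource "aws_cloudwatch_event_rule" "schedule" {
  name                = "${var.lambda_name}-schedule"
  description         = "Invokes the chaos lambda on the configured cron schedule"
  schedule_expression = var.lambda_schedule
}

resource "aws_cloudwatch_event_target" "lambda" {
  rule      = aws_cloudwatch_event_rule.schedule.name
  target_id = "lambda"
  arn       = aws_lambda_function.chaos.arn
}

resource "aws_lambda_permission" "allow_events" {
  statement_id  = "AllowExecutionFromCloudWatchEvents"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.chaos.function_name
  principal     = "events.amazonaws.com"
  # Restrict the grant to this one rule. Without source_arn, any rule in the
  # account that uses the events.amazonaws.com principal could invoke a function
  # that terminates instances.
  source_arn = aws_cloudwatch_event_rule.schedule.arn
}
```

The source_arn on the permission is the part to double-check after apply: the function's resource policy (aws lambda get-policy --function-name <name>) should list exactly one statement, conditioned on the rule's ARN.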

Deplooooy
After having specified all our resources, we are good to go and deploy :D

terraform init      # just once initially, to fetch the aws provider
terraform validate  # do a syntax check
terraform plan      # check what's going to be created/modified/destroyed
terraform apply

There are 2 options to provide the required parameter for the load balancer name, "lb_name". Either you put it into variables.tf and run terraform as shown before, or you specify it on the command line at terraform execution time.

For the latter, just execute

terraform plan -var lb_name=<your-loadbalancer-name>
terraform apply -var lb_name=<your-loadbalancer-name>

Voila:

You can find the whole setup and deployment on GitHub.

Have fun playing with AWS Lambda and Terraform, hope you enjoyed reading !!

Gerd Koenig

K8s, Cloud, Kafka, BigData enthusiast … all things CloudNative !!!