humanitec-tf-modules · TobiasBabin · Nov 17, 2025 · Nov 17, 2025 · Nov 17, 2025
diff --git a/README.md b/README.md
diff --git a/iam.tf b/iam.tf
@@ -0,0 +1,57 @@
+resource "aws_iam_role" "role" {
+  count       = local.create_lambda_role ? 1 : 0
+  name_prefix = var.iam_role_name_prefix
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+  tags = var.additional_tags
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_basic" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = local.create_lambda_role ? aws_iam_role.role[0].name : split("/", var.iam_role_arn)[1]
+}
+
+resource "aws_iam_role_policy" "s3_zip_bucket_access" {
+  count = local.create_lambda_role ? 1 : 0
+  role  = aws_iam_role.role[0].id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:GetObjectVersion"
+        ]
+        Resource = "arn:aws:s3:::${var.s3_bucket}/${var.s3_key}"
+      }
+    ]
+  })
+}
+
+# Attach additional managed policies to the Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_additional_managed_policies" {
+  for_each = local.create_lambda_role ? toset(var.additional_managed_policy_arns) : []
+
+  role       = aws_iam_role.role[0].name
+  policy_arn = each.value
+}
+
+# Attach additional inline policies to the Lambda role
+resource "aws_iam_role_policy" "lambda_additional_inline_policies" {
+  for_each = local.create_lambda_role ? var.additional_inline_policies : {}
+
+  role   = aws_iam_role.role[0].id
+  name   = each.key
+  policy = each.value
+}
diff --git a/lambda.tf b/lambda.tf
@@ -0,0 +1,50 @@
+resource "random_id" "entropy" {
+  byte_length = 4
+  prefix      = var.name_prefix
+}
+
+resource "aws_lambda_function" "function" {
+  function_name = random_id.entropy.hex
+  role          = local.create_lambda_role ? aws_iam_role.role[0].arn : var.iam_role_arn
+
+  package_type = "Zip"
+  s3_bucket    = var.s3_bucket
+  s3_key       = var.s3_key
+
+  handler = var.handler
+  runtime = var.runtime
+
+  dynamic "environment" {
+    for_each = length(var.environment_variables) > 0 ? [1] : []
+    content {
+      variables = var.environment_variables
+    }
+  }
+
+  architectures = var.architectures
+
+  timeout     = var.timeout_in_seconds
+  memory_size = var.memory_size
+
+  tags = var.additional_tags
+}
+
+# Lambda Function URL - Creates an HTTPS endpoint for the Lambda
+resource "aws_lambda_function_url" "function_url" {
+  count = var.enable_function_url ? 1 : 0
+
+  function_name      = aws_lambda_function.function.function_name
+  authorization_type = var.function_url_auth_type
+
+  dynamic "cors" {
+    for_each = var.function_url_cors != null ? [var.function_url_cors] : []
+    content {
+      allow_credentials = cors.value.allow_credentials
+      allow_origins     = cors.value.allow_origins
+      allow_methods     = cors.value.allow_methods
+      allow_headers     = cors.value.allow_headers
+      expose_headers    = cors.value.expose_headers
+      max_age           = cors.value.max_age
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -1 +1,7 @@
-# Main TF code goes here
+data "aws_region" "current" {}
+
+locals {
+  create_lambda_role = var.iam_role_arn == null ? true : false
+  aws_region         = data.aws_region.current.region
+}
+
diff --git a/outputs.tf b/outputs.tf
@@ -1 +1,34 @@
-# TF outputs go here
+output "function_name" {
+  description = "The name of the Lambda function"
+  value       = aws_lambda_function.function.function_name
+}
+
+output "function_arn" {
+  description = "The ARN of the Lambda function"
+  value       = aws_lambda_function.function.arn
+}
+
+output "function_url" {
+  description = "The HTTPS URL endpoint for the Lambda function (if enable_function_url is true)"
+  value       = var.enable_function_url ? aws_lambda_function_url.function_url[0].function_url : null
+}
+
+output "invoke_arn" {
+  description = "The ARN to be used for invoking the Lambda function from API Gateway"
+  value       = aws_lambda_function.function.invoke_arn
+}
+
+output "role_arn" {
+  description = "The ARN of the IAM role used by the Lambda function"
+  value       = var.iam_role_arn != null ? var.iam_role_arn : aws_iam_role.role[0].arn
+}
+
+
+output "humanitec_metadata" {
+  description = "The Humanitec metadata annotations for the Lambda function"
+  value = {
+    Function-Arn    = aws_lambda_function.function.arn
+    Function-Url    = var.enable_function_url ? aws_lambda_function_url.function_url[0].function_url : null
+    Aws-Console-Url = "https://${local.aws_region}.console.aws.amazon.com/lambda/home?region=${local.aws_region}#/functions/${aws_lambda_function.function.function_name}"
+  }
+}