functions
Creates, updates, deletes or gets a function resource or lists functions in a region
Overview
Name | functions |
Type | Resource |
Description | The AWS::Lambda::Function resource creates a Lambda function. To create a function, you need a [deployment package](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html) and an [execution role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html). The deployment package is a .zip file archive or container image that contains your function code. The execution role grants the function permission to use AWS services, such as Amazon CloudWatch Logs for log streaming and AWS X-Ray for request tracing. You set the package type to Image if the deployment package is a [container image](https://docs.aws.amazon.com/lambda/latest/dg/lambda-images.html). For a container image, the code property must include the URI of a container image in the Amazon ECR registry. You do not need to specify the handler and runtime properties. You set the package type to Zip if the deployment package is a [.zip file archive](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html#gettingstarted-package-zip). For a .zip file archive, the code property specifies the location of the .zip file. You must also specify the handler and runtime properties. For a Python example, see [Deploy Python Lambda functions with .zip file archives](https://docs.aws.amazon.com/lambda/latest/dg/python-package.html). You can use [code signing](https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html) if your deployment package is a .zip file archive. To enable code signing for this function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with UpdateFunctionCode, Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function. Note that you configure [provisioned concurrency](https://docs.aws.amazon.com/lambda/latest/dg/provisioned-concurrency.html) on an AWS::Lambda::Version or an AWS::Lambda::Alias. For a complete introduction to Lambda functions, see [What is Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/lambda-welcome.html) in the *Lambda developer guide.* |
Id | aws.lambda.functions |
Fields
Name | Datatype | Description |
---|---|---|
description | string | A description of the function. |
tracing_config | object | Set Mode to Active to sample and trace a subset of incoming requests with [X-Ray](https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html). |
vpc_config | object | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC. When you connect a function to a VPC, it can access resources and the internet only through that VPC. For more information, see [Configuring a Lambda function to access resources in a VPC](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html). |
runtime_management_config | object | Sets the runtime management configuration for a function's version. For more information, see [Runtime updates](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html). |
reserved_concurrent_executions | integer | The number of simultaneous executions to reserve for the function. |
snap_start | object | The function's [SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) setting. |
file_system_configs | array | Connection settings for an Amazon EFS file system. To connect a function to a file system, a mount target must be available in every Availability Zone that your function connects to. If your template contains an [AWS::EFS::MountTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-mounttarget.html) resource, you must also specify a DependsOn attribute to ensure that the mount target is created or updated before the function. For more information about using the DependsOn attribute, see [DependsOn Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html). |
function_name | string | The name of the Lambda function, up to 64 characters in length. If you don't specify a name, CFN generates one. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. |
runtime | string | The identifier of the function's [runtime](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html). Runtime is required if the deployment package is a .zip file archive. The following list includes deprecated runtimes. For more information, see [Runtime deprecation policy](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtime-support-policy). |
kms_key_arn | string | The ARN of the AWS Key Management Service (KMS) customer managed key that's used to encrypt your function's [environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption). When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart-security.html) is activated, Lambda also uses this key to encrypt your function's snapshot. If you deploy your function using a container image, Lambda also uses this key to encrypt your function when it's deployed. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). If you don't provide a customer managed key, Lambda uses a default service key. |
package_type | string | The type of deployment package. Set to Image for a container image and to Zip for a .zip file archive. |
code_signing_config_arn | string | To enable code signing for this function, specify the ARN of a code-signing configuration. A code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function. |
layers | array | A list of [function layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) to add to the function's execution environment. Specify each layer by its ARN, including the version. |
tags | array | A list of [tags](https://docs.aws.amazon.com/lambda/latest/dg/tagging.html) to apply to the function. |
image_config | object | Configuration values that override the container image Dockerfile settings. For more information, see [Container image settings](https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#images-parms). |
memory_size | integer | The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase. |
dead_letter_config | object | A dead-letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. For more information, see [Dead-letter queues](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-dlq). |
timeout | integer | The amount of time (in seconds) that Lambda allows a function to run before stopping it. The default is 3 seconds. The maximum allowed value is 900 seconds. For more information, see [Lambda execution environment](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-context.html). |
handler | string | The name of the method within your code that Lambda calls to run your function. Handler is required if the deployment package is a .zip file archive. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see [Lambda programming model](https://docs.aws.amazon.com/lambda/latest/dg/foundation-progmodel.html). |
snap_start_response | object | The function's [SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) setting. |
code | object | The code for the function. |
role | string | The Amazon Resource Name (ARN) of the function's execution role. |
logging_config | object | The function's Amazon CloudWatch Logs configuration settings. |
environment | object | Environment variables that are accessible from function code during execution. |
arn | string | |
ephemeral_storage | object | The size of the function's /tmp directory in MB. The default value is 512, but it can be any whole number between 512 and 10,240 MB. |
architectures | array | The instruction set architecture that the function supports. Enter a string array with one of the valid values (arm64 or x86_64). The default value is x86_64. |
region | string | AWS region. |
Methods
Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | Code, Role, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all functions in a region.
```sql
SELECT
region,
description,
tracing_config,
vpc_config,
runtime_management_config,
reserved_concurrent_executions,
snap_start,
file_system_configs,
function_name,
runtime,
kms_key_arn,
package_type,
code_signing_config_arn,
layers,
tags,
image_config,
memory_size,
dead_letter_config,
timeout,
handler,
snap_start_response,
code,
role,
logging_config,
environment,
arn,
ephemeral_storage,
architectures
FROM aws.lambda.functions
WHERE region = 'us-east-1';
```
Gets all properties from an individual function.
```sql
SELECT
region,
description,
tracing_config,
vpc_config,
runtime_management_config,
reserved_concurrent_executions,
snap_start,
file_system_configs,
function_name,
runtime,
kms_key_arn,
package_type,
code_signing_config_arn,
layers,
tags,
image_config,
memory_size,
dead_letter_config,
timeout,
handler,
snap_start_response,
code,
role,
logging_config,
environment,
arn,
ephemeral_storage,
architectures
FROM aws.lambda.functions
WHERE region = 'us-east-1' AND data__Identifier = '<FunctionName>';
```
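A triage pass over rows returned by the SELECT queries above, added here as an example (it is not part of the StackQL provider documentation). It flags .zip functions with no code-signing configuration and functions whose environment variables rely on the default service key. It assumes the rows were exported as JSON and that object columns arrive either as dicts or as JSON-encoded strings; the finding codes, the `SECRET_NAME` heuristic and the sample rows are constructed for illustration.

```python
import json
import re

# Heuristic name pattern for variables that probably hold credentials (assumption).
SECRET_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY)", re.I)

def as_object(value):
    """Object columns may arrive as dicts or JSON-encoded strings (assumption)."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            return {}
    return value if isinstance(value, dict) else {}

def audit_function(row):
    """Return sorted finding codes for one row of the SELECT output."""
    findings = set()
    # Code signing applies to .zip packages; a row without package_type
    # is treated as Zip here (assumption).
    if row.get("package_type") != "Image" and not row.get("code_signing_config_arn"):
        findings.add("no-code-signing")
    variables = as_object(as_object(row.get("environment")).get("Variables"))
    if variables and not row.get("kms_key_arn"):
        # Without kms_key_arn, Lambda uses a default service key.
        findings.add("env-vars-default-key")
    if any(SECRET_NAME.search(name) for name in variables):
        findings.add("secret-like-env-name")
    return sorted(findings)

def audit(rows):
    """Map function_name -> findings, omitting functions with none."""
    scored = ((r.get("function_name", "<unnamed>"), audit_function(r)) for r in rows)
    return {name: found for name, found in scored if found}

# Constructed sample rows, shaped like the query output above (ARNs are placeholders).
SAMPLE_ROWS = [
    {"function_name": "orders-api", "package_type": "Zip",
     "code_signing_config_arn": None, "kms_key_arn": None,
     "environment": '{"Variables": {"DB_PASSWORD": "x", "STAGE": "prod"}}'},
    {"function_name": "thumbnailer", "package_type": "Image",
     "code_signing_config_arn": None,
     "kms_key_arn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
     "environment": {"Variables": {"BUCKET": "thumbs"}}},
    {"function_name": "signed-job", "package_type": "Zip", "kms_key_arn": None,
     "code_signing_config_arn": "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-EXAMPLE",
     "environment": None},
]

print(json.dumps(audit(SAMPLE_ROWS), indent=2))
```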
INSERT example
Use the following StackQL query and manifest file to create a new function resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
```sql
/*+ create */
INSERT INTO aws.lambda.functions (
Code,
Role,
region
)
SELECT
'{{ Code }}',
'{{ Role }}',
'{{ region }}';
```
```sql
/*+ create */
INSERT INTO aws.lambda.functions (
Description,
TracingConfig,
VpcConfig,
RuntimeManagementConfig,
ReservedConcurrentExecutions,
SnapStart,
FileSystemConfigs,
FunctionName,
Runtime,
KmsKeyArn,
PackageType,
CodeSigningConfigArn,
Layers,
Tags,
ImageConfig,
MemorySize,
DeadLetterConfig,
Timeout,
Handler,
Code,
Role,
LoggingConfig,
Environment,
EphemeralStorage,
Architectures,
region
)
SELECT
'{{ Description }}',
'{{ TracingConfig }}',
'{{ VpcConfig }}',
'{{ RuntimeManagementConfig }}',
'{{ ReservedConcurrentExecutions }}',
'{{ SnapStart }}',
'{{ FileSystemConfigs }}',
'{{ FunctionName }}',
'{{ Runtime }}',
'{{ KmsKeyArn }}',
'{{ PackageType }}',
'{{ CodeSigningConfigArn }}',
'{{ Layers }}',
'{{ Tags }}',
'{{ ImageConfig }}',
'{{ MemorySize }}',
'{{ DeadLetterConfig }}',
'{{ Timeout }}',
'{{ Handler }}',
'{{ Code }}',
'{{ Role }}',
'{{ LoggingConfig }}',
'{{ Environment }}',
'{{ EphemeralStorage }}',
'{{ Architectures }}',
'{{ region }}';
```
```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: function
    props:
      - name: Description
        value: '{{ Description }}'
      - name: TracingConfig
        value:
          Mode: '{{ Mode }}'
      - name: VpcConfig
        value:
          Ipv6AllowedForDualStack: '{{ Ipv6AllowedForDualStack }}'
          SecurityGroupIds:
            - '{{ SecurityGroupIds[0] }}'
          SubnetIds:
            - '{{ SubnetIds[0] }}'
      - name: RuntimeManagementConfig
        value:
          UpdateRuntimeOn: '{{ UpdateRuntimeOn }}'
          RuntimeVersionArn: '{{ RuntimeVersionArn }}'
      - name: ReservedConcurrentExecutions
        value: '{{ ReservedConcurrentExecutions }}'
      - name: SnapStart
        value:
          ApplyOn: '{{ ApplyOn }}'
      - name: FileSystemConfigs
        value:
          - Arn: '{{ Arn }}'
            LocalMountPath: '{{ LocalMountPath }}'
      - name: FunctionName
        value: '{{ FunctionName }}'
      - name: Runtime
        value: '{{ Runtime }}'
      - name: KmsKeyArn
        value: '{{ KmsKeyArn }}'
      - name: PackageType
        value: '{{ PackageType }}'
      - name: CodeSigningConfigArn
        value: '{{ CodeSigningConfigArn }}'
      - name: Layers
        value:
          - '{{ Layers[0] }}'
      - name: Tags
        value:
          - Value: '{{ Value }}'
            Key: '{{ Key }}'
      - name: ImageConfig
        value:
          WorkingDirectory: '{{ WorkingDirectory }}'
          Command:
            - '{{ Command[0] }}'
          EntryPoint:
            - '{{ EntryPoint[0] }}'
      - name: MemorySize
        value: '{{ MemorySize }}'
      - name: DeadLetterConfig
        value:
          TargetArn: '{{ TargetArn }}'
      - name: Timeout
        value: '{{ Timeout }}'
      - name: Handler
        value: '{{ Handler }}'
      - name: Code
        value:
          S3ObjectVersion: '{{ S3ObjectVersion }}'
          S3Bucket: '{{ S3Bucket }}'
          ZipFile: '{{ ZipFile }}'
          S3Key: '{{ S3Key }}'
          ImageUri: '{{ ImageUri }}'
      - name: Role
        value: '{{ Role }}'
      - name: LoggingConfig
        value:
          LogFormat: '{{ LogFormat }}'
          ApplicationLogLevel: '{{ ApplicationLogLevel }}'
          LogGroup: '{{ LogGroup }}'
          SystemLogLevel: '{{ SystemLogLevel }}'
      - name: Environment
        value:
          Variables: {}
      - name: EphemeralStorage
        value:
          Size: '{{ Size }}'
      - name: Architectures
        value:
          - '{{ Architectures[0] }}'
```
DELETE example
```sql
/*+ delete */
DELETE FROM aws.lambda.functions
WHERE data__Identifier = '<FunctionName>'
AND region = 'us-east-1';
```
Permissions
To operate on the functions resource, the following permissions are required:
Read
lambda:GetFunction,
lambda:GetFunctionCodeSigningConfig
Create
lambda:CreateFunction,
lambda:GetFunction,
lambda:PutFunctionConcurrency,
iam:PassRole,
s3:GetObject,
s3:GetObjectVersion,
ec2:DescribeSecurityGroups,
ec2:DescribeSubnets,
ec2:DescribeVpcs,
elasticfilesystem:DescribeMountTargets,
kms:CreateGrant,
kms:Decrypt,
kms:Encrypt,
kms:GenerateDataKey,
lambda:GetCodeSigningConfig,
lambda:GetFunctionCodeSigningConfig,
lambda:GetLayerVersion,
lambda:GetRuntimeManagementConfig,
lambda:PutRuntimeManagementConfig,
lambda:TagResource,
lambda:GetPolicy,
lambda:AddPermission,
lambda:RemovePermission,
lambda:GetResourcePolicy,
lambda:PutResourcePolicy
Update
lambda:DeleteFunctionConcurrency,
lambda:GetFunction,
lambda:PutFunctionConcurrency,
lambda:ListTags,
lambda:TagResource,
lambda:UntagResource,
lambda:UpdateFunctionConfiguration,
lambda:UpdateFunctionCode,
iam:PassRole,
s3:GetObject,
s3:GetObjectVersion,
ec2:DescribeSecurityGroups,
ec2:DescribeSubnets,
ec2:DescribeVpcs,
elasticfilesystem:DescribeMountTargets,
kms:CreateGrant,
kms:Decrypt,
kms:GenerateDataKey,
lambda:GetRuntimeManagementConfig,
lambda:PutRuntimeManagementConfig,
lambda:PutFunctionCodeSigningConfig,
lambda:DeleteFunctionCodeSigningConfig,
lambda:GetCodeSigningConfig,
lambda:GetFunctionCodeSigningConfig,
lambda:GetPolicy,
lambda:AddPermission,
lambda:RemovePermission,
lambda:GetResourcePolicy,
lambda:PutResourcePolicy,
lambda:DeleteResourcePolicy
List
lambda:ListFunctions
Delete
lambda:DeleteFunction,
lambda:GetFunction,
ec2:DescribeNetworkInterfaces