Best Practice and workflow with Terraform and AWS Lambda functions


Happy new year to everyone :slight_smile: I have a question regarding the workflow people follow when managing AWS Lambda functions via Terraform.

Our base infrastructure workflow is managed by Terraform. We have exactly 2 repos for Terraform. One contains reusable modules and the other contains root modules for different stages. Using these we create the base infra layer, i.e. networking, EC2, EKS, ALB etc. The applications themselves are managed by Helm from other application repos. So, for example, I manage EKS versions and configuration in the Terraform repo, but the configuration of the applications is managed by Helm via the application repo. There is a clear separation of concerns.

But when managing AWS Lambda functions, I am confused about how to properly separate these concerns. We create the Lambda function and its supporting resources (IAM roles, event source mappings and layers) with Terraform. And since the underlying API also mandates a ZIP file as part of Lambda function creation, we create a dummy zip file and pass it to the “aws_lambda_function” resource. The idea is to manage the individual function code updates via a different application repo which contains the code for the function. Terraform shows no diffs if I update the function code outside of Terraform (we don’t specify hashes).

But now, following best practice, I want to publish versions and aliases. I want to keep the function aliases the same as the git release tags so that there is a 1:1 mapping between them. But if I create a new alias corresponding to each new release, then I also have to update the ARN of the event source mapping (which is managed by Terraform). And if I keep one alias and change the underlying versions, then I lose the 1:1 mapping between git release tags and function aliases.

So in this scenario I am not sure how to separate the concerns of the infrastructure layer and the application layer. I would like to understand how the larger community is solving this problem when adopting AWS Lambda. What workflow do you follow to manage both of these layers efficiently? How do you manage updates to function code? Do you have Terraform code as part of your application repo? Or do you have a complicated CI pipeline which calls terraform apply from within the application repo?

Any pointer in the right direction is appreciated.

Note: We don’t use API Gateway or SAM because our use case is to run functions on SQS, S3 and SNS updates. We don’t serve our websites via Lambda functions and API Gateway.

Thank You

Best Regards,
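One way to resolve the alias-versus-event-source-mapping tension described in the post, as an added example that is not part of the original post or anyone's reply: Terraform owns a single stable alias (here called "live") and points the event source mapping at that alias's ARN, while `lifecycle { ignore_changes }` stops Terraform from fighting the CI pipeline over the code package and the version the alias resolves to. Per-release aliases that mirror git tags can then be created by the application pipeline outside Terraform, since nothing in Terraform references them. All names (function, queue, role, alias) are hypothetical; the placeholder zip is generated with the `archive` provider so the plan does not depend on a file checked into the repo.

```hcl
# Added example (not from the original post). Requires the "aws" and "archive"
# providers; all resource names below are hypothetical.

# A throwaway package so the aws_lambda_function resource can be created;
# the real code is deployed by the application pipeline, not by Terraform.
data "archive_file" "placeholder" {
  type        = "zip"
  output_path = "${path.module}/placeholder.zip"
  source {
    content  = "def main(event, context):\n    return {}\n"
    filename = "handler.py"
  }
}

data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Least privilege: only what the SQS poller and CloudWatch Logs need.
resource "aws_iam_role" "worker" {
  name               = "sqs-worker-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

resource "aws_iam_role_policy_attachment" "worker_sqs" {
  role       = aws_iam_role.worker.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole"
}

resource "aws_sqs_queue" "jobs" {
  name = "jobs"
}

resource "aws_lambda_function" "worker" {
  function_name    = "sqs-worker"
  role             = aws_iam_role.worker.arn
  handler          = "handler.main"
  runtime          = "python3.11"
  filename         = data.archive_file.placeholder.output_path
  source_code_hash = data.archive_file.placeholder.output_base64sha256

  # Code uploads and version publishing happen in the application pipeline;
  # tell Terraform not to diff on them (this is the "no hash" behaviour from
  # the post, made explicit).
  lifecycle {
    ignore_changes = [filename, source_code_hash, publish, layers]
  }
}

# The one alias Terraform knows about. Its ARN never changes, so the event
# source mapping below is stable even though the version behind it moves.
resource "aws_lambda_alias" "live" {
  name             = "live"
  function_name    = aws_lambda_function.worker.function_name
  function_version = "$LATEST" # only the initial value; CI repoints it

  lifecycle {
    ignore_changes = [function_version]
  }
}

# Trigger on the alias ARN rather than the bare function ARN, so a release
# is just "publish a version, repoint 'live'" with no Terraform change.
resource "aws_lambda_event_source_mapping" "jobs" {
  event_source_arn = aws_sqs_queue.jobs.arn
  function_name    = aws_lambda_alias.live.arn
  batch_size       = 10
}
```

With this in place the application pipeline's release steps are `aws lambda update-function-code`, `aws lambda publish-version`, and `aws lambda update-alias --name live --function-version <N>`; if a per-tag alias is also wanted for traceability, `aws lambda create-alias` can point a second alias at the same version. One caveat: Lambda alias names only allow letters, digits, hyphens and underscores, so a tag such as `v1.2.0` has to be mapped to something like `v1-2-0`, which slightly weakens the "identical name" 1:1 mapping the post asks for. The role above attaches only the managed SQS execution policy; a function that also reads S3 or SNS needs the corresponding permissions added explicitly rather than a broad policy.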

I would do as you mentioned and use Terraform in the application repo for the lambda. As you are wanting to split things between “infrastructure” and “application” I would suggest that any code for the lambda is more application than infrastructure.