AWS::Lambda::Function
The AWS::Lambda::Function resource creates a Lambda function. To create a function, you need a
deployment package and an
execution role.
The deployment package is a .zip file archive or container image that contains your function code.
The execution role grants the function permission to use AWS services, such as Amazon CloudWatch Logs
for log streaming and AWS X-Ray for request tracing.
You set the package type to Image if the deployment package is a
container image. For a container image,
the code property must include the URI of a container image in the Amazon ECR registry.
You do not need to specify the handler and runtime properties.
You set the package type to Zip if the deployment package is a
.zip file archive.
For a .zip file archive, the code property specifies the location of the .zip file. You must also specify the handler and
runtime properties. For a Python example, see
Deploy Python Lambda functions with .zip file archives.
You can use code signing
if your deployment package is a .zip file archive. To enable code signing for this function,
specify the ARN of a code-signing configuration. When a user
attempts to deploy a code package with UpdateFunctionCode, Lambda checks that the code
package has a valid signature from a trusted publisher. The code-signing configuration
includes a set of signing profiles, which define the trusted publishers for this function.
Note that you configure provisioned concurrency
on a AWS::Lambda::Version or a AWS::Lambda::Alias.
For a complete introduction to Lambda functions, see What is Lambda? in the Lambda developer guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Lambda::Function", "Properties" : { "Architectures" :[ String, ... ], "Code" :Code, "CodeSigningConfigArn" :String, "DeadLetterConfig" :DeadLetterConfig, "Description" :String, "Environment" :Environment, "EphemeralStorage" :EphemeralStorage, "FileSystemConfigs" :[ FileSystemConfig, ... ], "FunctionName" :String, "Handler" :String, "ImageConfig" :ImageConfig, "KmsKeyArn" :String, "Layers" :[ String, ... ], "MemorySize" :Integer, "PackageType" :String, "ReservedConcurrentExecutions" :Integer, "Role" :String, "Runtime" :String, "RuntimeManagementConfig" :RuntimeManagementConfig, "SnapStart" :SnapStart, "Tags" :[ Tag, ... ], "Timeout" :Integer, "TracingConfig" :TracingConfig, "VpcConfig" :VpcConfig} }
YAML
Type: AWS::Lambda::Function Properties: Architectures:- StringCode:CodeCodeSigningConfigArn:StringDeadLetterConfig:DeadLetterConfigDescription:StringEnvironment:EnvironmentEphemeralStorage:EphemeralStorageFileSystemConfigs:- FileSystemConfigFunctionName:StringHandler:StringImageConfig:ImageConfigKmsKeyArn:StringLayers:- StringMemorySize:IntegerPackageType:StringReservedConcurrentExecutions:IntegerRole:StringRuntime:StringRuntimeManagementConfig:RuntimeManagementConfigSnapStart:SnapStartTags:- TagTimeout:IntegerTracingConfig:TracingConfigVpcConfig:VpcConfig
Properties
Architectures-
The instruction set architecture that the function supports. Enter a string array with one of the valid values (arm64 or x86_64). The default value is
x86_64.Required: No
Type: List of String
Maximum:
1Update requires: No interruption
Code-
The code for the function.
Required: Yes
Type: Code
Update requires: No interruption
CodeSigningConfigArn-
To enable code signing for this function, specify the ARN of a code-signing configuration. A code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.
Required: No
Type: String
Maximum:
200Pattern:
arn:(aws[a-zA-Z-]*)?:lambda:[a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1}:\d{12}:code-signing-config:csc-[a-z0-9]{17}Update requires: No interruption
DeadLetterConfig-
A dead-letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. For more information, see Dead-letter queues.
Required: No
Type: DeadLetterConfig
Update requires: No interruption
Description-
A description of the function.
Required: No
Type: String
Minimum:
0Maximum:
256Update requires: No interruption
Environment-
Environment variables that are accessible from function code during execution.
Required: No
Type: Environment
Update requires: No interruption
EphemeralStorage-
The size of the function's
/tmpdirectory in MB. The default value is 512, but it can be any whole number between 512 and 10,240 MB.Required: No
Type: EphemeralStorage
Update requires: No interruption
FileSystemConfigs-
Connection settings for an Amazon EFS file system. To connect a function to a file system, a mount target must be available in every Availability Zone that your function connects to. If your template contains an AWS::EFS::MountTarget resource, you must also specify a
DependsOnattribute to ensure that the mount target is created or updated before the function.For more information about using the
DependsOnattribute, see DependsOn Attribute.Required: No
Type: List of FileSystemConfig
Maximum:
1Update requires: No interruption
FunctionName-
The name of the Lambda function, up to 64 characters in length. If you don't specify a name, AWS CloudFormation generates one.
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement
Handler-
The name of the method within your code that Lambda calls to run your function. Handler is required if the deployment package is a .zip file archive. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see Lambda programming model.
Required: No
Type: String
Maximum:
128Pattern:
[^\s]+Update requires: No interruption
ImageConfig-
Configuration values that override the container image Dockerfile settings. For more information, see Container image settings.
Required: No
Type: ImageConfig
Update requires: No interruption
KmsKeyArn-
The ARN of the AWS Key Management Service (AWS KMS) customer managed key that's used to encrypt your function's environment variables. When Lambda SnapStart is activated, Lambda also uses this key is to encrypt your function's snapshot. If you deploy your function using a container image, Lambda also uses this key to encrypt your function when it's deployed. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). If you don't provide a customer managed key, Lambda uses a default service key.
Required: No
Type: String
Pattern:
(arn:(aws[a-zA-Z-]*)?:[a-z0-9-.]+:.*)|()Update requires: No interruption
Layers-
A list of function layers to add to the function's execution environment. Specify each layer by its ARN, including the version.
Required: No
Type: List of String
Update requires: No interruption
MemorySize-
The amount of memory available to the function at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB.
Required: No
Type: Integer
Minimum:
128Maximum:
10240Update requires: No interruption
PackageType-
The type of deployment package. Set to
Imagefor container image and setZipfor .zip file archive.Required: No
Type: String
Allowed values:
Image | ZipUpdate requires: No interruption
ReservedConcurrentExecutions-
The number of simultaneous executions to reserve for the function.
Required: No
Type: Integer
Minimum:
0Update requires: No interruption
Role-
The Amazon Resource Name (ARN) of the function's execution role.
Required: Yes
Type: String
Pattern:
arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+Update requires: No interruption
Runtime-
The identifier of the function's runtime. Runtime is required if the deployment package is a .zip file archive.
The following list includes deprecated runtimes. For more information, see Runtime deprecation policy.
Required: No
Type: String
Allowed values:
dotnet6 | dotnetcore1.0 | dotnetcore2.0 | dotnetcore2.1 | dotnetcore3.1 | go1.x | java11 | java17 | java8 | java8.al2 | nodejs | nodejs10.x | nodejs12.x | nodejs14.x | nodejs16.x | nodejs18.x | nodejs4.3 | nodejs4.3-edge | nodejs6.10 | nodejs8.10 | provided | provided.al2 | python2.7 | python3.10 | python3.6 | python3.7 | python3.8 | python3.9 | ruby2.5 | ruby2.7Update requires: No interruption
RuntimeManagementConfig-
Sets the runtime management configuration for a function's version. For more information, see Runtime updates.
Required: No
Type: RuntimeManagementConfig
Update requires: No interruption
SnapStart-
The function's AWS Lambda SnapStart setting.
Required: No
Type: SnapStart
Update requires: No interruption
Tags-
A list of tags to apply to the function.
Required: No
Type: List of Tag
Update requires: No interruption
Timeout-
The amount of time (in seconds) that Lambda allows a function to run before stopping it. The default is 3 seconds. The maximum allowed value is 900 seconds. For more information, see Lambda execution environment.
Required: No
Type: Integer
Minimum:
1Update requires: No interruption
TracingConfig-
Set
ModetoActiveto sample and trace a subset of incoming requests with X-Ray.Required: No
Type: TracingConfig
Update requires: No interruption
VpcConfig-
For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC. When you connect a function to a VPC, it can access resources and the internet only through that VPC. For more information, see Configuring a Lambda function to access resources in a VPC.
Required: No
Type: VpcConfig
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Reffunction, Refreturns the resource name.
For more information about using the Reffunction, see Ref.
Fn::GetAtt
The Fn::GetAttintrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAttintrinsic function, see Fn::GetAtt.
Examples
Function
Create a Node.js function.
JSON
"AMIIDLookup": { "Type": "AWS::Lambda::Function", "Properties": { "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "LambdaExecutionRole", "Arn" ] }, "Code": { "S3Bucket": "lambda-functions", "S3Key": "amilookup.zip" }, "Runtime": "nodejs12.x", "Timeout": 25, "TracingConfig": { "Mode": "Active" } } }
Inline Function
Inline Node.js function that uses the cfn-response library.
YAML
AWSTemplateFormatVersion: '2010-09-09' Description: Lambda function with cfn-response. Resources: primer: Type: AWS::Lambda::Function Properties: Runtime: nodejs12.x Role: arn:aws:iam::123456789012:role/lambda-role Handler: index.handler Code: ZipFile: | var aws = require('aws-sdk') var response = require('cfn-response') exports.handler = function(event, context) { console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) // For Delete requests, immediately send a SUCCESS response. if (event.RequestType == "Delete") { response.send(event, context, "SUCCESS") return } var responseStatus = "FAILED" var responseData = {} var functionName = event.ResourceProperties.FunctionName var lambda = new aws.Lambda() lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { if (err) { responseData = {Error: "Invoke call failed"} console.log(responseData.Error + ":\n", err) } else responseStatus = "SUCCESS" response.send(event, context, responseStatus, responseData) }) } Description: Invoke a function during stack creation. TracingConfig: Mode: Active
VPC Function
Function connected to a VPC.
YAML
AWSTemplateFormatVersion: '2010-09-09' Description: VPC function. Resources: Function: Type: AWS::Lambda::Function Properties: Handler: index.handler Role: arn:aws:iam::123456789012:role/lambda-role Code: S3Bucket: my-bucket S3Key: function.zip Runtime: nodejs12.x Timeout: 5 TracingConfig: Mode: Active VpcConfig: SecurityGroupIds: - sg-085912345678492fb SubnetIds: - subnet-071f712345678e7c8 - subnet-07fd123456788a036
