functions
Creates, updates, deletes or gets a function resource or lists functions in a region
Overview
| Name | functions |
| Type | Resource |
| Description | The You set the package type to |
| Id | awscc.lambda.functions |
Fields
get (all properties):

| Name | Datatype | Description |
|---|---|---|
| description | string | A description of the function. |
| tracing_config | object | Set Mode to Active to sample and trace a subset of incoming requests with X-Ray. |
| vpc_config | object | For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC. When you connect a function to a VPC, it can access resources and the internet only through that VPC. For more information, see Configuring a Lambda function to access resources in a VPC. |
| runtime_management_config | object | Sets the runtime management configuration for a function's version. For more information, see Runtime updates. |
| reserved_concurrent_executions | integer | The number of simultaneous executions to reserve for the function. |
| snap_start | object | The function's SnapStart setting. |
| file_system_configs | array | Connection settings for an Amazon EFS file system. To connect a function to a file system, a mount target must be available in every Availability Zone that your function connects to. If your template contains an AWS::EFS::MountTarget resource, you must also specify a For more information about using the |
| function_name | string | The name of the Lambda function, up to 64 characters in length. If you don't specify a name, CFN generates one. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. |
| runtime | string | The identifier of the function's runtime. Runtime is required if the deployment package is a .zip file archive. Specifying a runtime results in an error if you're deploying a function using a container image. The following list includes deprecated runtimes. Lambda blocks creating new functions and updating existing functions shortly after each runtime is deprecated. For more information, see Runtime use after deprecation. For a list of all currently supported runtimes, see Supported runtimes. |
| kms_key_arn | string | The ARN of the AWS Key Management Service (KMS) customer managed key that's used to encrypt the following resources: (1) The function's environment variables. (2) The function's Lambda SnapStart snapshots. (3) When used with SourceKMSKeyArn, the unzipped version of the .zip deployment package that's used for function invocations. For more information, see Specifying a customer managed key for Lambda. (4) The optimized version of the container image that's used for function invocations. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). For more information, see Function lifecycle. If you don't provide a customer managed key, Lambda uses an AWS owned key or an [AWS managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). |
| package_type | string | The type of deployment package. Set to Image for container image and set Zip for .zip file archive. |
| code_signing_config_arn | string | To enable code signing for this function, specify the ARN of a code-signing configuration. A code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function. |
| layers | array | A list of function layers to add to the function's execution environment. Specify each layer by its ARN, including the version. |
| tags | array | A list of tags to apply to the function. You must have the lambda:TagResource, lambda:UntagResource, and lambda:ListTags permissions for your principal to manage the CFN stack. If you don't have these permissions, there might be unexpected behavior with stack-level tags propagating to the resource during resource creation and update. |
| image_config | object | Configuration values that override the container image Dockerfile settings. For more information, see Container image settings. |
| memory_size | integer | The amount of memory available to the function at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase. |
| dead_letter_config | object | A dead-letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. For more information, see Dead-letter queues. |
| timeout | integer | The amount of time (in seconds) that Lambda allows a function to run before stopping it. The default is 3 seconds. The maximum allowed value is 900 seconds. For more information, see Lambda execution environment. |
| handler | string | The name of the method within your code that Lambda calls to run your function. Handler is required if the deployment package is a .zip file archive. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see Lambda programming model. |
| snap_start_response | object | The function's SnapStart setting. |
| code | object | The code for the function. You can define your function code in multiple ways: (1) For .zip deployment packages, you can specify the S3 location of the .zip file in the S3Bucket, S3Key, and S3ObjectVersion properties. (2) For .zip deployment packages, you can alternatively define the function code inline in the ZipFile property. This method works only for Node.js and Python functions. (3) For container images, specify the URI of your container image in the ECR registry in the ImageUri property. |
| role | string | The Amazon Resource Name (ARN) of the function's execution role. |
| logging_config | object | The function's Amazon CloudWatch Logs configuration settings. |
| recursive_loop | string | The status of your function's recursive loop detection configuration. When this value is set to Allow and Lambda detects your function being invoked as part of a recursive loop, it doesn't take any action. When this value is set to Terminate and Lambda detects your function being invoked as part of a recursive loop, it stops your function being invoked and notifies you. |
| environment | object | Environment variables that are accessible from function code during execution. |
| arn | string | |
| ephemeral_storage | object | The size of the function's /tmp directory in MB. The default value is 512, but it can be any whole number between 512 and 10,240 MB. |
| architectures | array | The instruction set architecture that the function supports. Enter a string array with one of the valid values (arm64 or x86_64). The default value is x86_64. |
| region | string | AWS region. |

list (identifiers only):

| Name | Datatype | Description |
|---|---|---|
| function_name | string | The name of the Lambda function, up to 64 characters in length. If you don't specify a name, CFN generates one. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. |
| region | string | AWS region. |

For more information, see AWS::Lambda::Function.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
| create_resource | functions | INSERT | Code, Role, region |
| delete_resource | functions | DELETE | Identifier, region |
| update_resource | functions | UPDATE | Identifier, PatchDocument, region |
| list_resources | functions_list_only | SELECT | region |
| get_resource | functions | SELECT | Identifier, region |
SELECT examples
Gets all properties from an individual function.
```sql
SELECT
  region,
  description,
  tracing_config,
  vpc_config,
  runtime_management_config,
  reserved_concurrent_executions,
  snap_start,
  file_system_configs,
  function_name,
  runtime,
  kms_key_arn,
  package_type,
  code_signing_config_arn,
  layers,
  tags,
  image_config,
  memory_size,
  dead_letter_config,
  timeout,
  handler,
  snap_start_response,
  code,
  role,
  logging_config,
  recursive_loop,
  environment,
  arn,
  ephemeral_storage,
  architectures
FROM awscc.lambda.functions
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ function_name }}';
```
Lists all functions in a region.
```sql
SELECT
  region,
  function_name
FROM awscc.lambda.functions_list_only
WHERE
  region = '{{ region }}';
```
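Rows returned by the get (all properties) query can be checked against the security-relevant fields described in the Fields table. The following is an added example, not part of the StackQL documentation; it assumes each row is a dict keyed by the column names above, that object columns arrive either as JSON text or as decoded dicts, and it skips the code-signing check for container images because Lambda code signing applies to .zip packages. The sample rows and ARN are constructed.

```python
import json

def _obj(value):
    # Object columns may arrive as JSON text or as decoded dicts (assumption).
    if isinstance(value, str) and value.strip():
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return {}
    return value if isinstance(value, dict) else {}

def _key(obj, name):
    # Accept CloudFormation casing ("Mode") or the manifest's snake_case ("mode").
    return obj.get(name) or obj.get(name[0].lower() + name[1:])

def audit_function(row):
    """Return a list of findings for one row of the get query."""
    findings = []
    env_vars = _key(_obj(row.get("environment")), "Variables") or {}
    if env_vars and not row.get("kms_key_arn"):
        findings.append("environment variables without a customer managed kms_key_arn")
    # Code signing applies to .zip packages; container images are skipped.
    if (row.get("package_type") or "Zip") == "Zip" and not row.get("code_signing_config_arn"):
        findings.append("code signing not enabled")
    if row.get("recursive_loop") == "Allow":
        findings.append("recursive_loop=Allow: no action on detected loops")
    if _key(_obj(row.get("tracing_config")), "Mode") != "Active":
        findings.append("X-Ray tracing not Active")
    return findings

def audit_rows(rows):
    """Map each function_name to its findings."""
    return {r["function_name"]: audit_function(r) for r in rows}

# Constructed sample rows (not real resources); the ARN is a placeholder.
SAMPLE_ROWS = [
    {"function_name": "orders-api", "package_type": "Zip", "kms_key_arn": None,
     "code_signing_config_arn": None, "recursive_loop": "Allow",
     "environment": '{"Variables": {"DB_HOST": "db.internal.example"}}',
     "tracing_config": '{"Mode": "PassThrough"}'},
    {"function_name": "thumbnailer", "package_type": "Image",
     "kms_key_arn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
     "code_signing_config_arn": None, "recursive_loop": "Terminate",
     "environment": {"variables": {"BUCKET": "example-bucket"}},
     "tracing_config": {"Mode": "Active"}},
]

if __name__ == "__main__":
    for name, findings in audit_rows(SAMPLE_ROWS).items():
        print(name, findings or "ok")
```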
INSERT example
Use the following StackQL query and manifest file to create a new function resource, using stack-deploy.
Required properties:

```sql
/*+ create */
INSERT INTO awscc.lambda.functions (
  Code,
  Role,
  region
)
SELECT
  '{{ code }}',
  '{{ role }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;
```
All properties:

```sql
/*+ create */
INSERT INTO awscc.lambda.functions (
  Description,
  TracingConfig,
  VpcConfig,
  RuntimeManagementConfig,
  ReservedConcurrentExecutions,
  SnapStart,
  FileSystemConfigs,
  FunctionName,
  Runtime,
  KmsKeyArn,
  PackageType,
  CodeSigningConfigArn,
  Layers,
  Tags,
  ImageConfig,
  MemorySize,
  DeadLetterConfig,
  Timeout,
  Handler,
  Code,
  Role,
  LoggingConfig,
  RecursiveLoop,
  Environment,
  EphemeralStorage,
  Architectures,
  region
)
SELECT
  '{{ description }}',
  '{{ tracing_config }}',
  '{{ vpc_config }}',
  '{{ runtime_management_config }}',
  '{{ reserved_concurrent_executions }}',
  '{{ snap_start }}',
  '{{ file_system_configs }}',
  '{{ function_name }}',
  '{{ runtime }}',
  '{{ kms_key_arn }}',
  '{{ package_type }}',
  '{{ code_signing_config_arn }}',
  '{{ layers }}',
  '{{ tags }}',
  '{{ image_config }}',
  '{{ memory_size }}',
  '{{ dead_letter_config }}',
  '{{ timeout }}',
  '{{ handler }}',
  '{{ code }}',
  '{{ role }}',
  '{{ logging_config }}',
  '{{ recursive_loop }}',
  '{{ environment }}',
  '{{ ephemeral_storage }}',
  '{{ architectures }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;
```
Manifest:

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: function
    props:
      - name: description
        value: '{{ description }}'
      - name: tracing_config
        value:
          mode: '{{ mode }}'
      - name: vpc_config
        value:
          ipv6_allowed_for_dual_stack: '{{ ipv6_allowed_for_dual_stack }}'
          security_group_ids:
            - '{{ security_group_ids[0] }}'
          subnet_ids:
            - '{{ subnet_ids[0] }}'
      - name: runtime_management_config
        value:
          update_runtime_on: '{{ update_runtime_on }}'
          runtime_version_arn: '{{ runtime_version_arn }}'
      - name: reserved_concurrent_executions
        value: '{{ reserved_concurrent_executions }}'
      - name: snap_start
        value:
          apply_on: '{{ apply_on }}'
      - name: file_system_configs
        value:
          - arn: '{{ arn }}'
            local_mount_path: '{{ local_mount_path }}'
      - name: function_name
        value: '{{ function_name }}'
      - name: runtime
        value: '{{ runtime }}'
      - name: kms_key_arn
        value: '{{ kms_key_arn }}'
      - name: package_type
        value: '{{ package_type }}'
      - name: code_signing_config_arn
        value: '{{ code_signing_config_arn }}'
      - name: layers
        value:
          - '{{ layers[0] }}'
      - name: tags
        value:
          - value: '{{ value }}'
            key: '{{ key }}'
      - name: image_config
        value:
          working_directory: '{{ working_directory }}'
          command:
            - '{{ command[0] }}'
          entry_point:
            - '{{ entry_point[0] }}'
      - name: memory_size
        value: '{{ memory_size }}'
      - name: dead_letter_config
        value:
          target_arn: '{{ target_arn }}'
      - name: timeout
        value: '{{ timeout }}'
      - name: handler
        value: '{{ handler }}'
      - name: code
        value:
          source_kms_key_arn: '{{ source_kms_key_arn }}'
          s3_object_version: '{{ s3_object_version }}'
          s3_bucket: '{{ s3_bucket }}'
          zip_file: '{{ zip_file }}'
          s3_key: '{{ s3_key }}'
          image_uri: '{{ image_uri }}'
      - name: role
        value: '{{ role }}'
      - name: logging_config
        value:
          log_format: '{{ log_format }}'
          application_log_level: '{{ application_log_level }}'
          log_group: '{{ log_group }}'
          system_log_level: '{{ system_log_level }}'
      - name: recursive_loop
        value: '{{ recursive_loop }}'
      - name: environment
        value:
          variables: {}
      - name: ephemeral_storage
        value:
          size: '{{ size }}'
      - name: architectures
        value:
          - '{{ architectures[0] }}'
```
UPDATE example
Use the following StackQL query and manifest file to update a function resource, using stack-deploy.
```sql
/*+ update */
UPDATE awscc.lambda.functions
SET PatchDocument = string('{{ {
  "Description": description,
  "TracingConfig": tracing_config,
  "VpcConfig": vpc_config,
  "RuntimeManagementConfig": runtime_management_config,
  "ReservedConcurrentExecutions": reserved_concurrent_executions,
  "SnapStart": snap_start,
  "FileSystemConfigs": file_system_configs,
  "Runtime": runtime,
  "KmsKeyArn": kms_key_arn,
  "CodeSigningConfigArn": code_signing_config_arn,
  "Layers": layers,
  "Tags": tags,
  "ImageConfig": image_config,
  "MemorySize": memory_size,
  "DeadLetterConfig": dead_letter_config,
  "Timeout": timeout,
  "Handler": handler,
  "Code": code,
  "Role": role,
  "LoggingConfig": logging_config,
  "RecursiveLoop": recursive_loop,
  "Environment": environment,
  "EphemeralStorage": ephemeral_storage,
  "Architectures": architectures
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ function_name }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;
```
DELETE example
```sql
/*+ delete */
DELETE FROM awscc.lambda.functions
WHERE
  Identifier = '{{ function_name }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;
```
Additional Parameters
Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:
| Parameter | Description |
|---|---|
| ClientToken | A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request. |
| RoleArn | The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials. |
| TypeVersionId | For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used. |
Permissions
To operate on the functions resource, the following permissions are required:
Read:

lambda:GetFunction,
lambda:GetFunctionCodeSigningConfig,
lambda:GetFunctionRecursionConfig

Create:

lambda:CreateFunction,
lambda:GetFunction,
lambda:PutFunctionConcurrency,
iam:PassRole,
s3:GetObject,
s3:GetObjectVersion,
ec2:DescribeSecurityGroups,
ec2:DescribeSubnets,
ec2:DescribeVpcs,
elasticfilesystem:DescribeMountTargets,
kms:CreateGrant,
kms:Decrypt,
kms:Encrypt,
kms:GenerateDataKey,
lambda:GetCodeSigningConfig,
lambda:GetFunctionCodeSigningConfig,
lambda:GetLayerVersion,
lambda:GetRuntimeManagementConfig,
lambda:PutRuntimeManagementConfig,
lambda:TagResource,
lambda:PutFunctionRecursionConfig,
lambda:GetFunctionRecursionConfig

Update:

lambda:DeleteFunctionConcurrency,
lambda:GetFunction,
lambda:PutFunctionConcurrency,
lambda:TagResource,
lambda:UntagResource,
lambda:UpdateFunctionConfiguration,
lambda:UpdateFunctionCode,
iam:PassRole,
s3:GetObject,
s3:GetObjectVersion,
ec2:DescribeSecurityGroups,
ec2:DescribeSubnets,
ec2:DescribeVpcs,
elasticfilesystem:DescribeMountTargets,
kms:CreateGrant,
kms:Decrypt,
kms:GenerateDataKey,
lambda:GetRuntimeManagementConfig,
lambda:PutRuntimeManagementConfig,
lambda:PutFunctionCodeSigningConfig,
lambda:DeleteFunctionCodeSigningConfig,
lambda:GetCodeSigningConfig,
lambda:GetFunctionCodeSigningConfig,
lambda:PutFunctionRecursionConfig,
lambda:GetFunctionRecursionConfig

List:

lambda:ListFunctions

Delete:

lambda:DeleteFunction,
lambda:GetFunction,
ec2:DescribeNetworkInterfaces