aws.lambda-function-url resource

Description

FunctionUrl gives a Lambda function, or one of its aliases, a dedicated HTTPS endpoint, the way CloudFormation models AWS::Lambda::Url. The function and the alias qualifier identify the endpoint and are fixed at creation; the authentication type, the CORS settings, and the invoke mode reconcile in place through UpdateFunctionUrlConfig. Setting auth-type to NONE does not by itself open the endpoint to anonymous callers: invocation also requires a lambda:InvokeFunctionUrl statement with function-url-auth-type NONE and principal "*" on the function's resource policy, which belongs to the lambda-permission resource, so pair the two.

Source: internal/service/lambda/function_url_rsrc.go:25

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.lambda-function-url {
    # Set input fields here.
  }
}
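The pairing the Description calls for can be checked from the endpoint's auth type and the function's resource policy document. The Python below is an added example, not code from unobin-library-aws: `classify_exposure` and `SAMPLE_POLICY` are hypothetical names, the policy is constructed sample data with a placeholder ARN, and the check matches only the statement shape the Description names rather than evaluating IAM policy in full (Deny statements and other condition operators are ignored).

```python
import json

# Constructed sample: the resource-policy statement the Description refers to.
# The account id and function name in the ARN are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExamplePublicUrl",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
})

def _as_list(value):
    # IAM policy JSON accepts a scalar wherever a list is valid.
    return value if isinstance(value, list) else [value]

def _is_public_grant(stmt):
    """Match Allow + principal "*" + lambda:InvokeFunctionUrl + auth type NONE."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS")  # {"AWS": "*"} is equivalent to "*"
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    string_equals = {k.lower(): v for k, v in
                     stmt.get("Condition", {}).get("StringEquals", {}).items()}
    return (stmt.get("Effect") == "Allow"
            and "*" in _as_list(principal)
            and "lambda:invokefunctionurl" in actions
            and "NONE" in _as_list(string_equals.get("lambda:functionurlauthtype", [])))

def classify_exposure(auth_type, policy_json):
    """Return 'iam', 'public', or 'none-without-grant' for one function URL."""
    if auth_type == "AWS_IAM":
        return "iam"
    if auth_type != "NONE":
        raise ValueError("auth-type must be AWS_IAM or NONE")
    # A function with no resource policy has nothing to parse.
    doc = json.loads(policy_json) if policy_json else {}
    statements = _as_list(doc.get("Statement", []))
    if any(_is_public_grant(s) for s in statements):
        return "public"
    return "none-without-grant"

if __name__ == "__main__":
    print(classify_exposure("NONE", SAMPLE_POLICY))
```

A result of `none-without-grant` means the endpoint is declared with auth-type NONE but the matching lambda-permission statement is absent, so anonymous callers are not yet able to invoke it.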

Inputs

function-name

string

required

FunctionName names the function the endpoint fronts, as a function name, a partial ARN, or a full ARN.

auth-type

string

required

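AuthType is how callers authenticate: AWS_IAM to require IAM authorization, or NONE for a public endpoint. As the Description notes, NONE only takes effect for anonymous callers once the matching lambda-permission statement is on the function's resource policy.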

qualifier

optional(string)

Qualifier is the alias the endpoint is attached to. When unset the endpoint addresses the function's unpublished version.

invoke-mode

optional(string)

InvokeMode selects BUFFERED, where Lambda returns the response once the payload is complete, or RESPONSE_STREAM, where the function streams it. Unset leaves the AWS default of BUFFERED; removing the field later leaves the live mode unchanged, so set BUFFERED explicitly to return a streaming endpoint to the default.

cors

optional(object)
optional(
  object({
    allow-credentials: optional(boolean)
    allow-headers: optional(list(string))
    allow-methods: optional(list(string))
    allow-origins: optional(list(string))
    expose-headers: optional(list(string))
    max-age: optional(integer)
  })
)

Cors holds the cross-origin resource sharing settings the endpoint answers browser preflight requests with. Removing the block clears the settings on the next update.

Input Constraints

Auth type rules

auth-type must be AWS_IAM or NONE.

Rule logic
Require
input.auth-type == 'AWS_IAM'
|| input.auth-type == 'NONE'

Invoke mode rules

invoke-mode must be BUFFERED or RESPONSE_STREAM.

Rule logic
When
input.invoke-mode != null
Require
input.invoke-mode == 'BUFFERED'
|| input.invoke-mode == 'RESPONSE_STREAM'

Cors rules

cors max-age must be between 0 and 86400 seconds.

Rule logic
When
input.cors.max-age != null
Require
(input.cors.max-age == null || input.cors.max-age >= 0)
&& (input.cors.max-age == null || input.cors.max-age <= 86400)

Outputs

function-url

string

function-arn

string

url-id

string

qualifier

string