How do I add a lambda environmental variable with terraform?

terraform lambda environment variables example
terraform invoke lambda
terraform lambda trigger
terraform lambda layers
terraform lambda module
terraform lambda vpc_config example
data terraform lambda
terraform variables

I want my lambda to call APIs, and that requires an API token. I want to place the API token into a lambda environment variable. How can I have terraform do this instead? Or am I approaching this the wrong way?


The Documentation here gives a pretty good example. Basically it's a environment block with a variables block. Then whatever key value pairs you want. Assuming you're using nodejs you can then refer to these variables in your lambda code by doing process.env.api_key. These values would be stored in plain text in your terraform code as well as the terraform state file. AWS encrypts the environment variables but you do need to concern yourself with how those values get there. If you are uncomfortable with them being stored in git and whatever storage you use for your state file then you can add them in manually through the console.

resource "aws_lambda_function" "test_lambda" {
  filename         = "lambda_function_payload.zip"
  function_name    = "lambda_function_name"
  runtime          = "nodejs8.10"
  ...

  environment {
    variables = {
      api_key = "super_secret"
    }
  }
}

Environment Variables, The Documentation here gives a pretty good example. Basically it's a environment block with a variables block. Then whatever key value pairs  If this configuration is provided when environment variables are not in use, the AWS Lambda API does not save this configuration and Terraform will show a perpetual difference of adding the key. To fix the perpetual difference, remove this configuration. source_code_hash - (Optional) Used to trigger updates.


If you have, like for most traditional NodeJS app, en .env file that is loaded with dotenv locally, here is a trick to proxy those variables into your Terraform files as variables:

env $(sed -e 's/^/TF_VAR_/' ../../.env.preproduction) terraform plan \
 -out=terraform-preproduction.plan

Then, just declare the env vars as variables and use them:

variable "SECRET" {
  description = "The application SECRET env var"
}

resource "aws_lambda_function" "test_lambda" {
  filename         = "lambda_function_payload.zip"
  function_name    = "lambda_function_name"
  runtime          = "nodejs8.10"
  ...

  environment = {
    variables = {
      api_key = "${var.SECRET}"
    }
  }
}

How do I add a lambda environmental variable with terraform , How to reproduce the environment for efficient local Lambda development. it's way harder to set breakpoints and see what the code actually does. An important environment variable not managed by Terraform is the  Terraform’s capabilities extend far beyond these simple commands. Some common examples include importing environment variables, managing deployment modules, and storing infrastructure state remotely. System Design. The goal of this system is to automagically move an object from one S3 bucket to two others.


If you want to pass a super_secret_value in terraform then instead passing through a tfvars file, you might want to consider using Vault or AWS Secret Manager.

But, even if you use Vault or AWS Secret Manager, secrets maybe be visible in tfstate file. But to mitigate the risk, you can encrypt the tfstate file on S3 and put restrict policy so that only required people can access this state file.

How to reproduce a Lambda function's environment variables locally , FrediWeber added a commit to FrediWeber/terraform-provider-aws that Resolves #11595 - Sensitive environment variables in AWS Lambda #11614. Open Add 'content_sensitive'/'content_base64_sensitive' argument to  module.edge.aws_lambda_function.main: environment: should be a list; Obviously environment is supposed to be a map, but it seems to expect a list. I can't find a workaround to providing a default empty object for the environment, aside from creating a seperate module specifically for edge functions, which would omit environment entirely.


You can use aws secret manager to store your data. more info. to use them in your terraform follow below steps:

  1. Store your sensitive data such as passwords and api keys.
  2. Add "aws_secretsmanager_secret" data to your terraform, more info
  3. Add "aws_secretsmanager_secret_version" based on the secret from the previous step. more info
  4. Assuming your secret are stored in a key-value structure use

${jsondecode(data.aws_secretsmanager_secret_version.secrets.secret_string)["YOUR_KEY"]}

AWS Lambda Function Sensitive Environment Variables · Issue , Basically, terraform tries to add the environment variables to the lambda function during every run. During the first run, it successfully creates  And it seems odd that it wouldn't allow you to set environment variables if it's really meant to be a useful module. – ydaetskcoR 1 hour ago Haven't validated this but you may be able to update the Lambda function configuration's environment variables without touching anything else (or re-uploading the function code).


AWS Lambda Function Environment Variables not refreshing state , Use Terraform to easily deploy your Lambda functions while supporting multiple AWS It's not enough to just create an AWS Lambda resource. There's Lambda supports encrypted environment variables out of the box. memory_size - Amount of memory in MB your Lambda Function can use at runtime. qualified_arn - Qualified (:QUALIFIER or :VERSION suffix) Amazon Resource Name (ARN) identifying your Lambda Function. See also arn. reserved_concurrent_executions - The amount of reserved concurrent executions for this lambda function or -1 if unreserved.


AWS Lambda Deployment using Terraform - Build Galvanize, To create a lambda function, the deployment package needs to be a .zip consisting of your Just like any tool or language, Terraform supports variables. That module can be called in each of the environment modules. I would suggest to add ConnectionString at AWS console and to not use production connection string at config file to avoid those kinds of problems. Log into AWS console, go to lambda function and add connection string as an environment variable. PS. In case you will struggle with syntax. If your json config file looks like this:


AWS Serverless with Terraform – Best Practices, Terraform's capabilities extend far beyond these simple commands. Some common examples include importing environment variables,  »Environment Variables Terraform refers to a number of environment variables to customize various aspects of its behavior. None of these environment variables are required when using Terraform, but they can be used to change some of Terraform's default behaviors in unusual situations, or to increase output verbosity for debugging.