Terraform Scheduled Lambda: Step-by-Step Setup Guide

Introduction
Step-by-Step Guide
Code Example
Additional Notes
Summary
Conclusion
References

Introduction

This guide demonstrates how to schedule the execution of an AWS Lambda function using Terraform and AWS CloudWatch Events (Amazon EventBridge). You will learn how to define your Lambda function, create a CloudWatch Event Rule for scheduling, link the two together, and set up the necessary permissions for seamless execution.

Step-by-Step Guide

To schedule the execution of an AWS Lambda function using Terraform, you'll need to utilize the power of AWS CloudWatch Events (now known as Amazon EventBridge). Here's a breakdown of the process:

Define your Lambda function: Start by defining your Lambda function using the aws_lambda_function resource in your Terraform configuration. This involves specifying the function's name, runtime environment, handler, and other relevant parameters.
Establish a CloudWatch Event Rule: Create a CloudWatch Event Rule using the aws_cloudwatch_event_rule resource. This rule will dictate the schedule on which your Lambda function should be triggered. You can define the schedule using cron expressions or rate expressions.
Link the Lambda function to the Event Rule: Connect your Lambda function to the CloudWatch Event Rule using the aws_cloudwatch_event_target resource. This resource acts as a bridge, ensuring that when the Event Rule is triggered according to the defined schedule, your Lambda function is invoked.
Grant necessary permissions: For your CloudWatch Event Rule to successfully trigger your Lambda function, you need to grant the necessary permissions. This is typically achieved by adding an IAM policy to your Lambda function's execution role, allowing it to be invoked by the CloudWatch Events service.

By following these steps, you can effectively schedule the execution of your Lambda function using Terraform and CloudWatch Events. This approach provides a robust and scalable solution for automating tasks within your AWS environment.

Code Example

This Terraform code defines an AWS Lambda function and configures it to be triggered by a CloudWatch Event Rule every 5 minutes. It creates the necessary IAM role and policy for the Lambda function, defines a CloudWatch Event Rule with a schedule, and sets up a target to invoke the Lambda function when the rule is triggered. Finally, it grants the CloudWatch Events service permission to invoke the Lambda function.

# Define the Lambda function
resource "aws_lambda_function" "example" {
  function_name = "example_function"
  runtime       = "nodejs16.x"
  handler       = "index.handler"

  # Replace with your actual Lambda function code
  filename         = "lambda_function.zip"
  source_code_hash = filebase64sha256("lambda_function.zip")

  # Define the IAM role for the Lambda function
  role = aws_iam_role.lambda_role.arn
}

# Create an IAM role for the Lambda function
resource "aws_iam_role" "lambda_role" {
  name = "example_lambda_role"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

# Attach the AWSLambdaBasicExecutionRole policy to the Lambda role
resource "aws_iam_role_policy_attachment" "lambda_policy_attachment" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# Create a CloudWatch Event Rule to trigger the Lambda function
resource "aws_cloudwatch_event_rule" "example" {
  name                = "example_rule"
  schedule_expression = "rate(5 minutes)" # Run every 5 minutes
}

# Create a CloudWatch Event Target to invoke the Lambda function
resource "aws_cloudwatch_event_target" "example" {
  rule      = aws_cloudwatch_event_rule.example.name
  target_id = "lambda_target"
  arn       = aws_lambda_function.example.arn
}

# Grant permission to the CloudWatch Event Rule to invoke the Lambda function
resource "aws_lambda_permission" "example" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.example.arn
}

Explanation:

Lambda Function Definition:
- The aws_lambda_function resource defines your Lambda function, including its name, runtime, handler, and code location.
- The role attribute specifies the IAM role that the Lambda function will assume.
IAM Role and Policy:
- The aws_iam_role resource creates an IAM role for the Lambda function.
- The assume_role_policy allows the Lambda service to assume this role.
- The aws_iam_role_policy_attachment resource attaches the AWSLambdaBasicExecutionRole policy to the role, granting the function basic execution permissions.
CloudWatch Event Rule:
- The aws_cloudwatch_event_rule resource defines a CloudWatch Event Rule named "example_rule."
- The schedule_expression attribute sets the schedule for triggering the rule. In this case, it's set to run every 5 minutes using the rate expression.
CloudWatch Event Target:
- The aws_cloudwatch_event_target resource connects the CloudWatch Event Rule to the Lambda function.
- The rule attribute specifies the rule to trigger the target.
- The target_id is a unique identifier for the target.
- The arn attribute specifies the ARN of the Lambda function to invoke.
Lambda Permission:
- The aws_lambda_permission resource grants the CloudWatch Events service permission to invoke the Lambda function.
- The statement_id is a unique identifier for the permission statement.
- The action specifies the allowed action, which is lambda:InvokeFunction.
- The function_name identifies the Lambda function.
- The principal specifies the service that is allowed to invoke the function, which is events.amazonaws.com for CloudWatch Events.
- The source_arn specifies the ARN of the CloudWatch Event Rule that is allowed to invoke the function.

Remember to replace the placeholder values with your actual Lambda function code, desired schedule, and other relevant details.

Additional Notes

Scheduling:

Cron expressions: Provide flexibility for complex schedules (e.g., every Tuesday at 8:00 AM). Refer to AWS documentation for cron expression syntax.
Rate expressions: Simpler for fixed intervals (e.g., every 5 minutes).
Time zones: CloudWatch Events uses UTC. Consider time zone conversions within your Lambda function if necessary.

Permissions:

Principle of least privilege: Grant only the necessary permissions to the Lambda function's execution role.
Alternative to inline policy: Create a separate IAM policy and attach it to the role for better organization.

Lambda Function Considerations:

Function logic: Ensure your Lambda function handles scheduled invocations correctly.
Execution time: Set an appropriate timeout for your function to prevent it from being terminated prematurely.
Logging and monitoring: Implement logging and monitoring to track executions and troubleshoot issues.

Terraform Best Practices:

Modularity: Use modules to organize your Terraform code and make it reusable.
Variables: Use variables to parameterize your code and make it more flexible.
State management: Store your Terraform state securely using a remote backend.

Alternatives and Extensions:

AWS EventBridge Scheduler: A newer service offering more advanced scheduling capabilities.
Other event sources: Trigger Lambda functions based on various events, such as S3 object uploads or API Gateway requests.

Troubleshooting:

CloudWatch Logs: Check the Lambda function's log group for errors.
EventBridge console: Verify the event rule's trigger history and target invocation status.
IAM simulator: Test and validate IAM policies to ensure the Lambda function has the necessary permissions.

Summary

This table summarizes the process of scheduling AWS Lambda function execution using Terraform and CloudWatch Events:

Step	Description	Terraform Resource	Key Point
1. Define Lambda Function	Define your Lambda function's configuration (name, runtime, handler, etc.).	`aws_lambda_function`	This sets up the function itself.
2. Create CloudWatch Event Rule	Define the schedule (using cron or rate expressions) for triggering your Lambda function.	`aws_cloudwatch_event_rule`	This determines when the function will run.
3. Connect Lambda to Event Rule	Link your Lambda function to the CloudWatch Event Rule.	`aws_cloudwatch_event_target`	This ensures the function is invoked upon the schedule defined in the rule.
4. Grant Permissions	Allow CloudWatch Events to invoke your Lambda function by adding an IAM policy to the function's execution role.		This is crucial for the entire setup to work.

In essence: You define your function, set a schedule with CloudWatch Events, connect the two, and ensure proper permissions for a seamless automated workflow.

Conclusion

In conclusion, scheduling the execution of AWS Lambda functions using Terraform and CloudWatch Events (Amazon EventBridge) offers a robust and automated approach for managing tasks within your AWS environment. By defining your Lambda function, establishing a CloudWatch Event Rule with a specific schedule, linking the two, and ensuring appropriate IAM permissions, you can achieve seamless and scalable automation. This guide provided a comprehensive overview of the process, along with code examples and explanations, empowering you to implement scheduled Lambda function executions effectively. Remember to leverage Terraform best practices, consider Lambda function limitations, and utilize monitoring tools for a smooth and reliable automation experience.

References

How to schedule your Lambda with Terraform? - DEV Community | There are many cases where you might need to run your Lambda regularly without having it triggered by...
Adding trigger between lambda function and Cloudwatch rule ... | I am struggling to create a schedule to run a lambda function through terraform… With the code below resource "aws_lambda_function" "cleansing_coding_lambda" { ... } resource "aws_cloudwatch_event_rule" "cleansing_coding_rule" { name = "cleansing-coding-rule" schedule_expression = "cron(5 * * * ? *)" # every hour, 5 mns passed the hour } resource "aws_cloudwatch_event_target" "cleansing_coding_target" { rule = aws_cloudwatch_event_rule.cleansing_coding_rule.name arn ...
aws_lambda_event_source_mapping | hashicorp/aws | Terraform | Provides a Lambda event source mapping. This allows Lambda functions to get events from Kinesis, DynamoDB, SQS, Amazon MQ and Managed Streaming for Apache ...
How To Setup AWS Lambda Scheduled Events with Terraform | Need to know how to trigger a Lambda on a CloudWatch event? We show you how to Terraform Lambda Scheduled Event's by adding a CloudWatch Event, Trigger and Lambda permission.
How can I schedule a lambda to be called at a specific time in the ... | Posted by u/GooberMcNutly - 28 votes and 37 comments
How to Enable/Disable a Lambda Trigger on a Schedule | by Zac ... | One solution using Lambda and another using a API Gateway. But first, let’s discuss why you want to do this and what you could do instead.
Support Scheduled Event event source for AWS Lambda · Issue ... | It seems the aws_lambda_event_source_mapping resource only currently supports events from Kinesis and DynamoDB. Lambda can be a nice replacement for cron when using the Scheduled Event source, so i...
Invoke a Lambda function on a schedule - AWS Lambda | With EventBridge Scheduler, you can create schedules using cron and rate expressions for recurring patterns, or configure one-time invocations. You can set up ...
Lambda Function Event Bridge Terraform | How to invoke an AWS Lambda Function at scheduled intervals with AWS EventBridge Rule using Terraform