The aws:lambda/function:Function resource, part of the Pulumi AWS provider, defines a Lambda function’s deployment package, runtime environment, and execution configuration. This guide focuses on four capabilities: container image deployment, Layer-based code sharing, VPC networking and EFS integration, and structured logging and error handling.
Lambda functions require IAM execution roles and may reference ECR repositories, VPC infrastructure, EFS file systems, or CloudWatch resources that must exist separately. The examples are intentionally small. Combine them with your own IAM roles, event sources, and infrastructure.
Deploy a function from a container image
Teams packaging Lambda functions as container images gain flexibility in runtime dependencies and tooling, supporting larger deployment packages and custom base images.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lambda.Function("example", {
name: "example_container_function",
role: exampleAwsIamRole.arn,
packageType: "Image",
imageUri: `${exampleAwsEcrRepository.repositoryUrl}:latest`,
imageConfig: {
entryPoints: ["/lambda-entrypoint.sh"],
commands: ["app.handler"],
},
memorySize: 512,
timeout: 30,
architectures: ["arm64"],
});
import pulumi
import pulumi_aws as aws
example = aws.lambda_.Function("example",
name="example_container_function",
role=example_aws_iam_role["arn"],
package_type="Image",
image_uri=f"{example_aws_ecr_repository['repositoryUrl']}:latest",
image_config={
"entry_points": ["/lambda-entrypoint.sh"],
"commands": ["app.handler"],
},
memory_size=512,
timeout=30,
architectures=["arm64"])
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lambda.NewFunction(ctx, "example", &lambda.FunctionArgs{
Name: pulumi.String("example_container_function"),
Role: pulumi.Any(exampleAwsIamRole.Arn),
PackageType: pulumi.String("Image"),
ImageUri: pulumi.Sprintf("%v:latest", exampleAwsEcrRepository.RepositoryUrl),
ImageConfig: &lambda.FunctionImageConfigArgs{
EntryPoints: pulumi.StringArray{
pulumi.String("/lambda-entrypoint.sh"),
},
Commands: pulumi.StringArray{
pulumi.String("app.handler"),
},
},
MemorySize: pulumi.Int(512),
Timeout: pulumi.Int(30),
Architectures: pulumi.StringArray{
pulumi.String("arm64"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Lambda.Function("example", new()
{
Name = "example_container_function",
Role = exampleAwsIamRole.Arn,
PackageType = "Image",
ImageUri = $"{exampleAwsEcrRepository.RepositoryUrl}:latest",
ImageConfig = new Aws.Lambda.Inputs.FunctionImageConfigArgs
{
EntryPoints = new[]
{
"/lambda-entrypoint.sh",
},
Commands = new[]
{
"app.handler",
},
},
MemorySize = 512,
Timeout = 30,
Architectures = new[]
{
"arm64",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.aws.lambda.inputs.FunctionImageConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Function("example", FunctionArgs.builder()
.name("example_container_function")
.role(exampleAwsIamRole.arn())
.packageType("Image")
.imageUri(String.format("%s:latest", exampleAwsEcrRepository.repositoryUrl()))
.imageConfig(FunctionImageConfigArgs.builder()
.entryPoints("/lambda-entrypoint.sh")
.commands("app.handler")
.build())
.memorySize(512)
.timeout(30)
.architectures("arm64")
.build());
}
}
resources:
example:
type: aws:lambda:Function
properties:
name: example_container_function
role: ${exampleAwsIamRole.arn}
packageType: Image
imageUri: ${exampleAwsEcrRepository.repositoryUrl}:latest
imageConfig:
entryPoints:
- /lambda-entrypoint.sh
commands:
- app.handler
memorySize: 512
timeout: 30
architectures: # Graviton support for better price/performance
- arm64
When packageType is “Image”, Lambda pulls your container from ECR at invocation time. The imageConfig block overrides the container’s default entry point and command, letting you reuse images across functions with different handlers. The imageUri must point to a tagged image in ECR.
Share code across functions with Layers
Applications with multiple functions often extract common dependencies into Layers, reducing deployment package size and enabling shared library updates.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Common dependencies layer
const example = new aws.lambda.LayerVersion("example", {
code: new pulumi.asset.FileArchive("layer.zip"),
layerName: "example_dependencies_layer",
description: "Common dependencies for Lambda functions",
compatibleRuntimes: [
"nodejs20.x",
"python3.12",
],
compatibleArchitectures: [
"x86_64",
"arm64",
],
});
// Function using the layer
const exampleFunction = new aws.lambda.Function("example", {
code: new pulumi.asset.FileArchive("function.zip"),
name: "example_layered_function",
role: exampleAwsIamRole.arn,
handler: "index.handler",
runtime: aws.lambda.Runtime.NodeJS20dX,
layers: [example.arn],
tracingConfig: {
mode: "Active",
},
});
import pulumi
import pulumi_aws as aws
# Common dependencies layer
example = aws.lambda_.LayerVersion("example",
code=pulumi.FileArchive("layer.zip"),
layer_name="example_dependencies_layer",
description="Common dependencies for Lambda functions",
compatible_runtimes=[
"nodejs20.x",
"python3.12",
],
compatible_architectures=[
"x86_64",
"arm64",
])
# Function using the layer
example_function = aws.lambda_.Function("example",
code=pulumi.FileArchive("function.zip"),
name="example_layered_function",
role=example_aws_iam_role["arn"],
handler="index.handler",
runtime=aws.lambda_.Runtime.NODE_JS20D_X,
layers=[example.arn],
tracing_config={
"mode": "Active",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Common dependencies layer
example, err := lambda.NewLayerVersion(ctx, "example", &lambda.LayerVersionArgs{
Code: pulumi.NewFileArchive("layer.zip"),
LayerName: pulumi.String("example_dependencies_layer"),
Description: pulumi.String("Common dependencies for Lambda functions"),
CompatibleRuntimes: pulumi.StringArray{
pulumi.String("nodejs20.x"),
pulumi.String("python3.12"),
},
CompatibleArchitectures: pulumi.StringArray{
pulumi.String("x86_64"),
pulumi.String("arm64"),
},
})
if err != nil {
return err
}
// Function using the layer
_, err = lambda.NewFunction(ctx, "example", &lambda.FunctionArgs{
Code: pulumi.NewFileArchive("function.zip"),
Name: pulumi.String("example_layered_function"),
Role: pulumi.Any(exampleAwsIamRole.Arn),
Handler: pulumi.String("index.handler"),
Runtime: pulumi.String(lambda.RuntimeNodeJS20dX),
Layers: pulumi.StringArray{
example.Arn,
},
TracingConfig: &lambda.FunctionTracingConfigArgs{
Mode: pulumi.String("Active"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
// Common dependencies layer
var example = new Aws.Lambda.LayerVersion("example", new()
{
Code = new FileArchive("layer.zip"),
LayerName = "example_dependencies_layer",
Description = "Common dependencies for Lambda functions",
CompatibleRuntimes = new[]
{
"nodejs20.x",
"python3.12",
},
CompatibleArchitectures = new[]
{
"x86_64",
"arm64",
},
});
// Function using the layer
var exampleFunction = new Aws.Lambda.Function("example", new()
{
Code = new FileArchive("function.zip"),
Name = "example_layered_function",
Role = exampleAwsIamRole.Arn,
Handler = "index.handler",
Runtime = Aws.Lambda.Runtime.NodeJS20dX,
Layers = new[]
{
example.Arn,
},
TracingConfig = new Aws.Lambda.Inputs.FunctionTracingConfigArgs
{
Mode = "Active",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LayerVersion;
import com.pulumi.aws.lambda.LayerVersionArgs;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.aws.lambda.inputs.FunctionTracingConfigArgs;
import com.pulumi.asset.FileArchive;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Common dependencies layer
var example = new LayerVersion("example", LayerVersionArgs.builder()
.code(new FileArchive("layer.zip"))
.layerName("example_dependencies_layer")
.description("Common dependencies for Lambda functions")
.compatibleRuntimes(
"nodejs20.x",
"python3.12")
.compatibleArchitectures(
"x86_64",
"arm64")
.build());
// Function using the layer
var exampleFunction = new Function("exampleFunction", FunctionArgs.builder()
.code(new FileArchive("function.zip"))
.name("example_layered_function")
.role(exampleAwsIamRole.arn())
.handler("index.handler")
.runtime("nodejs20.x")
.layers(example.arn())
.tracingConfig(FunctionTracingConfigArgs.builder()
.mode("Active")
.build())
.build());
}
}
resources:
# Common dependencies layer
example:
type: aws:lambda:LayerVersion
properties:
code:
fn::FileArchive: layer.zip
layerName: example_dependencies_layer
description: Common dependencies for Lambda functions
compatibleRuntimes:
- nodejs20.x
- python3.12
compatibleArchitectures:
- x86_64
- arm64
# Function using the layer
exampleFunction:
type: aws:lambda:Function
name: example
properties:
code:
fn::FileArchive: function.zip
name: example_layered_function
role: ${exampleAwsIamRole.arn}
handler: index.handler
runtime: nodejs20.x
layers:
- ${example.arn}
tracingConfig:
mode: Active
A LayerVersion packages shared code that multiple functions can reference. The layers property accepts up to five Layer ARNs. Lambda extracts Layer contents into /opt at runtime, making libraries available to your function code. The compatibleRuntimes and compatibleArchitectures properties restrict which functions can use the Layer.
Connect to private resources in a VPC
Functions that access RDS databases, ElastiCache clusters, or internal APIs require VPC configuration to join private subnets and security groups.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lambda.Function("example", {
code: new pulumi.asset.FileArchive("function.zip"),
name: "example_vpc_function",
role: exampleAwsIamRole.arn,
handler: "app.handler",
runtime: aws.lambda.Runtime.Python3d12,
memorySize: 1024,
timeout: 30,
vpcConfig: {
subnetIds: [
examplePrivate1.id,
examplePrivate2.id,
],
securityGroupIds: [exampleLambda.id],
ipv6AllowedForDualStack: true,
},
ephemeralStorage: {
size: 5120,
},
snapStart: {
applyOn: "PublishedVersions",
},
});
import pulumi
import pulumi_aws as aws
example = aws.lambda_.Function("example",
code=pulumi.FileArchive("function.zip"),
name="example_vpc_function",
role=example_aws_iam_role["arn"],
handler="app.handler",
runtime=aws.lambda_.Runtime.PYTHON3D12,
memory_size=1024,
timeout=30,
vpc_config={
"subnet_ids": [
example_private1["id"],
example_private2["id"],
],
"security_group_ids": [example_lambda["id"]],
"ipv6_allowed_for_dual_stack": True,
},
ephemeral_storage={
"size": 5120,
},
snap_start={
"apply_on": "PublishedVersions",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lambda.NewFunction(ctx, "example", &lambda.FunctionArgs{
Code: pulumi.NewFileArchive("function.zip"),
Name: pulumi.String("example_vpc_function"),
Role: pulumi.Any(exampleAwsIamRole.Arn),
Handler: pulumi.String("app.handler"),
Runtime: pulumi.String(lambda.RuntimePython3d12),
MemorySize: pulumi.Int(1024),
Timeout: pulumi.Int(30),
VpcConfig: &lambda.FunctionVpcConfigArgs{
SubnetIds: pulumi.StringArray{
examplePrivate1.Id,
examplePrivate2.Id,
},
SecurityGroupIds: pulumi.StringArray{
exampleLambda.Id,
},
Ipv6AllowedForDualStack: pulumi.Bool(true),
},
EphemeralStorage: &lambda.FunctionEphemeralStorageArgs{
Size: pulumi.Int(5120),
},
SnapStart: &lambda.FunctionSnapStartArgs{
ApplyOn: pulumi.String("PublishedVersions"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Lambda.Function("example", new()
{
Code = new FileArchive("function.zip"),
Name = "example_vpc_function",
Role = exampleAwsIamRole.Arn,
Handler = "app.handler",
Runtime = Aws.Lambda.Runtime.Python3d12,
MemorySize = 1024,
Timeout = 30,
VpcConfig = new Aws.Lambda.Inputs.FunctionVpcConfigArgs
{
SubnetIds = new[]
{
examplePrivate1.Id,
examplePrivate2.Id,
},
SecurityGroupIds = new[]
{
exampleLambda.Id,
},
Ipv6AllowedForDualStack = true,
},
EphemeralStorage = new Aws.Lambda.Inputs.FunctionEphemeralStorageArgs
{
Size = 5120,
},
SnapStart = new Aws.Lambda.Inputs.FunctionSnapStartArgs
{
ApplyOn = "PublishedVersions",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.aws.lambda.inputs.FunctionVpcConfigArgs;
import com.pulumi.aws.lambda.inputs.FunctionEphemeralStorageArgs;
import com.pulumi.aws.lambda.inputs.FunctionSnapStartArgs;
import com.pulumi.asset.FileArchive;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Function("example", FunctionArgs.builder()
.code(new FileArchive("function.zip"))
.name("example_vpc_function")
.role(exampleAwsIamRole.arn())
.handler("app.handler")
.runtime("python3.12")
.memorySize(1024)
.timeout(30)
.vpcConfig(FunctionVpcConfigArgs.builder()
.subnetIds(
examplePrivate1.id(),
examplePrivate2.id())
.securityGroupIds(exampleLambda.id())
.ipv6AllowedForDualStack(true)
.build())
.ephemeralStorage(FunctionEphemeralStorageArgs.builder()
.size(5120)
.build())
.snapStart(FunctionSnapStartArgs.builder()
.applyOn("PublishedVersions")
.build())
.build());
}
}
resources:
example:
type: aws:lambda:Function
properties:
code:
fn::FileArchive: function.zip
name: example_vpc_function
role: ${exampleAwsIamRole.arn}
handler: app.handler
runtime: python3.12
memorySize: 1024
timeout: 30
vpcConfig:
subnetIds:
- ${examplePrivate1.id}
- ${examplePrivate2.id}
securityGroupIds:
- ${exampleLambda.id}
ipv6AllowedForDualStack: true
ephemeralStorage:
size: 5120
snapStart:
applyOn: PublishedVersions
The vpcConfig block places your function in specified subnets with attached security groups. Lambda creates elastic network interfaces in your subnets, enabling access to private resources. The ipv6AllowedForDualStack property enables IPv6 connectivity when your VPC supports dual-stack networking. Your execution role needs AWSLambdaVPCAccessExecutionRole permissions to manage network interfaces.
Mount EFS for persistent storage
Workloads that need shared state or large datasets beyond ephemeral storage can mount EFS file systems, providing persistent storage accessible across invocations.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// EFS file system for Lambda
const example = new aws.efs.FileSystem("example", {
encrypted: true,
tags: {
Name: "lambda-efs",
},
});
const config = new pulumi.Config();
// List of subnet IDs for EFS mount targets
const subnetIds = config.getObject<Array<string>>("subnetIds") || [
"subnet-12345678",
"subnet-87654321",
];
// Mount target in each subnet
const exampleMountTarget: aws.efs.MountTarget[] = [];
for (const range = {value: 0}; range.value < subnetIds.length; range.value++) {
exampleMountTarget.push(new aws.efs.MountTarget(`example-${range.value}`, {
fileSystemId: example.id,
subnetId: subnetIds[range.value],
securityGroups: [efs.id],
}));
}
// Access point for Lambda
const exampleAccessPoint = new aws.efs.AccessPoint("example", {
fileSystemId: example.id,
rootDirectory: {
path: "/lambda",
creationInfo: {
ownerGid: 1000,
ownerUid: 1000,
permissions: "755",
},
},
posixUser: {
gid: 1000,
uid: 1000,
},
});
// Lambda function with EFS
const exampleFunction = new aws.lambda.Function("example", {
code: new pulumi.asset.FileArchive("function.zip"),
name: "example_efs_function",
role: exampleAwsIamRole.arn,
handler: "index.handler",
runtime: aws.lambda.Runtime.NodeJS20dX,
vpcConfig: {
subnetIds: subnetIds,
securityGroupIds: [lambda.id],
},
fileSystemConfig: {
arn: exampleAccessPoint.arn,
localMountPath: "/mnt/data",
},
}, {
dependsOn: [exampleMountTarget],
});
import pulumi
import pulumi_aws as aws
# EFS file system for Lambda
example = aws.efs.FileSystem("example",
encrypted=True,
tags={
"Name": "lambda-efs",
})
config = pulumi.Config()
# List of subnet IDs for EFS mount targets
subnet_ids = config.get_object("subnetIds")
if subnet_ids is None:
subnet_ids = [
"subnet-12345678",
"subnet-87654321",
]
# Mount target in each subnet
example_mount_target = []
for range in [{"value": i} for i in range(0, len(subnet_ids))]:
example_mount_target.append(aws.efs.MountTarget(f"example-{range['value']}",
file_system_id=example.id,
subnet_id=subnet_ids[range["value"]],
security_groups=[efs["id"]]))
# Access point for Lambda
example_access_point = aws.efs.AccessPoint("example",
file_system_id=example.id,
root_directory={
"path": "/lambda",
"creation_info": {
"owner_gid": 1000,
"owner_uid": 1000,
"permissions": "755",
},
},
posix_user={
"gid": 1000,
"uid": 1000,
})
# Lambda function with EFS
example_function = aws.lambda_.Function("example",
code=pulumi.FileArchive("function.zip"),
name="example_efs_function",
role=example_aws_iam_role["arn"],
handler="index.handler",
runtime=aws.lambda_.Runtime.NODE_JS20D_X,
vpc_config={
"subnet_ids": subnet_ids,
"security_group_ids": [lambda_["id"]],
},
file_system_config={
"arn": example_access_point.arn,
"local_mount_path": "/mnt/data",
},
opts = pulumi.ResourceOptions(depends_on=[example_mount_target]))
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/efs"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// EFS file system for Lambda
example, err := efs.NewFileSystem(ctx, "example", &efs.FileSystemArgs{
Encrypted: pulumi.Bool(true),
Tags: pulumi.StringMap{
"Name": pulumi.String("lambda-efs"),
},
})
if err != nil {
return err
}
cfg := config.New(ctx, "")
// List of subnet IDs for EFS mount targets
subnetIds := []string{
"subnet-12345678",
"subnet-87654321",
}
if param := cfg.GetObject("subnetIds"); param != nil {
subnetIds = param
}
// Mount target in each subnet
var exampleMountTarget []*efs.MountTarget
for index := 0; index < len(subnetIds); index++ {
key0 := index
val0 := index
__res, err := efs.NewMountTarget(ctx, fmt.Sprintf("example-%v", key0), &efs.MountTargetArgs{
FileSystemId: example.ID(),
SubnetId: pulumi.String(subnetIds[val0]),
SecurityGroups: pulumi.StringArray{
efs.Id,
},
})
if err != nil {
return err
}
exampleMountTarget = append(exampleMountTarget, __res)
}
// Access point for Lambda
exampleAccessPoint, err := efs.NewAccessPoint(ctx, "example", &efs.AccessPointArgs{
FileSystemId: example.ID(),
RootDirectory: &efs.AccessPointRootDirectoryArgs{
Path: pulumi.String("/lambda"),
CreationInfo: &efs.AccessPointRootDirectoryCreationInfoArgs{
OwnerGid: pulumi.Int(1000),
OwnerUid: pulumi.Int(1000),
Permissions: pulumi.String("755"),
},
},
PosixUser: &efs.AccessPointPosixUserArgs{
Gid: pulumi.Int(1000),
Uid: pulumi.Int(1000),
},
})
if err != nil {
return err
}
// Lambda function with EFS
_, err = lambda.NewFunction(ctx, "example", &lambda.FunctionArgs{
Code: pulumi.NewFileArchive("function.zip"),
Name: pulumi.String("example_efs_function"),
Role: pulumi.Any(exampleAwsIamRole.Arn),
Handler: pulumi.String("index.handler"),
Runtime: pulumi.String(lambda.RuntimeNodeJS20dX),
VpcConfig: &lambda.FunctionVpcConfigArgs{
SubnetIds: subnetIds,
SecurityGroupIds: pulumi.StringArray{
lambda.Id,
},
},
FileSystemConfig: &lambda.FunctionFileSystemConfigArgs{
Arn: exampleAccessPoint.Arn,
LocalMountPath: pulumi.String("/mnt/data"),
},
}, pulumi.DependsOn([]pulumi.Resource{
exampleMountTarget,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
// EFS file system for Lambda
var example = new Aws.Efs.FileSystem("example", new()
{
Encrypted = true,
Tags =
{
{ "Name", "lambda-efs" },
},
});
var config = new Config();
// List of subnet IDs for EFS mount targets
var subnetIds = config.GetObject<string[]>("subnetIds") ?? new[]
{
"subnet-12345678",
"subnet-87654321",
};
// Mount target in each subnet
var exampleMountTarget = new List<Aws.Efs.MountTarget>();
for (var rangeIndex = 0; rangeIndex < subnetIds.Length; rangeIndex++)
{
var range = new { Value = rangeIndex };
exampleMountTarget.Add(new Aws.Efs.MountTarget($"example-{range.Value}", new()
{
FileSystemId = example.Id,
SubnetId = subnetIds[range.Value],
SecurityGroups = new[]
{
efs.Id,
},
}));
}
// Access point for Lambda
var exampleAccessPoint = new Aws.Efs.AccessPoint("example", new()
{
FileSystemId = example.Id,
RootDirectory = new Aws.Efs.Inputs.AccessPointRootDirectoryArgs
{
Path = "/lambda",
CreationInfo = new Aws.Efs.Inputs.AccessPointRootDirectoryCreationInfoArgs
{
OwnerGid = 1000,
OwnerUid = 1000,
Permissions = "755",
},
},
PosixUser = new Aws.Efs.Inputs.AccessPointPosixUserArgs
{
Gid = 1000,
Uid = 1000,
},
});
// Lambda function with EFS
var exampleFunction = new Aws.Lambda.Function("example", new()
{
Code = new FileArchive("function.zip"),
Name = "example_efs_function",
Role = exampleAwsIamRole.Arn,
Handler = "index.handler",
Runtime = Aws.Lambda.Runtime.NodeJS20dX,
VpcConfig = new Aws.Lambda.Inputs.FunctionVpcConfigArgs
{
SubnetIds = subnetIds,
SecurityGroupIds = new[]
{
lambda.Id,
},
},
FileSystemConfig = new Aws.Lambda.Inputs.FunctionFileSystemConfigArgs
{
Arn = exampleAccessPoint.Arn,
LocalMountPath = "/mnt/data",
},
}, new CustomResourceOptions
{
DependsOn =
{
exampleMountTarget,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.efs.FileSystem;
import com.pulumi.aws.efs.FileSystemArgs;
import com.pulumi.aws.efs.MountTarget;
import com.pulumi.aws.efs.MountTargetArgs;
import com.pulumi.aws.efs.AccessPoint;
import com.pulumi.aws.efs.AccessPointArgs;
import com.pulumi.aws.efs.inputs.AccessPointRootDirectoryArgs;
import com.pulumi.aws.efs.inputs.AccessPointRootDirectoryCreationInfoArgs;
import com.pulumi.aws.efs.inputs.AccessPointPosixUserArgs;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.aws.lambda.inputs.FunctionVpcConfigArgs;
import com.pulumi.aws.lambda.inputs.FunctionFileSystemConfigArgs;
import com.pulumi.asset.FileArchive;
import com.pulumi.codegen.internal.KeyedValue;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var config = ctx.config();
// EFS file system for Lambda
var example = new FileSystem("example", FileSystemArgs.builder()
.encrypted(true)
.tags(Map.of("Name", "lambda-efs"))
.build());
final var subnetIds = config.get("subnetIds").orElse(
"subnet-12345678",
"subnet-87654321");
// Mount target in each subnet
for (var i = 0; i < subnetIds.length(); i++) {
new MountTarget("exampleMountTarget-" + i, MountTargetArgs.builder()
.fileSystemId(example.id())
.subnetId(subnetIds[range.value()])
.securityGroups(efs.id())
.build());
}
// Access point for Lambda
var exampleAccessPoint = new AccessPoint("exampleAccessPoint", AccessPointArgs.builder()
.fileSystemId(example.id())
.rootDirectory(AccessPointRootDirectoryArgs.builder()
.path("/lambda")
.creationInfo(AccessPointRootDirectoryCreationInfoArgs.builder()
.ownerGid(1000)
.ownerUid(1000)
.permissions("755")
.build())
.build())
.posixUser(AccessPointPosixUserArgs.builder()
.gid(1000)
.uid(1000)
.build())
.build());
// Lambda function with EFS
var exampleFunction = new Function("exampleFunction", FunctionArgs.builder()
.code(new FileArchive("function.zip"))
.name("example_efs_function")
.role(exampleAwsIamRole.arn())
.handler("index.handler")
.runtime("nodejs20.x")
.vpcConfig(FunctionVpcConfigArgs.builder()
.subnetIds(subnetIds)
.securityGroupIds(lambda.id())
.build())
.fileSystemConfig(FunctionFileSystemConfigArgs.builder()
.arn(exampleAccessPoint.arn())
.localMountPath("/mnt/data")
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(exampleMountTarget)
.build());
}
}
The fileSystemConfig block mounts an EFS access point at the specified localMountPath. Your function must run in a VPC with mount targets in the same subnets. The access point defines POSIX permissions and the root directory path. Lambda waits for mount targets to become available before creating the function, which the dependsOn relationship enforces.
Configure structured JSON logging
Production functions benefit from structured logging that enables filtering and analysis in CloudWatch Logs Insights.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.cloudwatch.LogGroup("example", {
name: "/aws/lambda/example_function",
retentionInDays: 14,
tags: {
Environment: "production",
Application: "example",
},
});
const exampleFunction = new aws.lambda.Function("example", {
code: new pulumi.asset.FileArchive("function.zip"),
name: "example_function",
role: exampleAwsIamRole.arn,
handler: "index.handler",
runtime: aws.lambda.Runtime.NodeJS20dX,
loggingConfig: {
logFormat: "JSON",
applicationLogLevel: "INFO",
systemLogLevel: "WARN",
},
}, {
dependsOn: [example],
});
import pulumi
import pulumi_aws as aws
example = aws.cloudwatch.LogGroup("example",
name="/aws/lambda/example_function",
retention_in_days=14,
tags={
"Environment": "production",
"Application": "example",
})
example_function = aws.lambda_.Function("example",
code=pulumi.FileArchive("function.zip"),
name="example_function",
role=example_aws_iam_role["arn"],
handler="index.handler",
runtime=aws.lambda_.Runtime.NODE_JS20D_X,
logging_config={
"log_format": "JSON",
"application_log_level": "INFO",
"system_log_level": "WARN",
},
opts = pulumi.ResourceOptions(depends_on=[example]))
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := cloudwatch.NewLogGroup(ctx, "example", &cloudwatch.LogGroupArgs{
Name: pulumi.String("/aws/lambda/example_function"),
RetentionInDays: pulumi.Int(14),
Tags: pulumi.StringMap{
"Environment": pulumi.String("production"),
"Application": pulumi.String("example"),
},
})
if err != nil {
return err
}
_, err = lambda.NewFunction(ctx, "example", &lambda.FunctionArgs{
Code: pulumi.NewFileArchive("function.zip"),
Name: pulumi.String("example_function"),
Role: pulumi.Any(exampleAwsIamRole.Arn),
Handler: pulumi.String("index.handler"),
Runtime: pulumi.String(lambda.RuntimeNodeJS20dX),
LoggingConfig: &lambda.FunctionLoggingConfigArgs{
LogFormat: pulumi.String("JSON"),
ApplicationLogLevel: pulumi.String("INFO"),
SystemLogLevel: pulumi.String("WARN"),
},
}, pulumi.DependsOn([]pulumi.Resource{
example,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.CloudWatch.LogGroup("example", new()
{
Name = "/aws/lambda/example_function",
RetentionInDays = 14,
Tags =
{
{ "Environment", "production" },
{ "Application", "example" },
},
});
var exampleFunction = new Aws.Lambda.Function("example", new()
{
Code = new FileArchive("function.zip"),
Name = "example_function",
Role = exampleAwsIamRole.Arn,
Handler = "index.handler",
Runtime = Aws.Lambda.Runtime.NodeJS20dX,
LoggingConfig = new Aws.Lambda.Inputs.FunctionLoggingConfigArgs
{
LogFormat = "JSON",
ApplicationLogLevel = "INFO",
SystemLogLevel = "WARN",
},
}, new CustomResourceOptions
{
DependsOn =
{
example,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudwatch.LogGroupArgs;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.aws.lambda.inputs.FunctionLoggingConfigArgs;
import com.pulumi.asset.FileArchive;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new LogGroup("example", LogGroupArgs.builder()
.name("/aws/lambda/example_function")
.retentionInDays(14)
.tags(Map.ofEntries(
Map.entry("Environment", "production"),
Map.entry("Application", "example")
))
.build());
var exampleFunction = new Function("exampleFunction", FunctionArgs.builder()
.code(new FileArchive("function.zip"))
.name("example_function")
.role(exampleAwsIamRole.arn())
.handler("index.handler")
.runtime("nodejs20.x")
.loggingConfig(FunctionLoggingConfigArgs.builder()
.logFormat("JSON")
.applicationLogLevel("INFO")
.systemLogLevel("WARN")
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(example)
.build());
}
}
resources:
example:
type: aws:cloudwatch:LogGroup
properties:
name: /aws/lambda/example_function
retentionInDays: 14
tags:
Environment: production
Application: example
exampleFunction:
type: aws:lambda:Function
name: example
properties:
code:
fn::FileArchive: function.zip
name: example_function
role: ${exampleAwsIamRole.arn}
handler: index.handler
runtime: nodejs20.x
loggingConfig:
logFormat: JSON
applicationLogLevel: INFO
systemLogLevel: WARN
options:
dependsOn:
- ${example}
The loggingConfig block controls log format and verbosity. Setting logFormat to “JSON” produces structured logs that CloudWatch Logs Insights can query. The applicationLogLevel controls your code’s log output, while systemLogLevel controls Lambda runtime logs. The function depends on the Log Group existing first to ensure logs are captured from the first invocation.
Route failures to dead letter queues
Asynchronous invocations that fail can be routed to SQS or SNS for later analysis or reprocessing, preventing silent failures.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Main Lambda function
const example = new aws.lambda.Function("example", {
code: new pulumi.asset.FileArchive("function.zip"),
name: "example_function",
role: exampleAwsIamRole.arn,
handler: "index.handler",
runtime: aws.lambda.Runtime.NodeJS20dX,
deadLetterConfig: {
targetArn: dlq.arn,
},
});
// Event invoke configuration for retries
const exampleFunctionEventInvokeConfig = new aws.lambda.FunctionEventInvokeConfig("example", {
functionName: example.name,
maximumEventAgeInSeconds: 60,
maximumRetryAttempts: 2,
destinationConfig: {
onFailure: {
destination: dlq.arn,
},
onSuccess: {
destination: success.arn,
},
},
});
import pulumi
import pulumi_aws as aws
# Main Lambda function
example = aws.lambda_.Function("example",
code=pulumi.FileArchive("function.zip"),
name="example_function",
role=example_aws_iam_role["arn"],
handler="index.handler",
runtime=aws.lambda_.Runtime.NODE_JS20D_X,
dead_letter_config={
"target_arn": dlq["arn"],
})
# Event invoke configuration for retries
example_function_event_invoke_config = aws.lambda_.FunctionEventInvokeConfig("example",
function_name=example.name,
maximum_event_age_in_seconds=60,
maximum_retry_attempts=2,
destination_config={
"on_failure": {
"destination": dlq["arn"],
},
"on_success": {
"destination": success["arn"],
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Main Lambda function
example, err := lambda.NewFunction(ctx, "example", &lambda.FunctionArgs{
Code: pulumi.NewFileArchive("function.zip"),
Name: pulumi.String("example_function"),
Role: pulumi.Any(exampleAwsIamRole.Arn),
Handler: pulumi.String("index.handler"),
Runtime: pulumi.String(lambda.RuntimeNodeJS20dX),
DeadLetterConfig: &lambda.FunctionDeadLetterConfigArgs{
TargetArn: pulumi.Any(dlq.Arn),
},
})
if err != nil {
return err
}
// Event invoke configuration for retries
_, err = lambda.NewFunctionEventInvokeConfig(ctx, "example", &lambda.FunctionEventInvokeConfigArgs{
FunctionName: example.Name,
MaximumEventAgeInSeconds: pulumi.Int(60),
MaximumRetryAttempts: pulumi.Int(2),
DestinationConfig: &lambda.FunctionEventInvokeConfigDestinationConfigArgs{
OnFailure: &lambda.FunctionEventInvokeConfigDestinationConfigOnFailureArgs{
Destination: pulumi.Any(dlq.Arn),
},
OnSuccess: &lambda.FunctionEventInvokeConfigDestinationConfigOnSuccessArgs{
Destination: pulumi.Any(success.Arn),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
// Main Lambda function
var example = new Aws.Lambda.Function("example", new()
{
Code = new FileArchive("function.zip"),
Name = "example_function",
Role = exampleAwsIamRole.Arn,
Handler = "index.handler",
Runtime = Aws.Lambda.Runtime.NodeJS20dX,
DeadLetterConfig = new Aws.Lambda.Inputs.FunctionDeadLetterConfigArgs
{
TargetArn = dlq.Arn,
},
});
// Event invoke configuration for retries
var exampleFunctionEventInvokeConfig = new Aws.Lambda.FunctionEventInvokeConfig("example", new()
{
FunctionName = example.Name,
MaximumEventAgeInSeconds = 60,
MaximumRetryAttempts = 2,
DestinationConfig = new Aws.Lambda.Inputs.FunctionEventInvokeConfigDestinationConfigArgs
{
OnFailure = new Aws.Lambda.Inputs.FunctionEventInvokeConfigDestinationConfigOnFailureArgs
{
Destination = dlq.Arn,
},
OnSuccess = new Aws.Lambda.Inputs.FunctionEventInvokeConfigDestinationConfigOnSuccessArgs
{
Destination = success.Arn,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.aws.lambda.inputs.FunctionDeadLetterConfigArgs;
import com.pulumi.aws.lambda.FunctionEventInvokeConfig;
import com.pulumi.aws.lambda.FunctionEventInvokeConfigArgs;
import com.pulumi.aws.lambda.inputs.FunctionEventInvokeConfigDestinationConfigArgs;
import com.pulumi.aws.lambda.inputs.FunctionEventInvokeConfigDestinationConfigOnFailureArgs;
import com.pulumi.aws.lambda.inputs.FunctionEventInvokeConfigDestinationConfigOnSuccessArgs;
import com.pulumi.asset.FileArchive;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Main Lambda function
var example = new Function("example", FunctionArgs.builder()
.code(new FileArchive("function.zip"))
.name("example_function")
.role(exampleAwsIamRole.arn())
.handler("index.handler")
.runtime("nodejs20.x")
.deadLetterConfig(FunctionDeadLetterConfigArgs.builder()
.targetArn(dlq.arn())
.build())
.build());
// Event invoke configuration for retries
var exampleFunctionEventInvokeConfig = new FunctionEventInvokeConfig("exampleFunctionEventInvokeConfig", FunctionEventInvokeConfigArgs.builder()
.functionName(example.name())
.maximumEventAgeInSeconds(60)
.maximumRetryAttempts(2)
.destinationConfig(FunctionEventInvokeConfigDestinationConfigArgs.builder()
.onFailure(FunctionEventInvokeConfigDestinationConfigOnFailureArgs.builder()
.destination(dlq.arn())
.build())
.onSuccess(FunctionEventInvokeConfigDestinationConfigOnSuccessArgs.builder()
.destination(success.arn())
.build())
.build())
.build());
}
}
resources:
# Main Lambda function
example:
type: aws:lambda:Function
properties:
code:
fn::FileArchive: function.zip
name: example_function
role: ${exampleAwsIamRole.arn}
handler: index.handler
runtime: nodejs20.x
deadLetterConfig:
targetArn: ${dlq.arn}
# Event invoke configuration for retries
exampleFunctionEventInvokeConfig:
type: aws:lambda:FunctionEventInvokeConfig
name: example
properties:
functionName: ${example.name}
maximumEventAgeInSeconds: 60
maximumRetryAttempts: 2
destinationConfig:
onFailure:
destination: ${dlq.arn}
onSuccess:
destination: ${success.arn}
The deadLetterConfig sends failed invocations to an SQS queue or SNS topic after exhausting retries. The FunctionEventInvokeConfig resource controls retry behavior: maximumRetryAttempts sets how many times Lambda retries, and maximumEventAgeInSeconds discards events older than the threshold. The destinationConfig routes successful and failed invocations to different targets.
Beyond these examples
These snippets focus on specific Lambda function features: container images and Layers, VPC networking and EFS mounts, and structured logging and error handling. They’re intentionally minimal rather than full serverless applications.
The examples may reference pre-existing infrastructure such as IAM execution roles with appropriate permissions, ECR repositories with pushed container images, VPC subnets, security groups, and EFS file systems, and CloudWatch Log Groups, SQS queues, or SNS topics. They focus on configuring the function rather than provisioning everything around it.
To keep things focused, common Lambda patterns are omitted, including:
- Environment variables and KMS encryption (environment, kmsKeyArn)
- Memory and timeout tuning (memorySize, timeout)
- Concurrency controls (reservedConcurrentExecutions)
- X-Ray distributed tracing (tracingConfig)
- Function versioning and aliases (publish, publishTo)
- Snap Start for faster cold starts (snapStart)
These omissions are intentional: the goal is to illustrate how each Lambda feature is wired, not provide drop-in serverless modules. See the Lambda Function resource reference for all available configuration options.
Let's create and Configure AWS Lambda Functions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Common Errors & Pitfalls
Why am I getting KMSAccessDeniedException when invoking my function?
This occurs when the function’s IAM role is deleted and recreated after the function was created. Lambda loses KMS key permissions for decrypting environment variables. Fix it by updating the function’s role to another role, then back to the recreated role, or recreate the function to refresh the KMS grant.
Why does deleting my Lambda function take so long?
VPC-enabled functions can take up to 45 minutes to delete due to ENI cleanup (provider 2.31.0+ handles this automatically). Functions with durable configuration can take up to 60 minutes to stop executions and delete.
What's the difference between the role argument and aws.lambda.Permission?
The
role argument provides the function’s execution role for accessing AWS services and resources. aws.lambda.Permission grants external sources (like EventBridge, SNS, or S3) permission to invoke the function.Code Deployment & Package Types
How do I deploy my Lambda function code?
You have three mutually exclusive options:
- Local file - Use
codewith FileArchive - S3 bucket - Use
s3Bucket,s3Key, and optionallys3ObjectVersion - Container image - Use
imageUripointing to an ECR image
What's required for Zip vs Image package types?
Zip packages (default) require
handler and runtime properties. Image packages require imageUri pointing to an ECR image and don’t need handler or runtime.How do I attach Lambda layers to my function?
Use the
layers property with a list of layer ARNs (maximum 5). For provider version 2.x, reference the layer’s arn attribute, not layerArn (these were swapped in version 2.0.0).Resource Limits & Configuration
What are the timeout limits for Lambda functions?
Lambda functions default to 3 seconds with a maximum of 900 seconds (15 minutes). Valid values are between 1 and 900 seconds.
What are the memory limits for Lambda functions?
Memory defaults to 128 MB with a maximum of 10,240 MB (10 GB), configurable in 1 MB increments.
How do I disable my Lambda function from being triggered?
Set
reservedConcurrentExecutions to 0 to disable the function. Use -1 (default) to remove concurrency limitations.Networking & Storage
How do I connect my Lambda function to a VPC?
Configure
vpcConfig with subnetIds and securityGroupIds. The function’s execution role needs appropriate EC2 permissions for network interface management.How do I attach an EFS file system to my Lambda function?
Create EFS mount targets in your VPC subnets, create an access point, then configure
fileSystemConfig with the access point ARN and localMountPath. The function must be VPC-enabled.Logging & Monitoring
How do I send Lambda logs to S3 or Firehose?
Create a CloudWatch Log Group with
logGroupClass set to DELIVERY and add a subscription filter pointing to your S3 bucket or Firehose stream. Reference the log group name in loggingConfig.logGroup.What IAM permissions does Lambda need for CloudWatch Logs?
The execution role needs
logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents permissions.