
Commit edce5bf

feat: transform and pass in lambda vars (#3)
* feat: set deployment strategy at module level
* feat: provisioned concurrency variable
* fix: variable validations
* feat: better local consumption
* fix: only use provisioned concurrency when fixed count > 0
* fix: allow oidc application-autoscaling
* chore: allow cloudwatch oidc
* feat: readme on provisioned con usage + fixes
* chore: readme updates
* chore: rm comments
* fix: fmt
1 parent ed82ce6 commit edce5bf

6 files changed (+278 / -11 lines)


README.md

Lines changed: 90 additions & 1 deletion
@@ -14,4 +14,93 @@ Given a terragrunt file is found at `infra/live/dev/aws/api/terragrunt.hcl`
 ```sh
 just tg dev aws/api plan
-```
+```
+
+## types of lambda provisioned concurrency
+
+```hcl
+module "lambda_example" {
+  source = "../lambda"
+  ...
+  provisioned_config = var.your_provisioned_config
+}
+```
+
+#### [default] No provisioned lambdas
+- use case: background processes
+- we can tolerate an initial lag while the lambda warms up/boots
+```hcl
+provisioned_config = {
+  fixed = 0
+}
+```
+
+#### X number of provisioned lambdas
+- use case: high, predictable usage
+- we never want warm-up lag and can predict traffic
+```hcl
+provisioned_config = {
+  fixed = 1
+}
+```
+
+#### Scale provisioning when usage exceeds % tolerance
+- use case: reacting to traffic, e.g. an api backend
+- limit the cost with auto_scale.max
+- ensure minimal concurrency (no cold starts) with auto_scale.min
+- set trigger_percent to the share of provisioned concurrency in use; the example below scales out once 70% is in use, adding capacity to meet demand
+- set cool_down_seconds to a reasonable time before you want the system to react again
+```hcl
+provisioned_config = {
+  auto_scale = {
+    max = 3,
+    min = 1,
+    trigger_percent = 70
+    cool_down_seconds = 60
+  }
+}
+```
+
+## types of lambda deploy
+
+```hcl
+module "lambda_example" {
+  source = "../lambda"
+  ...
+  deployment_config = var.your_deployment_config
+}
+```
+
+#### [default] All at once (fastest):
+
+- use case: background processes
+```hcl
+deployment_config = {
+  strategy = "all_at_once"
+}
+```
+
+#### canary deployment:
+
+- use case: api or service serving traffic
+- incrementally rolls out the new version to 10% of traffic and rolls back if errors are detected; otherwise shifts to 100%
+- waits 1 minute before making the health decision
+```hcl
+deployment_config = {
+  strategy = "canary"
+  percentage = 10
+  interval_minutes = 1
+}
+```
+
+#### linear deployment:
+
+- use case: api or service serving traffic
+- shifts traffic to the new version in 10% increments and rolls back if errors are detected
+- waits 1 minute between increments
+```hcl
+deployment_config = {
+  strategy = "linear"
+  percentage = 10
+  interval_minutes = 1
+}
+```

infra/live/global_vars.hcl

Lines changed: 3 additions & 1 deletion
@@ -6,7 +6,9 @@ locals {
     "lambda:*",
     "logs:*",
     "apigateway:*",
-    "codedeploy:*"
+    "codedeploy:*",
+    "application-autoscaling:*",
+    "cloudwatch:*"
   ]
 }

infra/modules/aws/api/main.tf

Lines changed: 8 additions & 0 deletions
@@ -7,6 +7,14 @@ module "lambda_api" {
   lambda_name = "api"
   lambda_version = var.lambda_version
+
+  deployment_config = {
+    strategy = "all_at_once"
+  }
+
+  provisioned_config = {
+    fixed = 0
+  }
 }
 
 resource "aws_apigatewayv2_api" "http_api" {

infra/modules/aws/lambda/locals.tf

Lines changed: 23 additions & 1 deletion
@@ -4,4 +4,26 @@ locals {
   lambda_name = "${var.environment}-${var.project_name}-${var.lambda_name}"
   lambda_code_zip_key = "${var.lambda_version}/${var.lambda_name}.zip"
-}
+
+  deploy_all_at_once_type = "AllAtOnce"
+  deploy_canary_type      = "TimeBasedCanary"
+  deploy_linear_type      = "TimeBasedLinear"
+
+  deploy_config_type_map = {
+    all_at_once = local.deploy_all_at_once_type
+    canary      = local.deploy_canary_type
+    linear      = local.deploy_linear_type
+  }
+  deploy_config = {
+    type    = local.deploy_config_type_map[var.deployment_config.strategy]
+    percent = var.deployment_config.percentage
+    minutes = var.deployment_config.interval_minutes
+  }
+
+  fixed_mode           = try(var.provisioned_config.fixed != null, true)
+  pc_fixed_count       = try(var.provisioned_config.fixed, 0)
+  pc_min_capacity      = try(var.provisioned_config.auto_scale.min, 0)
+  pc_max_capacity      = try(var.provisioned_config.auto_scale.max, 0)
+  pc_trigger_percent   = try(var.provisioned_config.auto_scale.trigger_percent, var.provisioned_config_defaults.trigger_percent) / 100
+  pc_cool_down_seconds = try(var.provisioned_config.auto_scale.cool_down_seconds, var.provisioned_config_defaults.cool_down_seconds)
+}
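To make the mapping concrete, here is a hypothetical resolution of these locals (illustrative only, not part of the commit) for a caller that picks the canary strategy and autoscaled provisioned concurrency:

```hcl
# Hypothetical inputs (not from this commit):
#   deployment_config  = { strategy = "canary", percentage = 10, interval_minutes = 1 }
#   provisioned_config = { auto_scale = { min = 1, max = 3, trigger_percent = 70, cool_down_seconds = 60 } }
#
# The locals above would then resolve to roughly:
deploy_config = {
  type    = "TimeBasedCanary" # deploy_config_type_map["canary"]
  percent = 10
  minutes = 1
}
# fixed_mode           = false  (fixed is unset)
# pc_min_capacity      = 1
# pc_max_capacity      = 3
# pc_trigger_percent   = 0.7    (70 / 100)
# pc_cool_down_seconds = 60
```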

infra/modules/aws/lambda/main.tf

Lines changed: 55 additions & 8 deletions
@@ -41,6 +41,16 @@ resource "aws_lambda_alias" "live" {
   }
 }
 
+resource "aws_lambda_provisioned_concurrency_config" "alias_pc_fixed" {
+  count = local.fixed_mode && coalesce(local.pc_fixed_count, 0) > 0 ? 1 : 0
+
+  function_name                     = aws_lambda_function.lambda.function_name
+  qualifier                         = aws_lambda_alias.live.name
+  provisioned_concurrent_executions = local.pc_fixed_count
+
+  depends_on = [aws_lambda_alias.live]
+}
+
 resource "aws_codedeploy_app" "app" {
   name             = "${local.lambda_name}-app"
   compute_platform = "Lambda"
@@ -57,16 +67,27 @@ resource "aws_iam_role_policy" "cd_lambda" {
   policy = data.aws_iam_policy_document.codedeploy_lambda.json
 }
 
-resource "aws_codedeploy_deployment_config" "lambda_deployment_config" {
-  # A custom Lambda deployment config that sends 50% traffic for 1 minute, then shifts to 100% (with your DG using it and auto-rollback on failure/alarms).
-  deployment_config_name = "${local.lambda_name}-deployment-config"
+resource "aws_codedeploy_deployment_config" "lambda_config" {
+  deployment_config_name = "${local.lambda_name}-deploy-config"
   compute_platform = "Lambda"
 
   traffic_routing_config {
-    type = "TimeBasedCanary"
-    time_based_canary {
-      percentage = 50
-      interval = 1
+    type = local.deploy_config.type
+
+    dynamic "time_based_canary" {
+      for_each = local.deploy_config.type == local.deploy_canary_type ? [1] : []
+      content {
+        percentage = local.deploy_config.percent
+        interval   = local.deploy_config.minutes
+      }
+    }
+
+    dynamic "time_based_linear" {
+      for_each = local.deploy_config.type == local.deploy_linear_type ? [1] : []
+      content {
+        percentage = local.deploy_config.percent
+        interval   = local.deploy_config.minutes
+      }
     }
   }
 }
@@ -81,10 +102,36 @@ resource "aws_codedeploy_deployment_group" "dg" {
     deployment_option = "WITH_TRAFFIC_CONTROL"
   }
 
-  deployment_config_name = aws_codedeploy_deployment_config.lambda_deployment_config.id
+  deployment_config_name = aws_codedeploy_deployment_config.lambda_config.deployment_config_name
 
   auto_rollback_configuration {
     enabled = true
     events  = ["DEPLOYMENT_FAILURE", "DEPLOYMENT_STOP_ON_ALARM"]
   }
 }
+
+resource "aws_appautoscaling_target" "pc_target" {
+  min_capacity       = local.pc_min_capacity
+  max_capacity       = local.pc_max_capacity
+  resource_id        = "function:${local.lambda_name}:${var.environment}"
+  scalable_dimension = "lambda:function:ProvisionedConcurrency"
+  service_namespace  = "lambda"
+}
+
+resource "aws_appautoscaling_policy" "pc_policy" {
+  count              = local.fixed_mode ? 0 : 1
+  name               = "${local.lambda_name}-pc-tt"
+  policy_type        = "TargetTrackingScaling"
+  resource_id        = aws_appautoscaling_target.pc_target.resource_id
+  scalable_dimension = aws_appautoscaling_target.pc_target.scalable_dimension
+  service_namespace  = aws_appautoscaling_target.pc_target.service_namespace
+
+  target_tracking_scaling_policy_configuration {
+    target_value = local.pc_trigger_percent
+    # cooldowns come from the configured cool_down_seconds, not the capacity bounds
+    scale_in_cooldown  = local.pc_cool_down_seconds
+    scale_out_cooldown = local.pc_cool_down_seconds
+    predefined_metric_specification {
+      predefined_metric_type = "LambdaProvisionedConcurrencyUtilization"
+    }
+  }
+}
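For usage context, here is a sketch of a caller that exercises the autoscaling path above; the module source path and values are illustrative, mirroring the api module earlier in this diff, not part of the commit:

```hcl
# Illustrative caller; values are examples only.
module "lambda_api" {
  source = "../lambda"

  lambda_name    = "api"
  lambda_version = var.lambda_version

  deployment_config = {
    strategy         = "canary"
    percentage       = 10
    interval_minutes = 1
  }

  provisioned_config = {
    auto_scale = {
      min               = 1
      max               = 3
      trigger_percent   = 70
      cool_down_seconds = 60
    }
  }
}
```

With `fixed` omitted, `fixed_mode` resolves to false, so `alias_pc_fixed` is skipped (count = 0) and the target-tracking `pc_policy` is created instead.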

infra/modules/aws/lambda/variables.tf

Lines changed: 99 additions & 0 deletions
@@ -33,4 +33,103 @@ variable "log_retention_days" {
   type        = number
   description = "Number of days to hold logs"
   default     = 1
+}
+
+variable "deployment_config" {
+  description = "Traffic shifting: all_at_once | canary | linear"
+  type = object({
+    strategy         = string           # all_at_once | canary | linear
+    percentage       = optional(number) # 1..99 (required for canary/linear)
+    interval_minutes = optional(number) # >=1 (required for canary/linear)
+  })
+  default = { strategy = "all_at_once" }
+
+  validation {
+    condition = (
+      contains(["all_at_once", "canary", "linear"], var.deployment_config.strategy)
+      &&
+      (
+        var.deployment_config.strategy == "all_at_once"
+        ||
+        (
+          coalesce(var.deployment_config.percentage, 0) >= 1
+          && coalesce(var.deployment_config.percentage, 0) <= 99
+          && coalesce(var.deployment_config.interval_minutes, 0) >= 1
+        )
+      )
+    )
+    error_message = "Use strategy all_at_once | canary | linear. For canary/linear, set percentage (1..99) and interval_minutes (>=1)."
+  }
+}
+
+variable "provisioned_config_defaults" {
+  description = "Fallback values for provisioned_config.auto_scale.trigger_percent and provisioned_config.auto_scale.cool_down_seconds"
+  type = object({
+    trigger_percent   = number
+    cool_down_seconds = number
+  })
+  default = {
+    trigger_percent   = 70
+    cool_down_seconds = 60
+  }
+}
+
+variable "provisioned_config" {
+  description = "Either fixed provisioned concurrency (fixed) or autoscaled (auto_scale); omit/zero = none"
+  type = object({
+    fixed = optional(number) # 0/omit = off, >0 = fixed PC
+    auto_scale = optional(object({
+      min               = number
+      max               = number
+      trigger_percent   = optional(number)
+      cool_down_seconds = optional(number)
+    }))
+  })
+  default = {
+    fixed = 0
+    # auto_scale = {
+    #   max = 1,
+    #   min = 0,
+    #   trigger_percent = 70
+    #   cool_down_seconds = 60
+    # }
+  }
+
+  validation {
+    condition = !(
+      (var.provisioned_config.fixed != null) &&
+      (var.provisioned_config.auto_scale != null)
+    )
+    error_message = "Specify either 'fixed' or 'auto_scale' (or neither), not both."
+  }
+
+  # When auto_scale is set, ensure max > min
+  validation {
+    condition = (
+      var.provisioned_config.auto_scale != null
+      ? (var.provisioned_config.auto_scale.max > var.provisioned_config.auto_scale.min)
+      : true
+    )
+    error_message = "When auto_scale is set, 'max' must be greater than 'min'."
+  }
+
+  # When auto_scale.trigger_percent is set, ensure it is 1-99
+  validation {
+    condition = (
+      var.provisioned_config.auto_scale != null && var.provisioned_config.auto_scale.trigger_percent != null
+      ? (var.provisioned_config.auto_scale.trigger_percent > 0 && var.provisioned_config.auto_scale.trigger_percent < 100)
+      : true
+    )
+    error_message = "When auto_scale.trigger_percent is set, it must be > 0 and < 100."
+  }
+
+  # When auto_scale.cool_down_seconds is set, ensure it is between one minute and one hour
+  validation {
+    condition = (
+      var.provisioned_config.auto_scale != null && var.provisioned_config.auto_scale.cool_down_seconds != null
+      ? (var.provisioned_config.auto_scale.cool_down_seconds > 59 && var.provisioned_config.auto_scale.cool_down_seconds < 3600)
+      : true
+    )
+    error_message = "When auto_scale.cool_down_seconds is set, it must be > 59 and < 3600."
+  }
 }
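To illustrate the deployment_config validation, here is a pair of hypothetical inputs (not part of the commit), one accepted and one rejected:

```hcl
# Accepted: canary with both required fields in range.
deployment_config = {
  strategy         = "canary"
  percentage       = 25
  interval_minutes = 5
}

# Rejected: canary without percentage/interval_minutes, so
# coalesce(percentage, 0) and coalesce(interval_minutes, 0) fall
# outside the 1..99 / >=1 bounds and the validation errors.
# deployment_config = {
#   strategy = "canary"
# }
```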
