Lambda Deployment

This page documents deployments using the dpl v2. Please see our blog post for details. You can check previous dpl v1 documentation here.

Travis CI supports uploading to AWS Lambda.

For a minimal configuration, add the following to your .travis.yml:

deploy:
  provider: lambda
  access_key_id: <encrypted access_key_id>
  secret_access_key: <encrypted secret_access_key>
  function_name: <function_name>
  edge: true # opt in to dpl v2

Status #

Support for deployments to AWS Lambda is stable.

Known options #

Use the following options to further configure the deployment.

Shared options #

Environment variables #

All options can be given as environment variables if prefixed with AWS_ or LAMBDA_.

For example, access_key_id can be given as

• AWS_ACCESS_KEY_ID=<access_key_id> or
• LAMBDA_ACCESS_KEY_ID=<access_key_id>

  Interpolation variables #

The following variables are available for interpolation on description:

• dead_letter_arn
• function_name
• git_author_email
• git_author_name
• git_branch
• git_commit_author
• git_commit_msg
• git_sha
• git_tag
• handler_name
• kms_key_arn
• memory_size
• module_name
• region
• role
• runtime
• timeout
• tracing_mode
• zip

Interpolation uses the syntax %{variable-name}. For example, "Current commit sha: %{git_sha}" would result in a string with the current Git sha embedded.

Furthermore, environment variables present in the current build environment can be used through standard Bash variable interpolation. For example: “Current build number: ${TRAVIS_BUILD_NUMBER}”. See here for a list of default environment variables set.

Securing secrets #

Secret option values should be given as either encrypted strings in your build configuration (.travis.yml file) or environment variables in your repository settings.

Environment variables can be set on the settings page of your repository, or using travis env set:

travis env set AWS_ACCESS_KEY_ID <access_key_id>

In order to encrypt option values when adding them to your .travis.yml file use travis encrypt:

travis encrypt <access_key_id>

Or use --add to directly add it to your .travis.yml file. Note that this command has to be run in your repository’s root directory:

travis encrypt --add deploy.access_key_id <access_key_id>

AWS permissions #

The AWS user that Travis deploys as must have the following IAM permissions in order to deploy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListExistingRolesAndPolicies",
      "Effect": "Allow",
      "Action": [
        "iam:ListRolePolicies",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateAndListFunctions",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:ListFunctions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeployCode",
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:<region>:<account-id>:function:<name-of-function>"
      ]
    },
    {
     "Sid": "SetRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::<account-id>:role/<name-of-role>"
    }
  ]
}

It does not appear to be possible to wildcard the DeployCode statement such that Travis CI can deploy any function in a particular region by specifying the resource as arn:aws:lambda:<region>:<account-id>:function:* but it is possible to limit the deployment permissions on a per function basis by specifying the complete ARN to one or more functions, i.e. arn:aws:lambda:<region>:<account-id>:function:<name>.

Pull Requests #

Note that pull request builds skip the deployment step altogether.

See also #

• Making deployments conditional
• Running commands before and after the deploy step
• Deploying to multiple targets
• Running an edge version