Lambda Deployment

This page documents deployments using the next major version dpl v2 which currently is in a beta release phase. Please see our blog post for details. The current default version is dpl v1. Check dpl v1 documentation here.

Travis CI supports uploading to AWS Lambda.

For a minimal configuration, add the following to your .travis.yml:

deploy:
  provider: lambda
  access_key_id: <encrypted access_key_id>
  secret_access_key: <encrypted secret_access_key>
  function_name: <function_name>
  edge: true # opt in to dpl v2

Status #

Support for deployments to AWS Lambda is *stable**.

Known options #

Use the following options to further configure the deployment.

access_key_id AWS access key id — required, secret, type: string
secret_access_key AWS secret key — required, secret, type: string
region AWS region the Lambda function is running in — type: string, default: us-east-1
function_name Name of the Lambda being created or updated — required, type: string
role ARN of the IAM role to assign to the Lambda function — type: string, note: required when creating a new function
handler_name Function the Lambda calls to begin execution. — type: string, note: required when creating a new function
module_name Name of the module that exports the handler — type: string, requires: handler_name, default: index
description Description of the Lambda being created or updated — type: string
timeout Function execution time (in seconds) at which Lambda should terminate the function — type: string, default: 3
memory_size Amount of memory in MB to allocate to this Lambda — type: string, default: 128
subnet_ids List of subnet IDs to be added to the function — type: string or array of strings, note: Needs the ec2:DescribeSubnets and ec2:DescribeVpcs permission for the user of the access/secret key to work
security_group_ids List of security group IDs to be added to the function — type: string or array of strings, note: Needs the ec2:DescribeSecurityGroups and ec2:DescribeVpcs permission for the user of the access/secret key to work
environment List of Environment Variables to add to the function — type: string or array of strings, alias: environment_variables, format: /[\w\-]+=.+/, note: Can be encrypted for added security
runtime Lambda runtime to use — type: string, default: nodejs8.10, known values: java8, nodejs8.10, nodejs10.x, python2.7, python3.6, python3.7, dotnetcore2.1, go1.x, ruby2.5, note: required when creating a new function
dead_letter_arn ARN to an SNS or SQS resource used for the dead letter queue. — type: string
kms_key_arn KMS key ARN to use to encrypt environment_variables. — type: string
tracing_mode Tracing mode — type: string, default: PassThrough, known values: Active, PassThrough, note: Needs xray:PutTraceSegments xray:PutTelemetryRecords on the role
layers Function layer arns — type: string or array of strings
function_tags List of tags to add to the function — type: string or array of strings, format: /[\w\-]+=.+/, note: Can be encrypted for added security
publish Create a new version of the code instead of replacing the existing one. — type: boolean
zip Path to a packaged Lambda, a directory to package, or a single file to package — type: string, default: .
dot_match Include hidden .* files to the zipped archive — type: boolean

Shared options #

cleanup Clean up build artifacts from the Git working directory before the deployment — type: boolean
run Commands to execute after the deployment finished successfully — type: string or array of strings

Environment variables #

All options can be given as environment variables if prefixed with AWS_ or LAMBDA_.

For example, access_key_id can be given as

  • AWS_ACCESS_KEY_ID=<access_key_id> or
  • LAMBDA_ACCESS_KEY_ID=<access_key_id>

    Interpolation variables #

The following variables are available for interpolation on description:

  • dead_letter_arn
  • function_name
  • git_author_email
  • git_author_name
  • git_branch
  • git_commit_author
  • git_commit_msg
  • git_sha
  • git_tag
  • handler_name
  • kms_key_arn
  • memory_size
  • module_name
  • region
  • role
  • runtime
  • timeout
  • tracing_mode
  • zip

Interpolation uses the syntax %{variable-name}. For example, "Current commit sha: %{git_sha}" would result in a string with the current Git sha embedded.

Furthermore, environment variables present in the current build environment can be used through standard Bash variable interpolation. For example: “Current build number: ${TRAVIS_BUILD_NUMBER}”. See here for a list of default environment variables set.

Securing secrets #

Secret option values should be given as either encrypted strings in your build configuration (.travis.yml file) or environment variables in your repository settings.

Environment variables can be set on the settings page of your repository, or using travis env set:

travis env set AWS_ACCESS_KEY_ID <access_key_id>

In order to encrypt option values when adding them to your .travis.yml file use travis encrypt:

travis encrypt <access_key_id>

Or use --add to directly add it to your .travis.yml file. Note that this command has to be run in your repository’s root directory:

travis encrypt --add deploy.access_key_id <access_key_id>

AWS permissions #

The AWS user that Travis deploys as must have the following IAM permissions in order to deploy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListExistingRolesAndPolicies",
      "Effect": "Allow",
      "Action": [
        "iam:ListRolePolicies",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateAndListFunctions",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:ListFunctions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeployCode",
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:<region>:<account-id>:function:<name-of-function>"
      ]
    },
    {
     "Sid": "SetRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::<account-id>:role/<name-of-role>"
    }
  ]
}

It does not appear to be possible to wildcard the DeployCode statement such that Travis CI can deploy any function in a particular region by specifying the resource as arn:aws:lambda:<region>:<account-id>:function:* but it is possible to limit the deployment permissions on a per function basis by specifying the complete ARN to one or more functions, i.e. arn:aws:lambda:<region>:<account-id>:function:<name>.

Pull Requests #

Note that pull request builds skip the deployment step altogether.

See also #