Lambda Deployment
This page documents deployments using the next major version dpl v2, which currently is in a beta release phase. Please see our blog post for details. The current default version is dpl v1. Check dpl v1 documentation here.
Be sure to read the v2 deployment overview.
Travis CI supports uploading to AWS Lambda.
For a minimal configuration, add the following to your .travis.yml:
deploy:
provider: lambda
access_key_id: <encrypted access_key_id>
secret_access_key: <encrypted secret_access_key>
function_name: <function_name>
edge: true # opt in to dpl v2
Status #
Support for deployments to AWS Lambda is *stable**.
Known options #
Use the following options to further configure the deployment.
access_key_id |
AWS access key id — required, secret, type: string |
secret_access_key |
AWS secret key — required, secret, type: string |
region |
AWS region the Lambda function is running in — type: string, default: us-east-1 |
function_name |
Name of the Lambda being created or updated — required, type: string |
role |
ARN of the IAM role to assign to the Lambda function — type: string, note: required when creating a new function |
handler_name |
Function the Lambda calls to begin execution. — type: string, note: required when creating a new function |
module_name |
Name of the module that exports the handler — type: string, requires: handler_name, default: index |
description |
Description of the Lambda being created or updated — type: string |
timeout |
Function execution time (in seconds) at which Lambda should terminate the function — type: string, default: 3 |
memory_size |
Amount of memory in MB to allocate to this Lambda — type: string, default: 128 |
subnet_ids |
List of subnet IDs to be added to the function — type: string or array of strings, note: Needs the ec2:DescribeSubnets and ec2:DescribeVpcs permission for the user of the access/secret key to work |
security_group_ids |
List of security group IDs to be added to the function — type: string or array of strings, note: Needs the ec2:DescribeSecurityGroups and ec2:DescribeVpcs permission for the user of the access/secret key to work |
environment |
List of Environment Variables to add to the function — type: string or array of strings, alias: environment_variables, format: /[\w\-]+=.+/, note: Can be encrypted for added security |
runtime |
Lambda runtime to use — type: string, default: nodejs10.x, known values: nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, python2.7, ruby2.7, ruby2.5, java11, java8, go1.x, dotnetcore2.1, note: required when creating a new function |
dead_letter_arn |
ARN to an SNS or SQS resource used for the dead letter queue. — type: string |
kms_key_arn |
KMS key ARN to use to encrypt environment_variables. — type: string |
tracing_mode |
Tracing mode — type: string, default: PassThrough, known values: Active, PassThrough, note: Needs xray:PutTraceSegments xray:PutTelemetryRecords on the role |
layers |
Function layer arns — type: string or array of strings |
function_tags |
List of tags to add to the function — type: string or array of strings, format: /[\w\-]+=.+/, note: Can be encrypted for added security |
publish |
Create a new version of the code instead of replacing the existing one. — type: boolean |
zip |
Path to a packaged Lambda, a directory to package, or a single file to package — type: string, default: . |
dot_match |
Include hidden .* files to the zipped archive — type: boolean |
Shared options #
cleanup |
Clean up build artifacts from the Git working directory before the deployment — type: boolean |
run |
Commands to execute after the deployment finished successfully — type: string or array of strings |
Environment variables #
All options can be given as environment variables if prefixed with AWS_ or LAMBDA_.
For example, access_key_id can be given as
AWS_ACCESS_KEY_ID=<access_key_id>orLAMBDA_ACCESS_KEY_ID=<access_key_id>Interpolation variables #
The following variables are available for interpolation on description:
dead_letter_arnfunction_namegit_author_emailgit_author_namegit_branchgit_commit_authorgit_commit_msggit_shagit_taghandler_namekms_key_arnmemory_sizemodule_nameregionroleruntimetimeouttracing_modezip
Interpolation uses the syntax %{variable-name}. For example,
"Current commit sha: %{git_sha}" would result in a string with the
current Git sha embedded.
Furthermore, environment variables present in the current build environment can be used through standard Bash variable interpolation. For example: “Current build number: ${TRAVIS_BUILD_NUMBER}”. See here for a list of default environment variables set.
Securing secrets #
Secret option values should be given as either encrypted strings in your build
configuration (.travis.yml file) or environment variables in your repository
settings.
Environment variables can be set on the settings page of your repository, or
using travis env set:
travis env set AWS_ACCESS_KEY_ID <access_key_id>
In order to encrypt option values when adding them to your .travis.yml file
use travis encrypt:
travis encrypt <access_key_id>
Or use --add to directly add it to your .travis.yml file. Note that this command has to be run in your repository’s root directory:
travis encrypt --add deploy.access_key_id <access_key_id>
AWS permissions #
The AWS user that Travis deploys as must have the following IAM permissions in order to deploy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListExistingRolesAndPolicies",
"Effect": "Allow",
"Action": [
"iam:ListRolePolicies",
"iam:ListRoles"
],
"Resource": "*"
},
{
"Sid": "CreateAndListFunctions",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:ListFunctions"
],
"Resource": "*"
},
{
"Sid": "DeployCode",
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": [
"arn:aws:lambda:<region>:<account-id>:function:<name-of-function>"
]
},
{
"Sid": "SetRole",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::<account-id>:role/<name-of-role>"
}
]
}
It does not appear to be possible to wildcard the DeployCode statement such
that Travis CI can deploy any function in a particular region by specifying the
resource as arn:aws:lambda:<region>:<account-id>:function:* but it is
possible to limit the deployment permissions on a per function basis by
specifying the complete ARN to one or more functions, i.e.
arn:aws:lambda:<region>:<account-id>:function:<name>.
Pull Requests #
Note that pull request builds skip the deployment step altogether.