Running Terraform in AWS Lambda


Sathiya Shunmugasundaram

Apr 25, 2016, 12:15:36 PM
to Terraform
To run a Terraform stack that is available for multiple users to run, we use Jenkins jobs and use parameter files to dictate the execution.

Wondering if we can use Lambda to execute the stack and store state in S3.

Lambda limits the deployment size to 250 MB and /tmp disk to 512 MB. So I can't unzip the whole Terraform zip.

I am thinking of just using the aws executable plus terraform plus a couple of provisioners.

Also we have a 5 min limit to execute, hopefully that's not an issue. Apply can run < 10 secs using asg_waitime = 0, destroy takes a few mins though.

Any thoughts?


ja...@fpcomplete.com

Apr 26, 2016, 6:09:35 AM
to Terraform

Many of the "managed" services (RDS, elasticache, etc) will take many minutes to reply.

Overall, it sounds like it would not be reliable or robust enough for the work to set it up. You might as well just run a t2.micro with ASG.
Any thoughts?


Sathiya Shunmugasundaram

May 2, 2016, 4:17:33 AM
to Terraform
Thanks for the suggestion.

I packed just the AWS binary along with terraform and a couple of provisioners I used, to keep it under the 250 MB limit.

I just have an ASG and ELB, so far simple.

Used wait_for_capacity_timeout = "0" so that apply finishes within 10 secs.

Destroy took 2 mins though, I think it waits for ASG to delete? I wish there were a flag like "wait_for_capacity_timeout" that can issue destroy and quit, but I guess it has to destroy and have a clean state file.

It took some time to figure out IAM roles for the Lambda execution.

Overall, not bad, compared to waiting on Jenkins executors and depending on another system. 

I plan to share the code as a community project.

Thx

ben arundel

Jul 26, 2017, 5:10:04 AM
to Terraform
Did you end up sharing the code? 

YoKzy88

Oct 18, 2017, 10:15:58 AM
to Terraform
Hi,
Is there anyone else successfully running Terraform in Lambda?

Sathiya S

Oct 18, 2017, 10:16:08 AM
to terrafo...@googlegroups.com
We have done - what's the specific issue you are facing?


YoKzy88

Oct 19, 2017, 2:14:25 AM
to Terraform
Hi Sathiya,
Thanks for asking. First of all, I want to make sure that what I have done is correct:

Terraform:
  • I create a Python script to execute Terraform commands. Basically my Terraform is for creating a farm consisting of 3 EC2 servers and 2 Security Groups.
  • I'm using S3 as my remote state configuration
  • I'm also creating modules in Terraform. First module for EC2, second module for Security Group
  • I'm also using workspaces so that users can replicate the farm
  • I zipped my Python script together with all of my Terraform scripts, as well as the terraform binary.
  • To speed up the Terraform initialization process, I've also copied some of the plugins needed inside the zip
Now here's the Lambda part:
  • I create a Lambda with Python 3.6
  • I create a new IAM role for my Lambda, grant it s3:* on my bucket that was used to save the remote state
  • Since executing Terraform will create temporary files, I have to copy all of the scripts (Python & Terraform) into the /tmp/ folder, where we can have write access. This is done by the Python script.
  • Now I got the error on the very first command (duh!):
    • terraform init -plugin-dir=/var/task/plugins -verify-plugins=false
  • Here's the summary of my cloudwatch log:
    • Downloading modules...
    • Get: file:///tmp/jmeter/modules/security_groups
    • Get: file:///tmp/jmeter/modules/instances
    • Initializing the backend...
    • Successfully configured the backend "s3"! Terraform will automatically use this backend unless the backend configuration changes.
    • Error loading state: AccessDenied: Access Denied
    • status code: 403
    • Command '['/var/task/terraform', 'init', '-plugin-dir', '/var/task/plugins', '-verify-plugins=false']' returned non-zero exit status 1:CalledProcessError

I'm wondering why the error is "Error loading state"?

When it says Successfully configured the backend "s3", doesn't it mean it has successfully downloaded the state from S3 into the Lambda /tmp/ folder?

p.s. It works on my local machine, so I guess it has something to do with the Lambda.
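
The post above grants the Lambda role `s3:*` on the state bucket. As an added example (not code from this thread), the sketch below checks a role's identity policy against the three permissions the Terraform S3 backend documentation lists for state access, and shows how a resource ARN that covers only objects leaves `s3:ListBucket` on the bucket itself ungranted. The bucket, key and workspace names are constructed placeholders, the default `env:` workspace prefix is assumed, and the evaluator is deliberately simplified (no Condition, NotAction, bucket policy or DynamoDB locking).

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case=False):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one.
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."),
                            value, flags) for p in _as_list(patterns))

def backend_requirements(bucket, key, workspace="default", prefix="env:"):
    # Non-default workspaces keep state under <prefix>/<workspace>/<key>.
    obj = key if workspace == "default" else f"{prefix}/{workspace}/{key}"
    return [("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
            ("s3:GetObject", f"arn:aws:s3:::{bucket}/{obj}"),
            ("s3:PutObject", f"arn:aws:s3:::{bucket}/{obj}")]

def allowed(policy, action, resource):
    # Simplified identity-policy evaluation: an explicit Deny always wins,
    # otherwise at least one matching Allow is required.
    verdict = False
    for st in _as_list(policy["Statement"]):
        if "Action" not in st or "Resource" not in st:
            continue  # NotAction / NotResource statements are not modelled
        if _matches(st["Action"], action, True) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

def missing(policy, bucket, key, workspace="default"):
    # Backend permissions the policy does not grant, as (action, resource).
    return [(a, r) for a, r in backend_requirements(bucket, key, workspace)
            if not allowed(policy, a, r)]

def wildcard_actions(policy):
    # Allowed actions that contain a wildcard, for least-privilege review.
    return sorted({a for st in _as_list(policy["Statement"]) if st["Effect"] == "Allow"
                   for a in _as_list(st.get("Action", [])) if "*" in a})

# Constructed sample policies (names are placeholders, not from the thread).
OBJECT_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                              "Resource": "arn:aws:s3:::example-tf-state/*"}]}
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-tf-state"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::example-tf-state/farm/terraform.tfstate",
                  "arn:aws:s3:::example-tf-state/env:/*/farm/terraform.tfstate"]}]}

if __name__ == "__main__":
    print(missing(OBJECT_ONLY, "example-tf-state", "farm/terraform.tfstate", "loadtest"))
```
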

YoKzy88

Oct 20, 2017, 4:11:44 AM
to Terraform
Never mind. Turns out I forgot to grant ec2:* for my Lambda execution role :D

cz

Feb 4, 2020, 11:31:52 AM
to Terraform
Could you please share the details? 
"terraform init" is giving me the below error:

b'\x1b[31mThe init command expects at least one arguments.\n\x1b[0m\x1b[0m\n\x1b[31mUsage: terraform init [options] SOURCE [PATH]\n\n  Downloads the module given by SOURCE into the PATH. The PATH defaults\n  to the working directory. PATH must be empty of any Terraform files.\n  Any conflicting non-Terraform files will be overwritten.\n\n  The module downloaded is a copy. If you\'re downloading a module from\n  Git, it will not preserve the Git history, it will only copy the\n  latest files.\n\nOptions:\n\n  -backend=atlas         Specifies the type of remote backend. If not\n                         specified, local storage will be used.\n\n  -backend-config="k=v"  Specifies configuration for the remote storage\n                         backend. This can be specified multiple times.\n\n  -no-color           If specified, output won\'t contain any color.\x1b[0m\x1b[0m\n' 
 Command '['terraform', 'init']' returned non-zero exit status 1.: CalledProcessError

Shantanu Gadgil

Feb 6, 2020, 6:08:41 AM
to Terraform
Not to digress from the issue, but to piggyback on the ASG + tiny EC2 scenario, Nomad's "parameterized" job is just like Lambda, without the artificial limitations.
So, theoretically you could model your executions as 'parameterized' jobs instead of Lambdas.

Bill Anderson

Feb 10, 2020, 2:25:02 PM
to Terraform
I'll add my vote for this as an option. I've done this and it works simply and effectively. I prefer to wrap TF in a Makefile so I can add additional checks, but it all works seamlessly as a parameterized job in Nomad.