Releasing terraform-aws-go-lambda: A Production-Ready Module for Go Functions on AWS

Intro

I’ve been working with Go and AWS Lambda quite a bit lately, and one thing that consistently slowed me down was the amount of boilerplate required to deploy Go functions with Terraform (or OpenTofu). Between cross-compilation, source hash computation for change detection, IAM roles, CloudWatch log groups, and all the security configuration you actually want in production — there’s a lot of repetitive, easy-to-get-wrong work.

So I built a reusable module to handle all of it: terraform-aws-go-lambda.

It’s now published on the Terraform Registry and available for anyone to use.

What the Module Handles

The module covers the full lifecycle of deploying a Go Lambda function:

• Cross-compilation for Linux (arm64 by default for Graviton price/performance)
• Source hash computation from your .go files, go.mod, and go.sum for automatic change detection
• CloudWatch log group with configurable retention and optional KMS encryption
• IAM role creation with a basic execution policy, or support for a bring-your-own role
• Flexible naming via prefix + name conventions or full function_name control

Security Features

I wanted this to be production-ready out of the box, with optional controls you can enable as your requirements grow:

• VPC support for network isolation
• KMS encryption for environment variables and logs
• Permission boundaries to prevent privilege escalation
• Reserved concurrency for DoS protection and cost control
• Dead letter queues for capturing failed async invocations
• X-Ray tracing for observability

Quick Start

module "my_lambda" {
  source  = "sl1nki/go-lambda/aws"
  version = "~> 1.1"

  prefix       = "myapp"
  name         = "orders-api"
  source_path  = "cmd/orders"
  project_root = path.root
  environment  = "production"

  memory_size = 256
  timeout     = 30

  environment_variables = {
    LOG_LEVEL = "info"
  }
}

That’s it. The module compiles your Go code, packages it, creates the Lambda function, sets up logging, and configures IAM—with sensible, production-oriented defaults.

With Security Features

For a more locked-down deployment:

module "secure_lambda" {
  source  = "sl1nki/go-lambda/aws"
  version = "~> 1.1"

  prefix       = "myapp"
  name         = "secure-api"
  source_path  = "cmd/secure"
  project_root = path.root
  environment  = "production"

  # Network isolation
  vpc_subnet_ids         = var.private_subnet_ids
  vpc_security_group_ids = [aws_security_group.lambda.id]

  # Encryption
  kms_key_arn           = aws_kms_key.lambda.arn
  log_group_kms_key_arn = aws_kms_key.logs.arn

  # Security controls
  permission_boundary_arn        = aws_iam_policy.boundary.arn
  reserved_concurrent_executions = 100
  dead_letter_queue_arn          = aws_sqs_queue.dlq.arn

  # Observability
  enable_xray_tracing = true
}

Links

• GitHub: sl1nki/terraform-aws-go-lambda
• Terraform Registry: sl1nki/go-lambda/aws
• Examples: The repo includes examples for basic usage, VPC deployment, advanced IAM, multiple functions, and API Gateway integration.

If you’re deploying Go Lambda functions and want to skip the boilerplate without cutting corners, give it a try. Issues and PRs are welcome!