aws-cdk-lib.aws_lambda.DockerImageFunction

class DockerImageFunction (construct)

LanguageType name
.NETAmazon.CDK.AWS.Lambda.DockerImageFunction
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awslambda#DockerImageFunction
Javasoftware.amazon.awscdk.services.lambda.DockerImageFunction
Pythonaws_cdk.aws_lambda.DockerImageFunction
TypeScript (source)aws-cdk-lib » aws_lambda » DockerImageFunction

Implements IConstruct, IDependable, IResource, IFunction, IConnectable, IGrantable, IClientVpnConnectionHandler

Create a lambda function where the handler is a docker image.

Example

new lambda.DockerImageFunction(this, 'AssetFunction', {
  code: lambda.DockerImageCode.fromImageAsset(path.join(__dirname, 'docker-handler')),
});

Initializer

new DockerImageFunction(scope: Construct, id: string, props: DockerImageFunctionProps)

Parameters

  • scope Construct
  • id string
  • props DockerImageFunctionProps

Construct Props

NameTypeDescription
codeDockerImageCodeThe source code of your Lambda function.
adotInstrumentation?AdotInstrumentationConfigSpecify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation.
allowAllOutbound?booleanWhether to allow the Lambda to send all network traffic.
allowPublicSubnet?booleanLambda Functions in a public subnet can NOT access the internet.
architecture?ArchitectureThe system architectures compatible with this lambda function.
codeSigningConfig?ICodeSigningConfigCode signing config associated with this function.
currentVersionOptions?VersionOptionsOptions for the lambda.Version resource automatically created by the fn.currentVersion method.
deadLetterQueue?IQueueThe SQS queue to use if DLQ is enabled.
deadLetterQueueEnabled?booleanEnabled DLQ.
deadLetterTopic?ITopicThe SNS topic to use as a DLQ.
description?stringA description of the function.
environment?{ [string]: string }Key-value pairs that Lambda caches and makes available for your Lambda functions.
environmentEncryption?IKeyThe AWS KMS key that's used to encrypt your function's environment variables.
ephemeralStorageSize?SizeThe size of the function’s /tmp directory in MiB.
events?IEventSource[]Event sources for this function.
filesystem?FileSystemThe filesystem configuration for the lambda function.
functionName?stringA name for the function.
initialPolicy?PolicyStatement[]Initial policy statements to add to the created Lambda Role.
insightsVersion?LambdaInsightsVersionSpecify the version of CloudWatch Lambda insights to use for monitoring.
layers?ILayerVersion[]A list of layers to add to the function's execution environment.
logRetention?RetentionDaysThe number of days log events are kept in CloudWatch Logs.
logRetentionRetryOptions?LogRetentionRetryOptionsWhen log retention is specified, a custom resource attempts to create the CloudWatch log group.
logRetentionRole?IRoleThe IAM role for the Lambda function associated with the custom resource that sets the retention policy.
maxEventAge?DurationThe maximum age of a request that Lambda sends to a function for processing.
memorySize?numberThe amount of memory, in MB, that is allocated to your Lambda function.
onFailure?IDestinationThe destination for failed invocations.
onSuccess?IDestinationThe destination for successful invocations.
paramsAndSecrets?ParamsAndSecretsLayerVersionSpecify the configuration of Parameters and Secrets Extension.
profiling?booleanEnable profiling.
profilingGroup?IProfilingGroupProfiling Group.
reservedConcurrentExecutions?numberThe maximum of concurrent executions you want to reserve for the function.
retryAttempts?numberThe maximum number of times to retry when the function returns an error.
role?IRoleLambda execution role.
runtimeManagementMode?RuntimeManagementModeSets the runtime management configuration for a function's version.
securityGroups?ISecurityGroup[]The list of security groups to associate with the Lambda's network interfaces.
timeout?DurationThe function execution time (in seconds) after which Lambda terminates the function.
tracing?TracingEnable AWS X-Ray Tracing for Lambda Function.
vpc?IVpcVPC network to place Lambda network interfaces.
vpcSubnets?SubnetSelectionWhere to place the network interfaces within the VPC.

code

Type: DockerImageCode

The source code of your Lambda function.

You can point to a file in an Amazon Simple Storage Service (Amazon S3) bucket or specify your source code as inline text.


adotInstrumentation?

Type: AdotInstrumentationConfig (optional, default: No ADOT instrumentation)

Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation.

See also: https://aws-otel.github.io/docs/getting-started/lambda


allowAllOutbound?

Type: boolean (optional, default: true)

Whether to allow the Lambda to send all network traffic.

If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets.


allowPublicSubnet?

Type: boolean (optional, default: false)

Lambda Functions in a public subnet can NOT access the internet.

Use this property to acknowledge this limitation and still place the function in a public subnet.

See also: https://stackoverflow.com/questions/52992085/why-cant-an-aws-lambda-function-inside-a-public-subnet-in-a-vpc-connect-to-the/52994841#52994841


architecture?

Type: Architecture (optional, default: Architecture.X86_64)

The system architectures compatible with this lambda function.


codeSigningConfig?

Type: ICodeSigningConfig (optional, default: Not Sign the Code)

Code signing config associated with this function.


currentVersionOptions?

Type: VersionOptions (optional, default: default options as described in VersionOptions)

Options for the lambda.Version resource automatically created by the fn.currentVersion method.


deadLetterQueue?

Type: IQueue (optional, default: SQS queue with 14 day retention period if deadLetterQueueEnabled is true)

The SQS queue to use if DLQ is enabled.

If SNS topic is desired, specify deadLetterTopic property instead.


deadLetterQueueEnabled?

Type: boolean (optional, default: false unless deadLetterQueue is set, which implies DLQ is enabled.)

Enabled DLQ.

If deadLetterQueue is undefined, an SQS queue with default options will be defined for your Function.


deadLetterTopic?

Type: ITopic (optional, default: no SNS topic)

The SNS topic to use as a DLQ.

Note that if deadLetterQueueEnabled is set to true, an SQS queue will be created rather than an SNS topic. Using an SNS topic as a DLQ requires this property to be set explicitly.


description?

Type: string (optional, default: No description.)

A description of the function.


environment?

Type: { [string]: string } (optional, default: No environment variables.)

Key-value pairs that Lambda caches and makes available for your Lambda functions.

Use environment variables to apply configuration changes, such as test and production environment configurations, without changing your Lambda function source code.


environmentEncryption?

Type: IKey (optional, default: AWS Lambda creates and uses an AWS managed customer master key (CMK).)

The AWS KMS key that's used to encrypt your function's environment variables.


ephemeralStorageSize?

Type: Size (optional, default: 512 MiB)

The size of the function’s /tmp directory in MiB.


events?

Type: IEventSource[] (optional, default: No event sources.)

Event sources for this function.

You can also add event sources using addEventSource.


filesystem?

Type: FileSystem (optional, default: will not mount any filesystem)

The filesystem configuration for the lambda function.


functionName?

Type: string (optional, default: AWS CloudFormation generates a unique physical ID and uses that ID for the function's name. For more information, see Name Type.)

A name for the function.


initialPolicy?

Type: PolicyStatement[] (optional, default: No policy statements are added to the created Lambda role.)

Initial policy statements to add to the created Lambda Role.

You can call addToRolePolicy to the created lambda to add statements post creation.


insightsVersion?

Type: LambdaInsightsVersion (optional, default: No Lambda Insights)

Specify the version of CloudWatch Lambda insights to use for monitoring.

See also: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-Getting-Started-docker.html


layers?

Type: ILayerVersion[] (optional, default: No layers.)

A list of layers to add to the function's execution environment.

You can configure your Lambda function to pull in additional code during initialization in the form of layers. Layers are packages of libraries or other dependencies that can be used by multiple functions.


logRetention?

Type: RetentionDays (optional, default: logs.RetentionDays.INFINITE)

The number of days log events are kept in CloudWatch Logs.

When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to INFINITE.


logRetentionRetryOptions?

Type: LogRetentionRetryOptions (optional, default: Default AWS SDK retry options.)

When log retention is specified, a custom resource attempts to create the CloudWatch log group.

These options control the retry policy when interacting with CloudWatch APIs.


logRetentionRole?

Type: IRole (optional, default: A new role is created.)

The IAM role for the Lambda function associated with the custom resource that sets the retention policy.


maxEventAge?

Type: Duration (optional, default: Duration.hours(6))

The maximum age of a request that Lambda sends to a function for processing.

Minimum: 60 seconds Maximum: 6 hours


memorySize?

Type: number (optional, default: 128)

The amount of memory, in MB, that is allocated to your Lambda function.

Lambda uses this value to proportionally allocate the amount of CPU power. For more information, see Resource Model in the AWS Lambda Developer Guide.


onFailure?

Type: IDestination (optional, default: no destination)

The destination for failed invocations.


onSuccess?

Type: IDestination (optional, default: no destination)

The destination for successful invocations.


paramsAndSecrets?

Type: ParamsAndSecretsLayerVersion (optional, default: No Parameters and Secrets Extension)

Specify the configuration of Parameters and Secrets Extension.

See also: https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html


profiling?

Type: boolean (optional, default: No profiling.)

Enable profiling.

See also: https://docs.aws.amazon.com/codeguru/latest/profiler-ug/setting-up-lambda.html


profilingGroup?

Type: IProfilingGroup (optional, default: A new profiling group will be created if profiling is set.)

Profiling Group.

See also: https://docs.aws.amazon.com/codeguru/latest/profiler-ug/setting-up-lambda.html


reservedConcurrentExecutions?

Type: number (optional, default: No specific limit - account limit.)

The maximum of concurrent executions you want to reserve for the function.

See also: https://docs.aws.amazon.com/lambda/latest/dg/concurrent-executions.html


retryAttempts?

Type: number (optional, default: 2)

The maximum number of times to retry when the function returns an error.

Minimum: 0 Maximum: 2


role?

Type: IRole (optional, default: A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling addToRolePolicy.)

Lambda execution role.

This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the 'lambda.amazonaws.com' service principal.

The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself.

The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and "service-role/AWSLambdaVPCAccessExecutionRole".


runtimeManagementMode?

Type: RuntimeManagementMode (optional, default: Auto)

Sets the runtime management configuration for a function's version.


securityGroups?

Type: ISecurityGroup[] (optional, default: If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function.)

The list of security groups to associate with the Lambda's network interfaces.

Only used if 'vpc' is supplied.


timeout?

Type: Duration (optional, default: Duration.seconds(3))

The function execution time (in seconds) after which Lambda terminates the function.

Because the execution time affects cost, set this value based on the function's expected execution time.


tracing?

Type: Tracing (optional, default: Tracing.Disabled)

Enable AWS X-Ray Tracing for Lambda Function.


vpc?

Type: IVpc (optional, default: Function is not placed within a VPC.)

VPC network to place Lambda network interfaces.

Specify this if the Lambda function needs to access resources in a VPC. This is required when vpcSubnets is specified.


vpcSubnets?

Type: SubnetSelection (optional, default: the Vpc default strategy if not specified)

Where to place the network interfaces within the VPC.

This requires vpc to be specified in order for interfaces to actually be placed in the subnets. If vpc is not specify, this will raise an error.

Note: Internet access for Lambda Functions requires a NAT Gateway, so picking public subnets is not allowed (unless allowPublicSubnet is set to true).

Properties

NameTypeDescription
architectureArchitectureThe architecture of this Lambda Function (this is an optional attribute and defaults to X86_64).
connectionsConnectionsAccess the Connections object.
currentVersionVersionReturns a lambda.Version which represents the current version of this Lambda function. A new version will be created every time the function's configuration changes.
envResourceEnvironmentThe environment this resource belongs to.
functionArnstringARN of this function.
functionNamestringName of this function.
grantPrincipalIPrincipalThe principal this Lambda Function is running as.
isBoundToVpcbooleanWhether or not this Lambda function was bound to a VPC.
latestVersionIVersionThe $LATEST version of this function.
logGroupILogGroupThe LogGroup where the Lambda function's logs are made available.
nodeNodeThe tree node.
permissionsNodeNodeThe construct node where permissions are attached.
resourceArnsForGrantInvokestring[]The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().
runtimeRuntimeThe runtime configured for this lambda.
stackStackThe stack in which this resource is defined.
deadLetterQueue?IQueueThe DLQ (as queue) associated with this Lambda Function (this is an optional attribute).
deadLetterTopic?ITopicThe DLQ (as topic) associated with this Lambda Function (this is an optional attribute).
role?IRoleExecution role associated with this function.
timeout?DurationThe timeout configured for this lambda.

architecture

Type: Architecture

The architecture of this Lambda Function (this is an optional attribute and defaults to X86_64).


connections

Type: Connections

Access the Connections object.

Will fail if not a VPC-enabled Lambda Function


currentVersion

Type: Version

Returns a lambda.Version which represents the current version of this Lambda function. A new version will be created every time the function's configuration changes.

You can specify options for this version using the currentVersionOptions prop when initializing the lambda.Function.


env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


functionArn

Type: string

ARN of this function.


functionName

Type: string

Name of this function.


grantPrincipal

Type: IPrincipal

The principal this Lambda Function is running as.


isBoundToVpc

Type: boolean

Whether or not this Lambda function was bound to a VPC.

If this is is false, trying to access the connections object will fail.


latestVersion

Type: IVersion

The $LATEST version of this function.

Note that this is reference to a non-specific AWS Lambda version, which means the function this version refers to can return different results in different invocations.

To obtain a reference to an explicit version which references the current function configuration, use lambdaFunction.currentVersion instead.


logGroup

Type: ILogGroup

The LogGroup where the Lambda function's logs are made available.

If either logRetention is set or this property is called, a CloudFormation custom resource is added to the stack that pre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention period (never expire, by default).

Further, if the log group already exists and the logRetention is not set, the custom resource will reset the log retention to never expire even if it was configured with a different value.


node

Type: Node

The tree node.


permissionsNode

Type: Node

The construct node where permissions are attached.


resourceArnsForGrantInvoke

Type: string[]

The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().


runtime

Type: Runtime

The runtime configured for this lambda.


stack

Type: Stack

The stack in which this resource is defined.


deadLetterQueue?

Type: IQueue (optional)

The DLQ (as queue) associated with this Lambda Function (this is an optional attribute).


deadLetterTopic?

Type: ITopic (optional)

The DLQ (as topic) associated with this Lambda Function (this is an optional attribute).


role?

Type: IRole (optional)

Execution role associated with this function.


timeout?

Type: Duration (optional)

The timeout configured for this lambda.

Methods

NameDescription
addAlias(aliasName, options?)Defines an alias for this function.
addEnvironment(key, value, options?)Adds an environment variable to this Lambda function.
addEventSource(source)Adds an event source to this function.
addEventSourceMapping(id, options)Adds an event source that maps to this AWS Lambda function.
addFunctionUrl(options?)Adds a url to this lambda function.
addLayers(...layers)Adds one or more Lambda Layers to this Lambda function.
addPermission(id, permission)Adds a permission to the Lambda resource policy.
addToRolePolicy(statement)Adds a statement to the IAM role assumed by the instance.
applyRemovalPolicy(policy)Apply the given removal policy to this resource.
configureAsyncInvoke(options)Configures options for asynchronous invocation.
considerWarningOnInvokeFunctionPermissions(scope, action)A warning will be added to functions under the following conditions: - permissions that include lambda:InvokeFunction are added to the unqualified function.
grantInvoke(grantee)Grant the given identity permissions to invoke this Lambda.
grantInvokeUrl(grantee)Grant the given identity permissions to invoke this Lambda Function URL.
invalidateVersionBasedOn(x)Mix additional information into the hash of the Version object.
metric(metricName, props?)Return the given named metric for this Function.
metricDuration(props?)How long execution of this Lambda takes.
metricErrors(props?)How many invocations of this Lambda fail.
metricInvocations(props?)How often this Lambda is invoked.
metricThrottles(props?)How often this Lambda is throttled.
toString()Returns a string representation of this construct.

addAlias(aliasName, options?)

public addAlias(aliasName: string, options?: AliasOptions): Alias

Parameters

  • aliasName string — The name of the alias.
  • options AliasOptions — Alias options.

Returns

  • Alias

Defines an alias for this function.

The alias will automatically be updated to point to the latest version of the function as it is being updated during a deployment.

declare const fn: lambda.Function;

fn.addAlias('Live');

// Is equivalent to

new lambda.Alias(this, 'AliasLive', {
  aliasName: 'Live',
  version: fn.currentVersion,
});

addEnvironment(key, value, options?)

public addEnvironment(key: string, value: string, options?: EnvironmentOptions): Function

Parameters

  • key string — The environment variable key.
  • value string — The environment variable's value.
  • options EnvironmentOptions — Environment variable options.

Returns

  • Function

Adds an environment variable to this Lambda function.

If this is a ref to a Lambda function, this operation results in a no-op.


addEventSource(source)

public addEventSource(source: IEventSource): void

Parameters

  • source IEventSource

Adds an event source to this function.

Event sources are implemented in the @aws-cdk/aws-lambda-event-sources module.

The following example adds an SQS Queue as an event source:

import { SqsEventSource } from '@aws-cdk/aws-lambda-event-sources';
myFunction.addEventSource(new SqsEventSource(myQueue));

addEventSourceMapping(id, options)

public addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping

Parameters

  • id string
  • options EventSourceMappingOptions

Returns

  • EventSourceMapping

Adds an event source that maps to this AWS Lambda function.


addFunctionUrl(options?)

public addFunctionUrl(options?: FunctionUrlOptions): FunctionUrl

Parameters

  • options FunctionUrlOptions

Returns

  • FunctionUrl

Adds a url to this lambda function.


addLayers(...layers)

public addLayers(...layers: ILayerVersion[]): void

Parameters

  • layers ILayerVersion — the layers to be added.

Adds one or more Lambda Layers to this Lambda function.


addPermission(id, permission)

public addPermission(id: string, permission: Permission): void

Parameters

  • id string — The id for the permission construct.
  • permission Permission — The permission to grant to this Lambda function.

Adds a permission to the Lambda resource policy.

See also: [Permission for details.](Permission for details.)


addToRolePolicy(statement)

public addToRolePolicy(statement: PolicyStatement): void

Parameters

  • statement PolicyStatement

Adds a statement to the IAM role assumed by the instance.


applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


configureAsyncInvoke(options)

public configureAsyncInvoke(options: EventInvokeConfigOptions): void

Parameters

  • options EventInvokeConfigOptions

Configures options for asynchronous invocation.


considerWarningOnInvokeFunctionPermissions(scope, action)

public considerWarningOnInvokeFunctionPermissions(scope: Construct, action: string): void

Parameters

  • scope Construct
  • action string

A warning will be added to functions under the following conditions: - permissions that include lambda:InvokeFunction are added to the unqualified function.

  • function.currentVersion is invoked before or after the permission is created.

This applies only to permissions on Lambda functions, not versions or aliases. This function is overridden as a noOp for QualifiedFunctionBase.


grantInvoke(grantee)

public grantInvoke(grantee: IGrantable): Grant

Parameters

  • grantee IGrantable

Returns

  • Grant

Grant the given identity permissions to invoke this Lambda.


grantInvokeUrl(grantee)

public grantInvokeUrl(grantee: IGrantable): Grant

Parameters

  • grantee IGrantable

Returns

  • Grant

Grant the given identity permissions to invoke this Lambda Function URL.


invalidateVersionBasedOn(x)

public invalidateVersionBasedOn(x: string): void

Parameters

  • x string

Mix additional information into the hash of the Version object.

The Lambda Function construct does its best to automatically create a new Version when anything about the Function changes (its code, its layers, any of the other properties).

However, you can sometimes source information from places that the CDK cannot look into, like the deploy-time values of SSM parameters. In those cases, the CDK would not force the creation of a new Version object when it actually should.

This method can be used to invalidate the current Version object. Pass in any string into this method, and make sure the string changes when you know a new Version needs to be created.

This method may be called more than once.


metric(metricName, props?)

public metric(metricName: string, props?: MetricOptions): Metric

Parameters

  • metricName string
  • props MetricOptions

Returns

  • Metric

Return the given named metric for this Function.


metricDuration(props?)

public metricDuration(props?: MetricOptions): Metric

Parameters

  • props MetricOptions

Returns

  • Metric

How long execution of this Lambda takes.

Average over 5 minutes


metricErrors(props?)

public metricErrors(props?: MetricOptions): Metric

Parameters

  • props MetricOptions

Returns

  • Metric

How many invocations of this Lambda fail.

Sum over 5 minutes


metricInvocations(props?)

public metricInvocations(props?: MetricOptions): Metric

Parameters

  • props MetricOptions

Returns

  • Metric

How often this Lambda is invoked.

Sum over 5 minutes


metricThrottles(props?)

public metricThrottles(props?: MetricOptions): Metric

Parameters

  • props MetricOptions

Returns

  • Metric

How often this Lambda is throttled.

Sum over 5 minutes


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.