@greptile
Ravion Module Publish Plan
Dry run only. No Ravion API mutations were made.
Diffs

rvn-aws-lambda n/a -> 0.1.0
--- remote
+++ compiled
-
+description: AWS Lambda function with runtime configuration, IAM role management, CloudWatch logs, function URLs, aliases, permissions, and event sources.
+name: AWS Lambda
+type: rvn-aws-lambda

rvn-aws-lambda n/a -> 0.1.0
--- remote
+++ compiled
+inputs:
+ - id: section_aws
+ label: AWS account & region
+ type: section
+ - id: aws_account_id
+ immutable: true
+ label: AWS account
+ required: true
+ type: string
+ values: $values:ravion/aws_accounts
+ - id: aws_region
+ immutable: true
+ label: Region
+ required: true
+ type: string
+ values: $values:aws/regions
+ - id: section_function
+ label: Lambda function
+ type: section
+ - default: regional
+ id: lambda_type
+ label: Lambda type
+ required: true
+ type: string
+ values:
+ - label: Regional Lambda
+ value: regional
+ - label: CloudFront Lambda@Edge
+ value: edge
+ - default: <<project.given_id>>-<<environment.given_id>>-<<module.given_id>>
+ description: Name of the Lambda function. Must be unique in the selected AWS Region.
+ id: name
+ immutable: true
+ label: Function name
+ patterns:
+ - message: Use 1-64 letters, numbers, hyphens, or underscores.
+ pattern: ^[A-Za-z0-9-_]{1,64}$
+ required: true
+ type: string
+ - collapsible: true
+ description: Description stored on the Lambda function.
+ id: description
+ label: Description
+ type: string
+ - default: Zip
+ id: package_type
+ immutable: true
+ label: Package type
+ required: true
+ type: string
+ values:
+ - label: Zip
+ value: Zip
+ - label: Image
+ show_when:
+ lambda_type: regional
+ value: Image
+ - add_button_label: Add architecture
+ default:
+ - x86_64
+ description: Instruction set architectures for the Lambda function.
+ id: architectures
+ label: Architectures
+ required: true
+ show_when:
+ lambda_type: regional
+ type: string_array
+ values:
+ - label: x86_64
+ value: x86_64
+ - label: arm64
+ value: arm64
+ - default: false
+ description: Publish a new immutable Lambda version on function updates. Required for Lambda@Edge and aliases that target published versions.
+ id: version_publishing_enabled
+ label: Version publishing
+ show_when:
+ lambda_type: regional
+ type: boolean
+ - id: section_zip_package
+ label: Zip package
+ show_when:
+ package_type: Zip
+ type: section
+ - default: $values:first
+ description: Lambda runtime for Zip packages.
+ id: runtime
+ label: Runtime
+ placeholder: nodejs20.x
+ required: true
+ show_when:
+ package_type: Zip
+ type: string
+ values:
+ - label: Node.js 22.x
+ value: nodejs22.x
+ - label: Node.js 20.x
+ value: nodejs20.x
+ - label: Python 3.13
+ value: python3.13
+ - label: Python 3.12
+ value: python3.12
+ - label: Python 3.11
+ value: python3.11
+ - label: Ruby 3.4
+ value: ruby3.4
+ - label: Ruby 3.3
+ value: ruby3.3
+ - label: Java 21
+ value: java21
+ - label: Java 17
+ value: java17
+ - label: .NET 8
+ value: dotnet8
+ - label: Go provided AL2023
+ value: provided.al2023
+ - description: Function entrypoint for Zip packages.
+ id: handler
+ label: Handler
+ placeholder: index.handler
+ required: true
+ show_when:
+ package_type: Zip
+ type: string
+ - collapsible: true
+ description: S3 bucket containing the deployment package. Leave empty to create a managed placeholder code bucket.
+ id: s3_bucket
+ label: Package S3 bucket
+ show_when:
+ package_type: Zip
+ type: string
+ - collapsible: true
+ description: S3 key of the deployment package. Required when Package S3 bucket is set.
+ id: s3_key
+ label: Package S3 key
+ show_when:
+ package_type: Zip
+ type: string
+ - collapsible: true
+ description: S3 object version containing the deployment package.
+ id: s3_object_version
+ label: Package S3 object version
+ show_when:
+ package_type: Zip
+ type: string
+ - collapsible: true
+ description: Name for the managed code bucket created when no package S3 bucket is provided. Defaults to <function-name>-code-<account-id>.
+ id: code_bucket_name
+ label: Managed code bucket name
+ show_when:
+ package_type: Zip
+ type: string
+ - collapsible: true
+ default: true
+ description: Force-delete the managed code bucket and its objects during destroy. Use with caution.
+ id: code_bucket_force_destroy_enabled
+ label: Force destroy code bucket
+ show_when:
+ package_type: Zip
+ type: boolean
+ - collapsible: true
+ default: placeholder.zip
+ description: S3 key for the initial placeholder deployment package in the managed code bucket.
+ id: placeholder_object_key
+ label: Placeholder object key
+ show_when:
+ package_type: Zip
+ type: string
+ - id: section_image_package
+ label: Image package
+ show_when:
+ lambda_type: regional
+ package_type: Image
+ type: section
+ - description: Container image URI for Image package type.
+ id: image_uri
+ label: Image URI
+ placeholder: 123456789012.dkr.ecr.us-east-1.amazonaws.com/function:latest
+ required: true
+ show_when:
+ lambda_type: regional
+ package_type: Image
+ type: string
+ - add_button_label: Add command item
+ collapsible: true
+ default: []
+ description: Command arguments that override the container image CMD.
+ id: image_config_command
+ label: Image command
+ show_when:
+ lambda_type: regional
+ package_type: Image
+ type: string_array
+ - add_button_label: Add entry point item
+ collapsible: true
+ default: []
+ description: Entry point arguments that override the container image ENTRYPOINT.
+ id: image_config_entry_point
+ label: Image entry point
+ show_when:
+ lambda_type: regional
+ package_type: Image
+ type: string_array
+ - collapsible: true
+ description: Working directory inside the container image.
+ id: image_config_working_directory
+ label: Image working directory
+ placeholder: /var/task
+ show_when:
+ lambda_type: regional
+ package_type: Image
+ type: string
+ - id: section_runtime
+ label: Runtime configuration
+ show_when:
+ lambda_type: regional
+ type: section
+ - default: 128
+ description: Memory allocated to the function in MB. Valid range is 128-10240 MB.
+ id: memory_size
+ label: Memory size (MB)
+ max: 10240
+ min: 128
+ show_when:
+ lambda_type: regional
+ type: number
+ - default: 5
+ description: Function timeout in seconds. Valid range is 1-900 seconds.
+ id: timeout
+ label: Timeout (secs)
+ max: 900
+ min: 1
+ show_when:
+ lambda_type: regional
+ type: number
+ - collapsible: true
+ default: 512
+ description: Size of the /tmp directory in MB.
+ id: ephemeral_storage_size
+ label: Ephemeral storage (MB)
+ max: 10240
+ min: 512
+ show_when:
+ lambda_type: regional
+ type: number
+ - add_button_label: Add layer ARN
+ collapsible: true
+ default: []
+ description: Lambda layer ARNs attached to the function.
+ id: layers
+ label: Layers
+ placeholder: arn:aws:lambda:...
+ show_when:
+ lambda_type: regional
+ type: string_array
+ - collapsible: true
+ description: Reserved concurrent executions. Use -1 to remove limits.
+ id: reserved_concurrent_executions
+ label: Reserved concurrency
+ min: -1
+ show_when:
+ lambda_type: regional
+ type: number
+ - collapsible: true
+ description: KMS key ARN used to encrypt environment variables.
+ id: kms_key_arn
+ label: Environment KMS key ARN
+ placeholder: arn:aws:kms:...
+ show_when:
+ lambda_type: regional
+ type: string
+ - default: PassThrough
+ description: X-Ray tracing mode for the function.
+ id: tracing_mode
+ label: X-Ray tracing mode
+ show_when:
+ lambda_type: regional
+ type: string
+ values:
+ - label: Pass through
+ value: PassThrough
+ - label: Active
+ value: Active
+ - collapsible: true
+ description: SQS or SNS ARN used as the function dead letter queue target.
+ id: dead_letter_target_arn
+ label: Dead letter target ARN
+ placeholder: arn:aws:sqs:...
+ show_when:
+ lambda_type: regional
+ type: string
+ - collapsible: true
+ default: []
+ description: EFS access point and local mount path configurations.
+ id: file_system_configs
+ item_inputs:
+ - description: EFS access point ARN.
+ id: arn
+ label: Access point ARN
+ placeholder: arn:aws:elasticfilesystem:...
+ required: true
+ type: string
+ - description: Local mount path inside the Lambda execution environment.
+ id: local_mount_path
+ label: Local mount path
+ placeholder: /mnt/data
+ required: true
+ type: string
+ item_label: File system config
+ label: File system configs
+ required: false
+ show_when:
+ lambda_type: regional
+ type: object_array
+ - collapsible: true
+ description: Enable SnapStart for published Lambda versions.
+ id: snap_start_apply_on
+ label: SnapStart apply on
+ show_when:
+ lambda_type: regional
+ type: string
+ values:
+ - label: Published versions
+ value: PublishedVersions
+ - collapsible: true
+ description: Lambda code signing configuration ARN.
+ id: code_signing_config_arn
+ label: Code signing config ARN
+ placeholder: arn:aws:lambda:...
+ show_when:
+ lambda_type: regional
+ type: string
+ - id: section_environment
+ label: Environment variables
+ show_when:
+ lambda_type: regional
+ type: section
+ - default: {}
+ description: Plain environment variables passed to the function.
+ id: environment_variables
+ label: Environment variables
+ placeholder: |-
+ {
+ "NODE_ENV": "production",
+ "API_URL": "https://api.example.com"
+ }
+ required: false
+ show_when:
+ lambda_type: regional
+ type: object
+ - id: section_vpc
+ label: VPC config
+ show_when:
+ lambda_type: regional
+ type: section
+ - default: false
+ description: Optional. Attach the Lambda function to a VPC only when it needs private network access.
+ id: vpc_config_enabled
+ label: VPC access
+ show_when:
+ lambda_type: regional
+ type: boolean
+ - description: Optional VPC network for Lambda VPC access. Leave empty for a Lambda function that does not attach to a VPC.
+ id: network
+ immutable: true
+ label: VPC network
+ mapped_inputs:
+ - default: <<ref.stack.output.vpc_id>>
+ id: vpc_id
+ immutable: true
+ label: VPC ID
+ type: string
+ - add_button_label: Add private subnet ID
+ default: <<ref.stack.output.private_subnet_ids>>
+ description: Private subnet IDs from the selected VPC network.
+ id: private_subnet_ids
+ immutable: true
+ label: Private subnet IDs
+ type: string_array
+ - add_button_label: Add public subnet ID
+ default: <<ref.stack.output.public_subnet_ids>>
+ description: Public subnet IDs from the selected VPC network.
+ id: public_subnet_ids
+ immutable: true
+ label: Public subnet IDs
+ type: string_array
+ required: true
+ show_when:
+ lambda_type: regional
+ vpc_config_enabled: true
+ type: $ref:rvn-aws-network
+ - default: true
+ description: Use private subnets from the selected VPC network. Turn off to use public subnets.
+ id: private_subnet_placement_enabled
+ label: Run in private subnets
+ show_when:
+ lambda_type: regional
+ vpc_config_enabled: true
+ type: boolean
+ - add_button_label: Add security group ID
+ description: Security group IDs to attach to the Lam
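Review bot: `code_bucket_force_destroy_enabled` (the "Force destroy code bucket" input in the Zip package section) defaults to `true` while its own description says "Use with caution": with that default, destroying the module deletes the managed code bucket together with every deployment package it holds, including real packages uploaded after the initial placeholder, with no form-level confirmation. Suggest `default: false` so a user opts into the destructive path explicitly, or at least a description that states the default is destructive. Minor, on the `name` input: the pattern `^[A-Za-z0-9-_]{1,64}$` puts `-` between a range and `_` inside the class, which is easy to misread as a range; `^[A-Za-z0-9_-]{1,64}$` accepts the same names and is the conventional placement.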
... diff truncated ...

compute/lambda/rvn-aws-lambda-definition.yml, lines 310-327:
| - collapsible: true | ||
| description: Enable SnapStart for published Lambda versions. | ||
| id: snap_start_apply_on | ||
| label: SnapStart apply on | ||
| show_when: | ||
| lambda_type: regional | ||
| type: string | ||
| values: | ||
| - label: Published versions | ||
| value: PublishedVersions | ||
| - collapsible: true | ||
| description: Lambda code signing configuration ARN. | ||
| id: code_signing_config_arn | ||
| label: Code signing config ARN | ||
| placeholder: arn:aws:lambda:... | ||
| show_when: | ||
| lambda_type: regional | ||
| type: string |
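Review bot: the `snap_start_apply_on` input in this hunk is gated only on `lambda_type: regional`, which does not match the conditions under which it can take effect: the `runtime` input earlier in the definition offers `java17` and `java21` as its only Java values and is itself shown only under `package_type: Zip`, and the field's own description says it applies to published versions, which `version_publishing_enabled` defaults to `false`. Suggest extending the `show_when` to `package_type: Zip`, `version_publishing_enabled: true` and the Java `runtime` values (if `show_when` accepts a list of values for one key; otherwise a validation on the compiled inputs), so the field is only offered where the apply can succeed.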
SnapStart not restricted to Java runtimes
snap_start_apply_on has no show_when constraint tied to the runtime field. AWS only supports SnapStart for java11, java17, and java21 runtimes — enabling it for Node.js, Python, Ruby, Go, or .NET causes a Terraform apply error. A user who expands the collapsible field and sets "Published versions" on a non-Java runtime will deploy successfully up to terraform apply, then hit an AWS validation failure with no UI-side warning.
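The gating the comment asks for can be checked before a definition is published. The following is an added example, not Ravion's or the module's code: a small evaluator for the definition's `show_when` rules that compares the current `snap_start_apply_on` field with a variant gated on `runtime`, `package_type` and `version_publishing_enabled`. The `show_when` semantics it assumes (every key must match the current input value, and an array value means "any of these") are an assumption, not documented Ravion behaviour, and the sample configurations are constructed.

```javascript
// Added example, not Ravion's or the module's code. A minimal evaluator for the
// definition's `show_when` gating, used to compare the current
// `snap_start_apply_on` field with a variant gated on runtime. Assumed
// semantics (not documented on the page): every show_when key must match the
// current input value, and an array value means "any of these".

// Constructed fragments of the compiled definition; only the keys needed for
// the visibility check are included.
const SNAP_START_CURRENT = {
  id: "snap_start_apply_on",
  show_when: { lambda_type: "regional" },
};

const SNAP_START_GATED = {
  id: "snap_start_apply_on",
  show_when: {
    lambda_type: "regional",
    package_type: "Zip",              // the runtime input only exists for Zip packages
    version_publishing_enabled: true, // SnapStart applies to published versions
    runtime: ["java17", "java21"],    // assumption: an array means any-of
  },
};

// True when every show_when condition is satisfied by the supplied inputs.
function isVisible(field, inputs) {
  const conditions = field.show_when || {};
  return Object.entries(conditions).every(([key, expected]) => {
    const actual = inputs[key];
    return Array.isArray(expected) ? expected.includes(actual) : actual === expected;
  });
}

// Reports whether each variant of the field would be offered to the user.
function snapStartExposure(inputs) {
  return {
    current: isVisible(SNAP_START_CURRENT, inputs),
    gated: isVisible(SNAP_START_GATED, inputs),
  };
}

// Constructed sample configurations.
const SAMPLE_CONFIGS = {
  nodeZip: { lambda_type: "regional", package_type: "Zip", version_publishing_enabled: true, runtime: "nodejs20.x" },
  javaZip: { lambda_type: "regional", package_type: "Zip", version_publishing_enabled: true, runtime: "java21" },
  javaNoVersions: { lambda_type: "regional", package_type: "Zip", version_publishing_enabled: false, runtime: "java21" },
  image: { lambda_type: "regional", package_type: "Image", version_publishing_enabled: true },
  edge: { lambda_type: "edge", package_type: "Zip", version_publishing_enabled: true, runtime: "nodejs20.x" },
};

for (const [name, inputs] of Object.entries(SAMPLE_CONFIGS)) {
  const { current, gated } = snapStartExposure(inputs);
  console.log(`${name}: current=${current} gated=${gated}`);
}
```

With the current field, every regional configuration exposes SnapStart, including the Node.js one the comment describes; with the gated variant only the Java Zip configuration that publishes versions does. The same evaluator can be run over every `show_when` in a compiled definition as a pre-publish check.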
compute/lambda/rvn-aws-lambda-definition.yml, lines 862-892:
| memory_size: >- | ||
| << module.input.lambda_type == "edge" ? 128 : module.input.memory_size >> | ||
| name: << module.input.name >> | ||
| package_type: >- | ||
| << module.input.lambda_type == "edge" ? "Zip" : module.input.package_type >> | ||
| permissions: >- | ||
| << module.input.lambda_type == "edge" ? [] : (module.input.permissions || []) >> | ||
| placeholder_object_key: << module.input.placeholder_object_key >> | ||
| region: << module.input.aws_region >> | ||
| reserved_concurrent_executions: >- | ||
| << module.input.lambda_type == "edge" ? nil : module.input.reserved_concurrent_executions >> | ||
| role_arn: << module.input.role_arn >> | ||
| role_creation_enabled: << module.input.role_creation_enabled >> | ||
| role_inline_policies: << module.input.role_inline_policies || {} >> | ||
| role_managed_policy_arns: << module.input.role_managed_policy_arns || [] >> | ||
| role_name: << module.input.role_name >> | ||
| role_path: << module.input.role_path >> | ||
| role_permissions_boundary: << module.input.role_permissions_boundary >> | ||
| runtime: << module.input.runtime >> | ||
| s3_bucket: << module.input.s3_bucket >> | ||
| s3_key: << module.input.s3_key >> | ||
| s3_object_version: << module.input.s3_object_version >> | ||
| snap_start_apply_on: >- | ||
| << module.input.lambda_type == "edge" ? nil : module.input.snap_start_apply_on >> | ||
| tags: | ||
| $include: ../../partials/stack/ravion-tags.yml | ||
| timeout: >- | ||
| << module.input.lambda_type == "edge" ? 5 : module.input.timeout >> | ||
| tracing_mode: >- | ||
| << module.input.lambda_type == "edge" ? "PassThrough" : module.input.tracing_mode >> | ||
| version_publishing_enabled: >- |
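Review bot: `region: << module.input.aws_region >>` passes the user's region straight through for both Lambda types, even though this block overrides `memory_size`, `timeout`, `package_type`, `permissions`, `reserved_concurrent_executions`, `snap_start_apply_on` and `tracing_mode` when `lambda_type == "edge"`. Lambda@Edge functions have to be created in us-east-1 to be associated with a CloudFront distribution, so unless `aws_region` is constrained for edge elsewhere in the definition, an edge deployment in any other region fails only at apply time. Suggest forcing it in the same expression style, `<< module.input.lambda_type == "edge" ? "us-east-1" : module.input.aws_region >>`, or restricting the `aws_region` input for edge.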
Lambda@Edge hardcoded limits prevent origin request/response use cases
memory_size and timeout are hardcoded to 128 MB and 5 seconds for all lambda_type == "edge" deployments. Lambda@Edge origin request and response functions support up to 10,240 MB memory and 30-second timeouts — the viewer-function limits are only 128 MB / 5 s. Because the overrides spread (...overrides) appears before the explicit assignments in the terraform_variables block, advanced_terraform_variables cannot override these values. Any origin request/response edge function deployed through this definition will be unnecessarily constrained and will fail for workloads that need more than 5 seconds or 128 MB.
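The precedence problem the comment describes is a plain object-merge ordering question, so it can be shown in isolation. The following is an added example, not Ravion's or the module's code: `buildCurrent` mirrors the current ordering (the `...overrides` spread before the explicit assignments, so the explicit values win and overrides are silently dropped), and `buildFixed` spreads the overrides last and then validates the result against the Lambda@Edge limits the comment cites. The `edgeEventType` parameter is hypothetical, used only to select the viewer or origin limit; the real definition has no such input, and the sample inputs are constructed.

```javascript
// Added example, not Ravion's or the module's code. Demonstrates why spreading
// `...overrides` before explicit assignments discards the overrides, and one
// way to restructure the merge so overrides win but still stay inside the
// Lambda@Edge limits. `edgeEventType` is a hypothetical parameter.

// Lambda@Edge limits as stated in the review comment:
// viewer functions 128 MB / 5 s, origin functions 10,240 MB / 30 s.
const EDGE_LIMITS = {
  viewer: { memory_size: 128, timeout: 5 },
  origin: { memory_size: 10240, timeout: 30 },
};

// Current ordering: overrides first, explicit assignments after.
// For edge deployments the explicit 128 / 5 always win.
function buildCurrent(input, overrides = {}) {
  return {
    ...overrides,
    memory_size: input.lambda_type === "edge" ? 128 : input.memory_size,
    timeout: input.lambda_type === "edge" ? 5 : input.timeout,
  };
}

// Fixed ordering: edge-safe defaults first, overrides last, then the merged
// values are checked against the limit for the edge event type.
function buildFixed(input, overrides = {}, edgeEventType = "viewer") {
  const vars = {
    memory_size: input.lambda_type === "edge" ? 128 : input.memory_size,
    timeout: input.lambda_type === "edge" ? 5 : input.timeout,
    ...overrides,
  };
  if (input.lambda_type === "edge") {
    const limit = EDGE_LIMITS[edgeEventType];
    if (!limit) throw new Error(`unknown edge event type: ${edgeEventType}`);
    for (const key of ["memory_size", "timeout"]) {
      if (vars[key] > limit[key]) {
        throw new Error(`${key}=${vars[key]} exceeds Lambda@Edge ${edgeEventType} limit ${limit[key]}`);
      }
    }
  }
  return vars;
}

// Constructed sample inputs: an origin-request edge function that needs more
// than the viewer limits, and a regional function for comparison.
const EDGE_INPUT = { lambda_type: "edge", memory_size: 1024, timeout: 20 };
const EDGE_OVERRIDES = { memory_size: 1024, timeout: 20 };
const REGIONAL_INPUT = { lambda_type: "regional", memory_size: 1024, timeout: 30 };

console.log("current, edge with overrides:", buildCurrent(EDGE_INPUT, EDGE_OVERRIDES));
console.log("fixed, edge origin with overrides:", buildFixed(EDGE_INPUT, EDGE_OVERRIDES, "origin"));
console.log("fixed, regional:", buildFixed(REGIONAL_INPUT));
try {
  buildFixed(EDGE_INPUT, EDGE_OVERRIDES, "viewer");
} catch (err) {
  console.log("fixed, edge viewer with overrides:", err.message);
}
```

The first call returns 128 MB / 5 s regardless of the overrides, which is the behaviour the comment reports. The second keeps the override values because an origin function is allowed up to 10,240 MB / 30 s, and the viewer call fails at merge time rather than at `terraform apply`, which is where a misconfiguration should be caught.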
Greptile Summary

This PR adds the rvn-aws-lambda-definition.yml module definition for AWS Lambda (regional and Lambda@Edge) and bumps the @opencode-ai/plugin dependency from 1.16.2 to 1.17.7. The definition is comprehensive, covering IAM roles, CloudWatch logging, VPC config, function URLs with CORS, event source mappings, aliases, and image/Zip packaging. show_when logic correctly hides regional-only fields when lambda_type: edge is selected. memory_size and timeout are unconditionally hardcoded to 128 MB / 5 s in the template expression, which covers viewer functions but silently breaks origin request/response functions that support up to 10,240 MB and 30 seconds.

Confidence Score: 3/5
The Lambda module definition is largely well-structured, but two issues in the YAML will cause Terraform apply failures for specific configurations (SnapStart on non-Java runtimes, and Lambda@Edge origin functions hitting hardcoded memory/timeout limits).
The definition covers a wide surface area correctly — VPC config, IAM role creation, event source mappings, aliases, function URLs, and CORS are all handled consistently. The two blocking issues are narrowly scoped: SnapStart only affects users who deliberately expand that collapsible field on a non-Java runtime, and the Lambda@Edge limits only affect origin request/response functions. Neither would break the common regional-Lambda or viewer-function-edge path, but both produce silent misconfiguration rather than a form-level error.
compute/lambda/rvn-aws-lambda-definition.yml — the SnapStart runtime gate and the Lambda@Edge memory/timeout expressions need attention before this definition is published to production users.
Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User selects lambda_type] --> B{lambda_type}
    B -- regional --> C[Show all regional inputs\nmemory, timeout, VPC, env vars, etc.]
    B -- edge --> D[Hide regional-only fields\nForce: x86_64, Zip pkg\nHardcode: memory=128MB, timeout=5s\nversion_publishing=true]
    C --> E{package_type}
    E -- Zip --> F[Show Zip section\nruntime, handler, S3 config]
    E -- Image --> G[Show Image section\nimage_uri, image_config]
    C --> H{vpc_config_enabled}
    H -- true --> I[Require VPC network ref\nsubnet_ids, security_group_ids]
    H -- false --> J[vpc_config = nil]
    C --> K{function_url_enabled}
    K -- true --> L[Show URL config\nauth_type, invoke_mode]
    L --> M{function_url_cors_enabled}
    M -- true --> N[Show CORS inputs\norigins, methods, headers]
    C --> O{role_creation_enabled}
    O -- true --> P[Create IAM role\nwith managed/inline policies]
    O -- false --> Q[Use existing role_arn]
    D --> R[Terraform stack\ncompute/lambda]
    C --> R

Comments Outside Diff (1)
compute/lambda/rvn-aws-lambda-definition.yml, line 951-957
The readme section contains only a placeholder noting that documentation "is coming soon." Users who install this module from the registry will see this instead of actual usage guidance, input/output documentation, or examples. The AGENTS.md documentation requirements call for a complete README before publishing.
Reviews (1): Last reviewed commit: "add lambda module"