How to create a CloudFormation template for Lambda Deployment

4 min readJul 2, 2021

CloudFormation (CF) Templates are an incredible way to deploy solution stack in AWS. CF templates enable rapid deployment, updates and sharing of lambda function in a definitive and declarative way through deployable artifacts written in readable YML syntax. CF templates are well integrated with the DevOps solution to make Infrastructure as Code (IaC), an automated, repeatable and auditable solution.

In the following paragraphs, I have detailed steps to deploy a lambda function that has integration with SQS as an event trigger, reads event description and sends an email through SES or sends the message to a Webhook.

Objective: Deploy a lambda solution through CloudFormation template that; Reads SQS events, determines message delivery destination and sends an email or a Slack message.

Prerequisite

An Email address configured and verified as a receiver in AWS Simple Email Service (SES)

Outline

There are 3 AWS resources needed for this solution stack:

An IAM Role that allows reading messages from AWS Simple Queue Service
An SQS to Lambda mapper that configures SQS as a trigger for Lambda function
The Lambda function itself that performs send message action

Setting up Parameters. We will start with setting up parameters that will be used within the CloudFormation template. These parameters enable customized deployment of the stack and keep the CloudFormation highly flexible for adoption by multiple clients.

Declaring Resources. After, declaring the parameters, we will move on to declare the resources of our solution stack. First, we will declare the IAM role that will be assigned to the Lambda Function.

Declare an IAM Role

Look at the “Properties” of this IAM resource definition in the following image to identify 3 key details of this role as described below:

AssumeRolePolicyDocument (Line: 28–35) — This section declares and adds a trust policy to this IAM role. This trust policy says that AssumeRole STS call for this role can be invoked from Lambda Services.
Managed Policies (Line: 37–39) — AWS Managed policies that are assigned to this role. SQS Read-only access and LambdaSQSQueueExecutionRole
Customer Managed Policies (Line 41–72) — This section declares custom policy definitions that are unique to the use case. Here, we added 2 policies:

ses_policy: To allow SES access from Lambda
cloudWatch_policy: To allow CloudWatch log access from Lambda

Declare the Lambda Function

I have declared a new Lambda Fn resource, SQSActionFunction in the CloudFormation template. This declaration has 6 Key elements:

1. Type: AWS::Lambda::Function — declare that you are creating a Lambda
2. Properties: Role — Declare the role that your lambda has been assigned. Here the key thing to note is, we will reference the Role create earlier. We will use the “GetAtt” Function — Get Attribute to retrieve the ARN of the newly created Role.

CloudFormation provides helper functions to reference other resources, parameters and also performs some nifty tricks like string manipulation in your templates. e.g. !GetAtt and !Ref used below

3. Handler: name of the function that will be triggered for execution
4. Code: Declare the location of the Lambda code. Specify the S3 bucket where the code resides. I have declared an inline Python code for this use-case.
5. Environment: Declare the environment variables that are used by the lambda function. Check out how these environment variables are set to use the values of CF Parameters by !Ref <Parameter> function call
6. Runtime: Declare the runtime of your lambda Function

Declare the SQS Lambda Mapper

This resource is the key ingredient of the recipe that makes the whole thing works. As outlined in the following screenshot, it takes the SQS queue name parameter and LambdaFunction name that needs to be called. Additional configuration items like batch size etc. control the run time behaviour of this trigger.