Required

These variables have no default values and must be set in every module call.
sns_topic_name
string
required
The name of the SNS topic to create or reference.
slack_webhook_url
string
required
The Slack incoming webhook URL. If the URL is KMS-encrypted, provide the base64-encoded ciphertext and set kms_key_arn.
slack_channel
string
required
The name of the Slack channel that receives notifications (for example, #alerts).
slack_username
string
required
The display name that appears on Slack messages posted by the bot.

General

create
boolean
default:"true"
Whether to create all module resources. Set to false to disable the entire module without removing it from your configuration.
tags
map(string)
default:"{}"
A map of tags to add to all resources created by this module.

Slack settings

slack_emoji
string
default:":aws:"
A custom emoji that appears as the bot icon on Slack messages.
log_events
boolean
default:"false"
When true, the Lambda function logs the full incoming event payload to CloudWatch at the INFO level. Useful for debugging, but increases log volume.
log_level
string
default:"INFO"
Logging level for the Lambda function. Valid values are DEBUG, INFO, WARNING, ERROR, and CRITICAL.

SNS topic

create_sns_topic
boolean
default:"true"
Whether to create a new SNS topic. Set to false when you want to subscribe the Lambda function to an existing topic identified by sns_topic_name.
sns_topic_kms_key_id
string
default:"\"\""
ARN of the KMS key used to enable server-side encryption (SSE) on the SNS topic.
enable_sns_topic_delivery_status_logs
boolean
default:"false"
Whether to enable SNS delivery status logging for Lambda deliveries. When enabled, success and failure delivery attempts are logged to CloudWatch using an IAM feedback role.
sns_topic_lambda_feedback_role_arn
string
default:"\"\""
ARN of an existing IAM role to use for SNS delivery status logging. When set, the module does not create a new feedback role.
sns_topic_feedback_role_name
string
default:"null"
Name of the IAM role created for SNS delivery status logging. Only used when enable_sns_topic_delivery_status_logs = true and no existing role ARN is provided.
sns_topic_feedback_role_description
string
default:"null"
Description of the IAM role used for SNS delivery status logging.
sns_topic_feedback_role_path
string
default:"null"
IAM path for the SNS feedback role.
sns_topic_feedback_role_force_detach_policies
boolean
default:"true"
Whether to force-detach any policies from the SNS feedback IAM role before destroying it.
sns_topic_feedback_role_permissions_boundary
string
default:"null"
ARN of a permissions boundary policy to attach to the SNS feedback IAM role.
sns_topic_feedback_role_tags
map(string)
default:"{}"
Additional tags to assign to the SNS topic feedback IAM role.
sns_topic_lambda_feedback_sample_rate
number
default:"100"
Percentage of successful Lambda deliveries to log. Accepts values from 0 to 100.
sns_topic_tags
map(string)
default:"{}"
Additional tags for the SNS topic, merged with tags.

Lambda function

lambda_function_name
string
default:"notify_slack"
The name given to the Lambda function.
lambda_description
string
default:"null"
A description for the Lambda function, visible in the AWS console.
lambda_source_path
string
default:"null"
Path to a custom Lambda function source file, relative to your Terraform root module. When null, the bundled functions/notify_slack.py is used.
runtime
string
default:"python3.13"
The Lambda runtime identifier. Defaults to python3.13.
architectures
list(string)
default:"null"
Instruction set architecture for the Lambda function. Valid values are ["x86_64"] and ["arm64"].
reserved_concurrent_executions
number
default:"-1"
The number of reserved concurrent executions for the Lambda function. 0 disables invocations; -1 removes concurrency limits.
lambda_function_ephemeral_storage_size
number
default:"512"
Amount of ephemeral /tmp storage in MB available to the Lambda function at runtime. Valid range is 512–10240 MB.
lambda_function_tags
map(string)
default:"{}"
Additional tags for the Lambda function, merged with tags.
recreate_missing_package
boolean
default:"true"
Whether to recreate the Lambda deployment package if it is missing locally.
hash_extra
string
default:"\"\""
An extra string added to the hash used for the Lambda deployment package. Useful when building the same source path for multiple functions.
trigger_on_package_timestamp
boolean
default:"false"
When true, the file timestamp is used when deciding whether to recreate the deployment archive. When false (the default), the timestamp is ignored and the archive is only recreated when the source content changes.

Lambda networking

Both lambda_function_vpc_subnet_ids and lambda_function_vpc_security_group_ids must be set together to place the Lambda function inside a VPC. The module automatically attaches the required AWSLambdaVPCAccessExecutionRole policy when subnets are provided.
lambda_function_vpc_subnet_ids
list(string)
default:"null"
List of subnet IDs the Lambda function should run in. Use private or intra subnets to keep traffic inside the VPC.
lambda_function_vpc_security_group_ids
list(string)
default:"null"
List of security group IDs to associate with the Lambda function when running inside a VPC.

Lambda IAM

lambda_role
string
default:"\"\""
ARN of an existing IAM role to attach to the Lambda function. When set, the module does not create a new role.
iam_role_name_prefix
string
default:"lambda"
Prefix for the generated IAM role name. The full name is {prefix}-{lambda_function_name}.
iam_role_path
string
default:"null"
IAM path for the Lambda execution role.
iam_role_boundary_policy_arn
string
default:"null"
ARN of a permissions boundary policy to attach to the Lambda execution role.
iam_role_tags
map(string)
default:"{}"
Additional tags for the Lambda IAM role.

Lambda storage

lambda_function_store_on_s3
boolean
default:"false"
Whether to upload the Lambda deployment package to S3 rather than storing it locally.
lambda_function_s3_bucket
string
default:"null"
Name of the S3 bucket used to store the Lambda deployment artifact. Required when lambda_function_store_on_s3 = true.

Lambda dead letter

lambda_dead_letter_target_arn
string
default:"null"
ARN of an SNS topic or SQS queue to notify when a Lambda invocation fails after all retries are exhausted.
lambda_attach_dead_letter_policy
boolean
default:"false"
Whether to attach an IAM policy granting the Lambda role permission to send to the dead letter target.

Encryption

kms_key_arn
string
default:"\"\""
ARN of the KMS key used to decrypt an encrypted Slack webhook URL. When set, kms:Decrypt is added to the Lambda execution role policy.
cloudwatch_log_group_kms_key_id
string
default:"null"
ARN of the KMS key used to encrypt log data in the Lambda CloudWatch log group.

CloudWatch

cloudwatch_log_group_retention_in_days
number
default:"0"
Number of days to retain log events in the Lambda log group. 0 means logs are retained indefinitely.
cloudwatch_log_group_tags
map(string)
default:"{}"
Additional tags for the CloudWatch log group, merged with tags.

Subscription filter

subscription_filter_policy
string
default:"null"
A valid SNS filter policy JSON string. When set, only messages matching this policy are delivered to the Lambda function.
subscription_filter_policy_scope
string
default:"null"
The scope of the filter policy. Valid values are MessageAttributes and MessageBody.
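
An added example (not taken from the module's own documentation) of a module call that combines the security-relevant inputs listed above: a KMS-encrypted webhook URL, an encrypted topic and log group, bounded log retention, VPC placement, and a filter policy. The module source, the input variable names, the sample topic and bot names, the retention and concurrency values, and the `severity` message attribute are placeholders or assumptions.

```hcl
# Added example. Values marked "placeholder" or "assumed" are not from the page.

variable "slack_webhook_ciphertext" {
  description = "Base64-encoded KMS ciphertext of the Slack webhook URL, encrypted outside Terraform"
  type        = string
  sensitive   = true # keeps the value out of plan output
}

variable "kms_key_arn" { type = string }               # placeholder: key that encrypted the webhook URL
variable "private_subnet_ids" { type = list(string) }  # placeholder
variable "lambda_sg_ids" { type = list(string) }       # placeholder

module "notify_slack" {
  source = "<module-source>" # placeholder: the page does not state the module source

  # Required inputs
  sns_topic_name = "security-alerts" # assumed name
  slack_channel  = "#alerts"
  slack_username = "aws-notifier"    # assumed name

  # The webhook URL works as a bearer secret: pass ciphertext, never the plain URL.
  # Setting kms_key_arn adds kms:Decrypt to the Lambda execution role policy.
  slack_webhook_url = var.slack_webhook_ciphertext
  kms_key_arn       = var.kms_key_arn

  # Encrypt at rest. The key policy must allow SNS and CloudWatch Logs to use the key.
  sns_topic_kms_key_id            = var.kms_key_arn
  cloudwatch_log_group_kms_key_id = var.kms_key_arn

  # Keep full event payloads out of the logs and bound how long logs are kept.
  log_events                             = false
  log_level                              = "INFO"
  cloudwatch_log_group_retention_in_days = 90 # default 0 retains logs indefinitely

  # Both VPC inputs must be set together. The function still needs an egress
  # path from these subnets to reach Slack.
  lambda_function_vpc_subnet_ids         = var.private_subnet_ids
  lambda_function_vpc_security_group_ids = var.lambda_sg_ids

  # Cap concurrency so a burst of SNS messages cannot flood the channel.
  reserved_concurrent_executions = 5

  # Deliver only messages whose assumed "severity" attribute matches.
  subscription_filter_policy       = jsonencode({ severity = ["HIGH", "CRITICAL"] })
  subscription_filter_policy_scope = "MessageAttributes"
}
```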