interface GuFunctionProps {
    adotInstrumentation?: AdotInstrumentationConfig;
    allowAllOutbound?: boolean;
    allowPublicSubnet?: boolean;
    app: string;
    applicationLogLevel?: string;
    applicationLogLevelV2?: ApplicationLogLevel;
    architecture?: Architecture;
    bucketNamePath?: string;
    codeSigningConfig?: ICodeSigningConfig;
    currentVersionOptions?: VersionOptions;
    deadLetterQueue?: IQueue;
    deadLetterQueueEnabled?: boolean;
    deadLetterTopic?: ITopic;
    description?: string;
    enableVersioning?: boolean;
    environment?: {
        [key: string]: string;
    environmentEncryption?: IKey;
    ephemeralStorageSize?: Size;
    errorPercentageMonitoring?: GuLambdaErrorPercentageMonitoringProps;
    events?: IEventSource[];
    fileName: string;
    filesystem?: FileSystem;
    functionName?: string;
    handler: string;
    initialPolicy?: PolicyStatement[];
    insightsVersion?: LambdaInsightsVersion;
    ipv6AllowedForDualStack?: boolean;
    layers?: ILayerVersion[];
    logFormat?: string;
    logGroup?: ILogGroup;
    logRetention?: RetentionDays;
    logRetentionRetryOptions?: LogRetentionRetryOptions;
    logRetentionRole?: IRole;
    loggingFormat?: LoggingFormat;
    maxEventAge?: Duration;
    memorySize?: number;
    onFailure?: IDestination;
    onSuccess?: IDestination;
    paramsAndSecrets?: ParamsAndSecretsLayerVersion;
    profiling?: boolean;
    profilingGroup?: IProfilingGroup;
    reservedConcurrentExecutions?: number;
    retryAttempts?: number;
    role?: IRole;
    runtime: Runtime;
    runtimeManagementMode?: RuntimeManagementMode;
    securityGroups?: ISecurityGroup[];
    snapStart?: SnapStartConf;
    systemLogLevel?: string;
    systemLogLevelV2?: SystemLogLevel;
    throttlingMonitoring?: GuLambdaThrottlingMonitoringProps;
    timeout?: Duration;
    tracing?: Tracing;
    vpc?: IVpc;
    vpcSubnets?: SubnetSelection;
    withoutArtifactUpload?: boolean;
    withoutFilePrefix?: boolean;

Hierarchy (view full)


adotInstrumentation?: AdotInstrumentationConfig

Specify the configuration of AWS Distro for OpenTelemetry (ADOT) instrumentation



- No ADOT instrumentation
allowAllOutbound?: boolean

Whether to allow the Lambda to send all network traffic

If set to false, you must individually add traffic rules to allow the Lambda to connect to network targets.

Do not specify this property if the securityGroups or securityGroup property is set. Instead, configure allowAllOutbound directly on the security group.


allowPublicSubnet?: boolean

Lambda Functions in a public subnet can NOT access the internet. Use this property to acknowledge this limitation and still place the function in a public subnet.

app: string
applicationLogLevel?: string

Sets the application log level for the function.


Use applicationLogLevelV2 as a property instead.


applicationLogLevelV2?: ApplicationLogLevel

Sets the application log level for the function.


architecture?: Architecture

The system architectures compatible with this lambda function.


bucketNamePath?: string

SSM parameter for the S3 bucket that contains your lambda file.

Typically you should not override this but you may need to if, for example, you are referencing a file that is shared across many apps and/or AWS accounts.

Default Value


codeSigningConfig?: ICodeSigningConfig

Code signing config associated with this function


- Not Sign the Code
currentVersionOptions?: VersionOptions

Options for the lambda.Version resource automatically created by the fn.currentVersion method.


  • default options as described in VersionOptions
deadLetterQueue?: IQueue

The SQS queue to use if DLQ is enabled. If SNS topic is desired, specify deadLetterTopic property instead.


  • SQS queue with 14 day retention period if deadLetterQueueEnabled is true
deadLetterQueueEnabled?: boolean

Enabled DLQ. If deadLetterQueue is undefined, an SQS queue with default options will be defined for your Function.


  • false unless deadLetterQueue is set, which implies DLQ is enabled.
deadLetterTopic?: ITopic

The SNS topic to use as a DLQ. Note that if deadLetterQueueEnabled is set to true, an SQS queue will be created rather than an SNS topic. Using an SNS topic as a DLQ requires this property to be set explicitly.


- no SNS topic
description?: string

A description of the function.


- No description.
enableVersioning?: boolean

Create a new Lambda version and alias. This is only necessary if you want to use features which rely on versioning (e.g. SnapStart or Provisioned Concurrency).

If you enable versioning you must ensure that your Lambda function is updated whenever a new build is deployed via CloudFormation. The simplest way to do this is to include the build number in the fileName prop.

environment?: {
    [key: string]: string;

Key-value pairs that Lambda caches and makes available for your Lambda functions. Use environment variables to apply configuration changes, such as test and production environment configurations, without changing your Lambda function source code.

Type declaration

  • [key: string]: string


- No environment variables.
environmentEncryption?: IKey

The AWS KMS key that's used to encrypt your function's environment variables.


- AWS Lambda creates and uses an AWS managed customer master key (CMK).
ephemeralStorageSize?: Size

The size of the function’s /tmp directory in MiB.


512 MiB
errorPercentageMonitoring?: GuLambdaErrorPercentageMonitoringProps

Alarm if error percentage exceeds a threshold.

events?: IEventSource[]

Event sources for this function.

You can also add event sources using addEventSource.


- No event sources.
fileName: string

The filename for an executable package within the bucket [[GuDistributionBucketParameter]]. We'll look for fileName on the path "bucket/stack/stage/app/".

filesystem?: FileSystem

The filesystem configuration for the lambda function


- will not mount any filesystem
functionName?: string

A name for the function.


- AWS CloudFormation generates a unique physical ID and uses that
ID for the function's name. For more information, see Name Type.
handler: string

The name of the method within your code that Lambda calls to execute your function. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see

Use Handler.FROM_IMAGE when defining a function from a Docker image.

NOTE: If you specify your source code as inline text by specifying the ZipFile property within the Code property, specify index.function_name as the handler.

initialPolicy?: PolicyStatement[]

Initial policy statements to add to the created Lambda Role.

You can call addToRolePolicy to the created lambda to add statements post creation.


- No policy statements are added to the created Lambda role.
insightsVersion?: LambdaInsightsVersion

Specify the version of CloudWatch Lambda insights to use for monitoring


When used with DockerImageFunction or DockerImageCode, the Docker image should have the Lambda insights agent installed.


- No Lambda Insights
ipv6AllowedForDualStack?: boolean

Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.

Only used if 'vpc' is supplied.


layers?: ILayerVersion[]

A list of layers to add to the function's execution environment. You can configure your Lambda function to pull in additional code during initialization in the form of layers. Layers are packages of libraries or other dependencies that can be used by multiple functions.


- No layers.
logFormat?: string

Sets the logFormat for the function.


Use loggingFormat as a property instead.


logGroup?: ILogGroup

The log group the function sends logs to.

By default, Lambda functions send logs to an automatically created default log group named /aws/lambda/<function name>. However you cannot change the properties of this auto-created log group using the AWS CDK, e.g. you cannot set a different log retention.

Use the logGroup property to create a fully customizable LogGroup ahead of time, and instruct the Lambda function to send logs to it.

Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first.


/aws/lambda/${this.functionName} - default log group created by Lambda

logRetention?: RetentionDays

The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to INFINITE.

This is a legacy API and we strongly recommend you move away from it if you can. Instead create a fully customizable log group with logs.LogGroup and use the logGroup property to instruct the Lambda function to send logs to it. Migrating from logRetention to logGroup will cause the name of the log group to change. Users and code and referencing the name verbatim will have to adjust.

In AWS CDK code, you can access the log group name directly from the LogGroup construct:

import * as logs from 'aws-cdk-lib/aws-logs';

declare const myLogGroup: logs.LogGroup;


logRetentionRetryOptions?: LogRetentionRetryOptions

When log retention is specified, a custom resource attempts to create the CloudWatch log group. These options control the retry policy when interacting with CloudWatch APIs.

This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.


- Default AWS SDK retry options.
logRetentionRole?: IRole

The IAM role for the Lambda function associated with the custom resource that sets the retention policy.

This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.


- A new role is created.
loggingFormat?: LoggingFormat

Sets the loggingFormat for the function.


maxEventAge?: Duration

The maximum age of a request that Lambda sends to a function for processing.

Minimum: 60 seconds Maximum: 6 hours


memorySize?: number

The amount of memory, in MB, that is allocated to your Lambda function. Lambda uses this value to proportionally allocate the amount of CPU power. For more information, see Resource Model in the AWS Lambda Developer Guide.


onFailure?: IDestination

The destination for failed invocations.


- no destination
onSuccess?: IDestination

The destination for successful invocations.


- no destination
paramsAndSecrets?: ParamsAndSecretsLayerVersion

Specify the configuration of Parameters and Secrets Extension

profiling?: boolean

Enable profiling.

profilingGroup?: IProfilingGroup

Profiling Group.



  • A new profiling group will be created if profiling is set.
reservedConcurrentExecutions?: number

The maximum of concurrent executions you want to reserve for the function.


- No specific limit - account limit.


retryAttempts?: number

The maximum number of times to retry when the function returns an error.

Minimum: 0 Maximum: 2


role?: IRole

Lambda execution role.

This is the role that will be assumed by the function upon execution. It controls the permissions that the function will have. The Role must be assumable by the '' service principal.

The default Role automatically has permissions granted for Lambda execution. If you provide a Role, you must add the relevant AWS managed policies yourself.

The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and "service-role/AWSLambdaVPCAccessExecutionRole".


  • A unique role will be generated for this lambda function. Both supplied and generated roles can always be changed by calling addToRolePolicy.
runtime: Runtime

The runtime environment for the Lambda function that you are uploading. For valid values, see the Runtime property in the AWS Lambda Developer Guide.

Use Runtime.FROM_IMAGE when defining a function from a Docker image.

runtimeManagementMode?: RuntimeManagementMode

Sets the runtime management configuration for a function's version.


securityGroups?: ISecurityGroup[]

The list of security groups to associate with the Lambda's network interfaces.

Only used if 'vpc' is supplied.


- If the function is placed within a VPC and a security group is
not specified, either by this or securityGroup prop, a dedicated security
group will be created for this function.
snapStart?: SnapStartConf

Enable SnapStart for Lambda Function. SnapStart is currently supported only for Java 11, 17 runtime


- No snapstart
systemLogLevel?: string

Sets the system log level for the function.


Use systemLogLevelV2 as a property instead.


systemLogLevelV2?: SystemLogLevel

Sets the system log level for the function.


throttlingMonitoring?: GuLambdaThrottlingMonitoringProps

Alarm if throttling occurs. Note, it is also worth considering a concurrency limit (the reservedConcurrentExecutions prop) if you are concerned about throttling.

timeout?: Duration

The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time.


tracing?: Tracing

Enable AWS X-Ray Tracing for Lambda Function.


vpc?: IVpc

VPC network to place Lambda network interfaces

Specify this if the Lambda function needs to access resources in a VPC. This is required when vpcSubnets is specified.


- Function is not placed within a VPC.
vpcSubnets?: SubnetSelection

Where to place the network interfaces within the VPC.

This requires vpc to be specified in order for interfaces to actually be placed in the subnets. If vpc is not specify, this will raise an error.

Note: Internet access for Lambda Functions requires a NAT Gateway, so picking public subnets is not allowed (unless allowPublicSubnet is set to true).


- the Vpc default strategy if not specified
withoutArtifactUpload?: boolean

Set to true this informs consumers of this function that upload is managed elsewhere by DevX.

This is used by RiffRaffYamlFileExperimental to skip generating an uploadLambda step.

withoutFilePrefix?: boolean

Set to true to use the filename without the stage/stack/app prefix.

Typically you should not override this but you may need to if, for example, you are referencing a file that is shared across many apps and/or AWS accounts.