AWS Compute Blog
AWS SAM support for HashiCorp Terraform now generally available
In November 2022, AWS announced the public preview of AWS Serverless Application Model (AWS SAM) support for HashiCorp Terraform. The public preview introduces a subset of features to help Terraform users test serverless applications locally. Today, AWS is announcing the general availability of Terraform support in AWS SAM. This GA release expands AWS SAM’s feature set to enhance the local development of serverless applications.
Terraform and AWS SAM are both open-source frameworks allowing developers to define infrastructure as code (IaC). Developers can version and share infrastructure definitions in the same way they share code. However, because AWS SAM is specifically designed for serverless, it includes a command line interface (CLI) designed for serverless development. The CLI enables developers to create, debug, and deploy serverless applications using local emulators along with build and deployment tools. In this release, AWS SAM is making a subset of those tools to Terraform users as well.
Terraform support
The public preview blog demonstrated the initial support for Terraform. This blog demonstrates AWS SAM’s expanded feature set for local development. The blog also simplifies the implementation by using the modules for AWS Lambda functions and layers rather than the native Terraform resources.
Modules can build the deployment artifacts for the Lambda functions and layers. Additionally, the module automatically generates the metadata required by AWS SAM to interface with the Terraform resources. To use the native Terraform resources, refer to the preview blog for metadata configuration.
Downloading the code
To explore AWS SAM’s support for Terraform, visit the aws-sam-terraform-examples repository. Clone the repository and change to the ga directory to get started:
git clone
In this directory, there are two demo applications. Both of the applications are identical except for api_gateway_v1 uses an Amazon API Gateway REST API (v1) and api_gateway_v2 uses an Amazon API Gateway HTTP API (v2). Choose one and change to the tf-resources folder in that directory.
Unless indicated otherwise, examples in this post reference the api_gateway_v1 application.
Code structure
Terraform supports spreading IaC across multiple files. Because of this, developers often collect all the Terraform files in a single directory and keep the resource files elsewhere. The example applications are configured this way.
Any Terraform or AWS SAM command must run from the location of the file, in this case, the tf-resources directory. Because AWS SAM commands are generally run from the project root, AWS SAM has a command to support nested structures. If running the sam build command from a nested folder, pass the flag terraform-project-root-path with a relative or absolute path to the root of the project.
Local invoke
The preview version of Terraform supported local invocation but the team simplified the experience with support for The demonstration applications have two functions in them. A responder function is the backend integration for the API Gateway endpoints and the Auth function is a custom authorizer. Find both module definitions in the file.
Responder function
There are two important parameters:
- source_path, which points to a local folder. Because this is not a zip file, builds the artifacts as needed.
- create_sam_data, which generates the metadata required for AWS SAM to locate the necessary files and modules.
To invoke the function locally, run the following commands:
- Run build to run any build scripts
- Run local invoke to invoke the desired Lambda function
Because the project is Terraform, the hook-name parameter with the value terraform is required to let AWS SAM know how to proceed. The function name is a combination of the module name and the resource type that it becomes. If you are unsure of the name, run the command without the name:
AWS SAM evaluates the template. If there is only one function, AWS SAM proceeds to invoke it. If there are more than one, as is the case here, AWS SAM asks you which one and provides a list of options.
Auth function
The authorizer function requires some input data as a mock event. To generate a mock event for the api_gateway_v1 project:
For the api_gateway_v2 project use:
The resulting events are different because API Gateway REST and HTTP APIs can handle custom authorizers differently. In these examples, REST uses a standard token authorizer and returns the proper AWS Identity and Access Management (IAM) role. The HTTP API example uses a simple pass or fail option.
Each of the examples already has the properly formatted event for testing included at events/auth.json. To invoke the Auth function, run the following:
There is no need to run the sam build command again because the application has not changed.
Local start-api
You can now emulate a local version of API Gateway with the generally available release. Each of these examples have two endpoints. One endpoint is open and a custom authorizer secures the other. Both return the same response:
To start the local emulator, run the following:
AWS SAM starts the emulator and exposes the two endpoints for local testing.
Open endpoint
Using curl, test the open endpoint:
The local emulator processes the request and provides a response in the terminal window. The emulator also includes logs from the Lambda function.
Auth endpoint
Test the secure endpoint and pass the extra required header, myheader:
The endpoint returns an authorized response with the “Hello TF World” messaging. Try the endpoint again with an invalid header value:
The endpoint returns an unauthenticated response.
There are several options when using AWS SAM with Terraform:
- Hook-name: required for every command when working with Terraform. This informs AWS SAM that the project is a Terraform application.
- Skip-prepare-infra: AWS SAM uses the terraform plan command identify and process all the required artifacts. However, it should only be run when new resources are added or modified. This option keeps AWS SAM from running the terraform plan command. If this flag is passed and a plan does not exist, AWS SAM ignores the flag and run the terraform plan command anyway.
- Prepare-infra: forces AWS SAM to run the terraform plan command.
- Terraform-project-root-path: overrides the current directory as the root of the project. You can use an absolute path (/path/to/project/root) or relative path (../ or ../../).
- Terraform-plan-file: allows a developer to specify a specific Terraform plan file. This command also enables Terraform users to use local commands.
Combining these options can create long commands:
You can use the samconfig file to set defaults, shorten commands, and optimize the development process. Using the new samconfig YAML support, the file looks like this:
By setting these defaults, the command is now shorter:
AWS SAM now knows it is a Terraform project and skips the preparation task unless the Terraform plan is missing. If a plan refresh is required, add the –prepare-infra flag to override the default setting.
Deployment and remote debugging
The applications in these projects are regular Terraform applications. Deploy them as any other Terraform project.
Currently, AWS SAM accelerate does not support Terraform projects. However, because Terraform deploys using the API method, serverless applications deploy quickly. Use a third party watch and the terraform apply –auto-approve command to approximate this experience.
For logging, take advantage of the sam logs command. Refer to the deploy output of the projects for an example of tailing the logs for one or all of the resources.
HashiCorp Cloud Platform
HashiCorp Cloud Platform allows developers to run deployments using a centralized location to maintain security and state. When developers run builds in the cloud, a local plan file is not available for AWS SAM to use in local testing and debugging. However, developers can generate a plan in the cloud and use the plan locally for development. For instructions, refer to the documentation.
HashiCorp Terraform is a popular IaC framework for building applications in the AWS Cloud. AWS SAM is an IaC framework and the CLI is specifically designed to help developers build serverless applications.
This blog covers the new AWS SAM support for Terraform and how developers can use them together to maximize the development experience. The blog covers locally invoking a single function, emulating API Gateway endpoints locally, and testing a Lambda authorizer locally before deploying. Finally, the blog deploys the application and uses AWS SAM to monitor the deployed resources.
For more serverless learning resources, visit Serverless Land.