Lambda Managed Instance stack
Overview
The walkthrough VPC lab provisions the subnets and a security group. This module builds the capacity-provider side: the operator IAM role, the aws_lambda_capacity_provider (VPC placement, instance requirements, scaling), and the service-linked role that lets Lambda manage the EC2 fleet lifecycle on your behalf.
The Lambda function itself — execution role, log group, and aws_lambda_function — lives in the next lab: Lambda Managed Function.
Sections follow the comment groups in examples/waf-loki/main.tf. Code blocks use illustrative literals so you can read the shape without tracing variables.
Identity
The operator role uses a name_prefix, so its final name is only known after apply, and its ARN is wired into the capacity provider's permissions_config. The capacity provider itself has a fixed, unique name. This role is the identity Lambda assumes to manage EC2 capacity for you, so review its trust policy and the policy attachment in the plan before applying.
```hcl
# aws_iam_role.operator
name_prefix = "demo-op-"

# aws_lambda_capacity_provider.this
name = "demo-capacity"

permissions_config {
  # ARN of aws_iam_role.operator; the suffix is generated at apply time
  capacity_provider_operator_role_arn = "arn:aws:iam::111122223333:role/demo-op-abc123"
}
```

Further reading: IAM roles (execution vs operator).
Capacity provider and scaling
instance_requirements constrains the CPU architecture and takes optional allow and deny lists of instance types. capacity_provider_scaling_config sets the scaling mode and the vCPU ceiling; max_vcpu_count is the hard cap on how much EC2 capacity Lambda may provision for this provider, so set it deliberately. In Manual mode the lab adds a CPU-utilization target policy as well.
```hcl
instance_requirements {
  architectures           = ["x86_64"]
  allowed_instance_types  = null # optional allow-list; null means no restriction
  excluded_instance_types = null # optional deny-list
}

capacity_provider_scaling_config {
  scaling_mode   = "Auto"
  max_vcpu_count = 16
}
```

Further reading: Placement & capacity, Elasticity & CPU, Supported instance families.
VPC placement
vpc_config lives on aws_lambda_capacity_provider and governs the ENIs of the managed EC2 fleet, so the subnets and security group here decide which network the instances land in. It is separate from any vpc_config on an aws_lambda_function.
```hcl
vpc_config {
  subnet_ids         = ["subnet-0a1b2c3d", "subnet-0e5f6a7b"] # private subnets from the VPC lab
  security_group_ids = ["sg-0123456789abcdef0"]               # aws_security_group.lmi
}
```

The VPC lab creates aws_security_group.lmi and the private subnets that are passed in here.
Tags
tags = var.tags appears on both the operator role and aws_lambda_capacity_provider.

```hcl
tags = {
  Project = "demo"
  Owner   = "platform"
}
```

Review the plan
1. From examples/waf-loki, run terraform plan. Expect the service-linked role, the operator role and its policy attachment, and the capacity provider (VPC config, instance requirements, scaling). Anything else in the plan, or any destroy or replace action, deserves a second look before you continue.
2. Apply when the plan matches expectations. Note the capacity_provider_arn output; the next lab uses it.
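One way to make the "expect these resources" step mechanical, as an added example that is not part of the lab: save the plan (terraform plan -out plan.out) and export it with terraform show -json plan.out, then run a checker over the JSON. The script below assumes the resource addresses the page names (aws_iam_role.operator, aws_lambda_capacity_provider.this); the addresses it uses for the service-linked role and the policy attachment are hypothetical, since the page does not state them. The embedded SAMPLE_PLAN is a constructed, trimmed stand-in for real terraform show -json output; note that the operator role ARN shows up under after_unknown ("known after apply"), not as a string under after, which is the case the checker has to accept.

```python
"""Checker for `terraform show -json plan.out` output of the LMI capacity-provider lab.

Added example, not the lab's own code. Addresses of the service-linked role and the
policy attachment below are hypothetical; the page does not name them.
"""
import json
import sys

# Resource types the lab says a clean plan should create, and nothing else.
EXPECTED_TYPES = {
    "aws_iam_service_linked_role",
    "aws_iam_role",
    "aws_iam_role_policy_attachment",
    "aws_lambda_capacity_provider",
}

# Constructed sample shaped like real plan JSON (trimmed to the attributes checked here).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_iam_service_linked_role.lambda", "type": "aws_iam_service_linked_role",
         "change": {"actions": ["create"], "after": {}, "after_unknown": {"arn": True}}},
        {"address": "aws_iam_role.operator", "type": "aws_iam_role",
         "change": {"actions": ["create"], "after": {"name_prefix": "demo-op-"},
                    "after_unknown": {"arn": True, "name": True}}},
        {"address": "aws_iam_role_policy_attachment.operator", "type": "aws_iam_role_policy_attachment",
         "change": {"actions": ["create"], "after": {}, "after_unknown": {"role": True}}},
        {"address": "aws_lambda_capacity_provider.this", "type": "aws_lambda_capacity_provider",
         "change": {"actions": ["create"],
                    "after": {"name": "demo-capacity",
                              "vpc_config": [{"subnet_ids": ["subnet-0a1b2c3d", "subnet-0e5f6a7b"],
                                              "security_group_ids": ["sg-0123456789abcdef0"]}],
                              "permissions_config": [{"capacity_provider_operator_role_arn": None}],
                              "capacity_provider_scaling_config": [{"scaling_mode": "Auto",
                                                                    "max_vcpu_count": 16}]},
                    # The operator role ARN is only known after apply.
                    "after_unknown": {"arn": True,
                                      "permissions_config": [{"capacity_provider_operator_role_arn": True}]}}},
    ],
}


def _block(obj, name):
    """First element of a nested block list such as vpc_config, or {} when absent."""
    val = (obj or {}).get(name)
    if isinstance(val, list) and val and isinstance(val[0], dict):
        return val[0]
    return {}


def check_plan(plan, expected_subnets, expected_sg, max_vcpu_ceiling=16):
    """Return a list of findings; an empty list means the plan matches expectations."""
    findings = []
    changes = {rc["address"]: rc for rc in plan.get("resource_changes", [])}
    # A fresh lab only creates; a destroy or replace means drift or a bad variable.
    for addr, rc in changes.items():
        if "delete" in rc["change"]["actions"]:
            findings.append(f"{addr}: plan destroys or replaces this resource")
    created = {rc["type"] for rc in changes.values() if "create" in rc["change"]["actions"]}
    for t in sorted(EXPECTED_TYPES - created):
        findings.append(f"no create for expected resource type {t}")
    for addr, rc in changes.items():
        if rc["type"] not in EXPECTED_TYPES:
            findings.append(f"{addr}: unexpected resource type {rc['type']}")
        if rc["type"] != "aws_lambda_capacity_provider":
            continue
        after = rc["change"].get("after") or {}
        unknown = rc["change"].get("after_unknown") or {}
        vpc = _block(after, "vpc_config")
        if set(vpc.get("subnet_ids") or []) != set(expected_subnets):
            findings.append(f"{addr}: vpc_config.subnet_ids is not the private subnet set")
        if set(vpc.get("security_group_ids") or []) != {expected_sg}:
            findings.append(f"{addr}: vpc_config.security_group_ids is not the LMI security group")
        # Accept either a concrete IAM role ARN or a known-after-apply marker.
        arn = _block(after, "permissions_config").get("capacity_provider_operator_role_arn")
        arn_unknown = _block(unknown, "permissions_config").get("capacity_provider_operator_role_arn") is True
        if not arn_unknown and not (isinstance(arn, str) and arn.startswith("arn:aws:iam::")):
            findings.append(f"{addr}: permissions_config does not reference the operator role")
        scaling = _block(after, "capacity_provider_scaling_config")
        if scaling.get("scaling_mode") not in ("Auto", "Manual"):
            findings.append(f"{addr}: unexpected scaling_mode {scaling.get('scaling_mode')!r}")
        if (scaling.get("max_vcpu_count") or 0) > max_vcpu_ceiling:
            findings.append(f"{addr}: max_vcpu_count exceeds ceiling {max_vcpu_ceiling}")
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json && python check_plan.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan(plan, ["subnet-0a1b2c3d", "subnet-0e5f6a7b"], "sg-0123456789abcdef0")
    print("\n".join(problems) if problems else "plan matches expectations")
    sys.exit(1 if problems else 0)
```

The subnet IDs, security group ID and vCPU ceiling passed to check_plan are the values you expect from the VPC lab and your own scaling budget; hard-code them or read them from the lab's outputs, but do not take them from the plan under test, or the check proves nothing.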