how to put the lambda in VPC by CloudFormation template

I am developing a lambda with CloudFormation by SAM.

My template.yaml is here.

It can be deployed, however this lambda is not set in VPC.

I want to put the lambda in the default VPC (to access RDS).

Can any setting be used here, or should I do something else?

(And the template makes the IAM role automatically; is there any way I can attach a policy to it? For example RDSFullAccess.)

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  python3.9   Sample SAM Template for chatbot-sam

Parameters:
  DBNAME:
    Type: String
  DBUSER:
    Type: String
  DBPASSWORD:
    Type: String
  DBHOST:
    Type: String
  DBPORT:
    Type: String
  LINELONGLIVETOKEN:
    Type: String
Globals:
  Function:
    Timeout: 30
    Environment:
      Variables:
        DBNAME: !Ref DBNAME
        DBUSER: !Ref DBUSER
        DBPASSWORD: !Ref DBPASSWORD
        DBHOST: !Ref DBHOST
        DBPORT: !Ref DBPORT  
        LINELONGLIVETOKEN: !Ref LINELONGLIVETOKEN  
Resources:
  WebhookFunction:
    Type: AWS::Serverless::Function 
    Properties:
      PackageType: Image
      Architectures:
        - x86_64
      Events:
        Webhook:
          Type: Api 
          Properties:
            Path: /webhook
            Method: post
    Metadata:
      Dockerfile: Dockerfile.webhook
      DockerContext: ./chatbotapp
      DockerTag: python3.9-v1




Outputs:
  WebhookApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/webhook/"
  WebhookFunction:
    Description: "Webhook Lambda Function ARN"
    Value: !GetAtt WebhookFunction.Arn
  WebhookFunctionIamRole:
    Description: "Implicit IAM Role created for Webhook function"
    Value: !GetAtt WebhookFunctionRole.Arn

I updated.

I attached VpcConfig and Policies, however it doesn't look changed.

Under lambda -> setting -> vpc there is no VPC setting, and I can't find any clue that it belongs to the SecurityGroup and Subnet.

  Policies: AWSLambdaVPCAccessExecutionRole
  VpcConfig:
    SubnetIds:
      - subnet-fb6fa4d0
      - subnet-bf8ab8e4
    SecurityGroupIds:
      - sg-0641506b4ec3782de


AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  python3.9   Sample SAM Template for chatbot-sam

Parameters:
  DBNAME:
    Type: String
  DBUSER:
    Type: String
  DBPASSWORD:
    Type: String
  DBHOST:
    Type: String
  DBPORT:
    Type: String
  LINELONGLIVETOKEN:
    Type: String
Globals:
  Function:
    Timeout: 30
    Environment:
      Variables:
        DBNAME: !Ref DBNAME
        DBUSER: !Ref DBUSER
        DBPASSWORD: !Ref DBPASSWORD
        DBHOST: !Ref DBHOST
        DBPORT: !Ref DBPORT  
        LINELONGLIVETOKEN: !Ref LINELONGLIVETOKEN  
Resources:
  WebhookFunction:
    Type: AWS::Serverless::Function 
    Properties:
      PackageType: Image
      Architectures:
        - x86_64
      Events:
        Webhook:
          Type: Api 
          Properties:
            Path: /webhook
            Method: post
      Policies: AWSLambdaVPCAccessExecutionRole
      VpcConfig:
        SubnetIds:
          - subnet-fb6fa4d0
          - subnet-bf8ab8e4
        SecurityGroupIds:
          - sg-0641506b4ec3782de
    Metadata:
      Dockerfile: Dockerfile.webhook
      DockerContext: ./chatbotapp
      DockerTag: python3.9-v1




Outputs:
  WebhookApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/webhook/"
  WebhookFunction:
    Description: "Webhook Lambda Function ARN"
    Value: !GetAtt WebhookFunction.Arn
  WebhookFunctionIamRole:
    Description: "Implicit IAM Role created for Webhook function"
    Value: !GetAtt WebhookFunctionRole.Arn
Philippa answered 4/2, 2022 at 14:34 Comment(1)
I'd be tempted to tear down your stack, if that's not an undue burden, and then re-deploy from scratch now that you've added VpcConfig. - Klingensmith

You'll need to add a VpcConfig to the properties of your function definition. You can see an example of how to use that here.

You can also add policies to the default role that is made for the function, or you can supply your own role, in which case the default role will not be created.

Codicodices answered 4/2, 2022 at 15:16 Comment(3)
Thank you very much, you gave me a great hint and I added Policies and VpcConfig. It can be deployed without error, but I can't see that it is belonging to the VPC, because when I open lambda->setting->VPC there is nothing. I updated the article. - Philippa
I don't have a good explanation for that. If you're looking at the correct function, and it has definitely deployed successfully, the VPC settings should be visible. You could try querying the function with the CLI to see if it's just an issue with the Console. - Codicodices
Thank you very much. I understand, and consequently it was correctly deployed. What I am checking is that lambda->setting->VPC shows another parameter; I misunderstood. My problem is solved. - Philippa
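
The VPC and role parts of the template, as an added example that is not from the original question or answer. It gives the function its own security group and opens the database security group only to that group instead of hardcoding IDs. The parameter names VpcId, LambdaSubnetIds, DbSecurityGroupId and DbPort and the resource names WebhookFunctionSecurityGroup and DbIngressFromWebhook are assumptions; the Api event and the other environment variables are unchanged from the question and left out here.

```yaml
# Added example, not the asker's template. VpcId, LambdaSubnetIds,
# DbSecurityGroupId and DbPort are assumed parameter names.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id                # checked against the account at deploy time
  LambdaSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>       # subnets that can route to the RDS instance
  DbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id      # group already attached to the RDS instance
  DbPort:
    Type: Number
  DBPASSWORD:
    Type: String
    NoEcho: true                           # masked in CloudFormation console and API output
Resources:
  WebhookFunctionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Webhook Lambda network interfaces
      VpcId: !Ref VpcId
  DbIngressFromWebhook:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DbSecurityGroupId
      IpProtocol: tcp
      FromPort: !Ref DbPort
      ToPort: !Ref DbPort
      SourceSecurityGroupId: !GetAtt WebhookFunctionSecurityGroup.GroupId  # only this function
  WebhookFunction:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      Timeout: 30
      Environment:
        Variables:
          DBPASSWORD: !Ref DBPASSWORD      # NoEcho does not hide this in the function config
      Policies:
        - AWSLambdaVPCAccessExecutionRole  # network interface management plus CloudWatch Logs
        # AmazonRDSFullAccess covers the RDS management API; a SQL connection does not use it
      VpcConfig:
        SubnetIds: !Ref LambdaSubnetIds
        SecurityGroupIds:
          - !GetAtt WebhookFunctionSecurityGroup.GroupId
    Metadata:
      Dockerfile: Dockerfile.webhook
      DockerContext: ./chatbotapp
      DockerTag: python3.9-v1
```

To confirm the attachment outside the Console, as suggested in the comments, `aws lambda get-function-configuration --function-name <function-name> --query VpcConfig` returns the subnet and security group IDs the deployed function actually uses.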
