I'm trying to add a VPC to a lambda, via CloudFormation. We're using SAM, so it's a "AWS::Serverless::Function". I have added the VpcConfig section of the CF template as per the docs, but the VPC is never attached to the lambda. No error, successful deploy, but no VPC. I can then add the VPC (and later EFS) config via the console. Drift detection shows no discrepancy between actual and expected, either before or after I manually add the VPC. Deploying again later, using "sam deploy", silently removes the VPC config.
Below is a minimal CloudFormation template displaying the behavior. I've tried everything I can think of, including a "DependsOn" clause referencing the VPC and subnets. What am I missing?
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Test template for VPC/Lambda config
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/24"
      EnableDnsHostnames: true
      EnableDnsSupport: true
  MyVPCSubnetMaster:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      AvailabilityZone: !Select [0, !GetAZs ""]
      CidrBlock: "10.0.0.0/28"
      MapPublicIpOnLaunch: true
  MyVPCSubnetBackup:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      AvailabilityZone: !Select [1, !GetAZs ""]
      CidrBlock: "10.0.0.16/28"
      MapPublicIpOnLaunch: true
  MyLambda:
    Type: AWS::Serverless::Function
    VpcConfig:
      SecurityGroupIds:
        - !GetAtt MyVPC.DefaultSecurityGroup
      SubnetIds:
        - !GetAtt MyVPCSubnetMaster.SubnetId
        - !GetAtt MyVPCSubnetBackup.SubnetId
    Properties:
      FunctionName: "MyLambda"
      Runtime: "python3.8"
      Handler: "index.handler"
      CodeUri: test/MyLambda
Thanks for the very quick response! In fact this doesn't seem necessary (in my case the managed policy AWSLambdaVPCAccessExecutionRole was attached to the lambda automatically), but your answer did lead me to the real problem, which was that my "VpcConfig" statement was outside the "Properties" heading, and thus effectively invisible to CF.
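The mistake above (a VpcConfig block placed beside Properties rather than inside it) produces no deploy error because CloudFormation simply drops keys it does not recognise at the resource level. The following is an added example, not code from the original post or from AWS, of a small stdlib-only pre-deploy check that catches that silent drop and also flags the other weak spot in the posted template, attaching the VPC's default security group to the function. The templates are written in CloudFormation's JSON form so they parse with json alone; the resource names mirror the post, while the RESOURCE_LEVEL_KEYS set, the dedicated security group (MyLambdaSG) and its egress rule are assumptions constructed for the example.

```python
"""Pre-deploy check for SAM/CloudFormation templates (added example, not the post's code)."""
import json
from typing import List

# Keys CloudFormation accepts at the resource level. Assumption: this is the documented
# set; anything else found beside Type/Properties is not a property and is ignored
# without error, which is exactly the silent failure described in the question.
RESOURCE_LEVEL_KEYS = {
    "Type", "Properties", "DependsOn", "Condition", "Metadata",
    "DeletionPolicy", "UpdateReplacePolicy", "CreationPolicy", "UpdatePolicy",
}


def _is_default_sg(sg) -> bool:
    """True if a SecurityGroupIds entry is !GetAtt <Vpc>.DefaultSecurityGroup."""
    if not isinstance(sg, dict):
        return False
    target = sg.get("Fn::GetAtt")
    if isinstance(target, str):           # "MyVPC.DefaultSecurityGroup" short form
        target = target.split(".")
    return isinstance(target, list) and target[-1] == "DefaultSecurityGroup"


def lint_template(template_json: str) -> List[str]:
    """Return human-readable findings for a template; an empty list means nothing flagged."""
    template = json.loads(template_json)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        # 1. Any non-standard key beside Properties is silently ignored by CloudFormation.
        for key in resource:
            if key not in RESOURCE_LEVEL_KEYS:
                findings.append(
                    f"{name}: '{key}' is at the resource level, not under Properties, "
                    "so CloudFormation ignores it")
        if resource.get("Type") != "AWS::Serverless::Function":
            continue
        # 2. Inspect VpcConfig wherever it was written so both mistakes are reported.
        props = resource.get("Properties", {})
        vpc = props.get("VpcConfig", resource.get("VpcConfig", {}))
        if any(_is_default_sg(sg) for sg in vpc.get("SecurityGroupIds", [])):
            findings.append(
                f"{name}: uses the VPC default security group, which allows all "
                "traffic between its members; create a dedicated group instead")
    return findings


# Constructed template mirroring the post: VpcConfig sits beside Properties.
BUGGY_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "MyVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/24"}},
        "MyVPCSubnetMaster": {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "MyVPC"}, "CidrBlock": "10.0.0.0/28"}},
        "MyLambda": {
            "Type": "AWS::Serverless::Function",
            "VpcConfig": {  # wrong level: should be inside Properties
                "SecurityGroupIds": [{"Fn::GetAtt": ["MyVPC", "DefaultSecurityGroup"]}],
                "SubnetIds": [{"Fn::GetAtt": ["MyVPCSubnetMaster", "SubnetId"]}],
            },
            "Properties": {"Runtime": "python3.8", "Handler": "index.handler",
                           "CodeUri": "test/MyLambda"},
        },
    },
})

# Constructed corrected template: VpcConfig under Properties and a dedicated security
# group (assumed name MyLambdaSG) whose explicit egress rule replaces the allow-all default.
FIXED_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "MyVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/24"}},
        "MyVPCSubnetMaster": {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "MyVPC"}, "CidrBlock": "10.0.0.0/28"}},
        "MyLambdaSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "Lambda egress to HTTPS only",
            "VpcId": {"Ref": "MyVPC"},
            "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 443,
                                     "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "MyLambda": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Runtime": "python3.8", "Handler": "index.handler", "CodeUri": "test/MyLambda",
                "VpcConfig": {
                    "SecurityGroupIds": [{"Ref": "MyLambdaSG"}],
                    "SubnetIds": [{"Fn::GetAtt": ["MyVPCSubnetMaster", "SubnetId"]}],
                },
            },
        },
    },
})

if __name__ == "__main__":
    for label, tpl in (("buggy", BUGGY_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, lint_template(tpl) or "no findings")
```

Run as a pre-commit step, this turns the silent drop into a visible failure before "sam deploy" ever runs. The check is deliberately narrow: it does not try to validate property schemas (cfn-lint is the tool for that) and it does not flag a missing VpcConfig, since most functions legitimately run outside a VPC.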