Silent failure in CloudFormation Lambda VpcConfig

0

I'm trying to add a VPC to a lambda, via CloudFormation. We're using SAM, so it's a "AWS::Serverless::Function". I have added the VpcConfig section of the CF template as per the docs, but the VPC is never attached to the lambda. No error, successful deploy, but no VPC. I can then add the VPC (and later EFS) config via the console. Drift detection shows no discrepancy between actual and expected, either before or after I manually add the VPC. Deploying again later, using "sam deploy", silently removes the VPC config.

Below is a minimal CloudFormation template displaying the behavior. I've tried everything I can think of, including a "DependsOn" clause referencing the VPC and subnets. What am I missing?

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Test template for VPC/Lambda config

Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/24"
      EnableDnsHostnames: true
      EnableDnsSupport: true

  MyVPCSubnetMaster:
        Type: AWS::EC2::Subnet
        Properties:
            VpcId: !Ref MyVPC
            AvailabilityZone: !Select [0, !GetAZs ""]
            CidrBlock: "10.0.0.0/28"
            MapPublicIpOnLaunch: true

  MyVPCSubnetBackup:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      AvailabilityZone: !Select [ 1, !GetAZs "" ]
      CidrBlock: "10.0.0.16/28"
      MapPublicIpOnLaunch: true

  MyLambda:
    Type: AWS::Serverless::Function
    VpcConfig:
      SecurityGroupIds:
        - !GetAtt MyVPC.DefaultSecurityGroup
      SubnetIds:
        - !GetAtt MyVPCSubnetMaster.SubnetId
        - !GetAtt MyVPCSubnetBackup.SubnetId
    Properties:
      FunctionName: "MyLambda"
      Runtime: "python3.8"
      Handler: "index.handler"
      CodeUri: test/MyLambda
Eric
已提問 1 年前檢視次數 723 次
2 個答案
0
已接受的答案

Turns out the problem was very simple: the "VpcConfig" statement in my CF template needed to be under the lambda's "Properties" config section.

Eric
已回答 1 年前
0

You need to add a policy to your function that allows the lambda to attach/detatch a network interface:

  SomeLambda:
    Type: AWS::Serverless::Function
    Properties:
# content ommitted
      Policies:
        - Statement:
            - Sid: AttachToVpc
              Effect: Allow
              Action:
                - ec2:CreateNetworkInterface
                - ec2:DescribeNetworkInterfaces
                - ec2:DeleteNetworkInterface
              Resource: "*"
# more content ommitted
profile picture
已回答 1 年前
  • Thanks for the very quick response! In fact this doesn't seem necessary (in my case the managed policy AWSLambdaVPCAccessExecutionRole was attached to the lambda automatically), but your answer did lead me to the real problem, which was that my "VpcConfig" statement was outside the "Properties" heading, and thus effectively invisible to CF.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南