Configuring VPC and RDS via Cloudformation for AWS Lambda

I have outlined the overall “project” elsewhere; here are my notes on the RDS + VPC challenge:

Setting up RDS (and VPC) via CloudFormation

The Serverless Framework has fields for including verbatim CloudFormation template data, but I could not work out how to get the resulting connection information into my Lambda function without making CloudFormation API calls to read the outputs of a given stack. That can be done either as a plugin that repackages the Lambda zipfile after the CloudFormation stack has executed, or as a separate standalone stack whose values are already available when the Serverless Framework deploys, both as cross-stack references (VPC info) and as CloudFormation outputs that can be dumped to a Python or JSON file and loaded at runtime by the Lambda function. I decided on the latter approach and effectively added another step before running serverless deploy:

aws cloudformation update-stack \
    --stack-name something-database \
    --template-body ....  \
    --parameters ...  # [1][2]
aws cloudformation describe-stacks \
    --stack-name something-database > db.out.json # [3]
serverless deploy --stage mystage

[1]: I ended up doing it via boto3 and Python
[2]: I based my template on something I found online and augmented it with Outputs for my needs
[3]: I also ended up doing that via boto3 and Python

Doing it this way meant that I could write

vpc:
  securityGroupIds:
    - {"Fn::ImportValue": "db-${self:custom.stage}-SecurityGroupID"}
  subnetIds:
    - {"Fn::ImportValue": "db-${self:custom.stage}-SubnetA"}
    - {"Fn::ImportValue": "db-${self:custom.stage}-SubnetB"}
    - {"Fn::ImportValue": "db-${self:custom.stage}-SubnetC"}

in my serverless.yml and do something like the json.load in handler.py. With current versions of Serverless and AWS Lambda it should also be possible to add the values to the environment via a YAML load.
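The two Python-side pieces of that workflow, as an added example rather than the boto3 script mentioned in footnotes [1] and [3]: the deploy-time step that turns a describe-stacks response into db.out.json, and the handler-side json.load. The Output names DBEndpoint, DBPort and DBName are assumptions (use whatever your template's Outputs section exports), and so is the allow-list of keys, which is there so that nothing secret that later gets added as a stack Output ends up inside the deployment zip.

```python
"""Deploy time: dump selected CloudFormation stack Outputs to db.out.json.
Runtime (Lambda): load that file and build the DB connection settings.

Added example, not the post author's script. The Output names below are
assumptions; adjust them to whatever your template's Outputs section exports.
"""
import json
from pathlib import Path

# Only these Outputs are written into the file that gets zipped with the
# Lambda. Anything else (say, a password someone exposes as an Output) is
# dropped: the deployment package is not a place for secrets.
BUNDLED_OUTPUT_KEYS = ("DBEndpoint", "DBPort", "DBName")


def outputs_to_dict(describe_stacks_response, allowed=BUNDLED_OUTPUT_KEYS):
    """Flatten the Outputs list of a describe_stacks() response into a dict."""
    stacks = describe_stacks_response.get("Stacks", [])
    if len(stacks) != 1:
        raise ValueError(f"expected exactly one stack, got {len(stacks)}")
    found = {o["OutputKey"]: o["OutputValue"] for o in stacks[0].get("Outputs", [])}
    missing = [k for k in allowed if k not in found]
    if missing:
        raise KeyError(f"stack has no Output(s) named {missing}")
    return {k: found[k] for k in allowed}


def fetch_stack_outputs(stack_name, region=None):
    """Equivalent of `aws cloudformation describe-stacks --stack-name ...`."""
    import boto3  # lazy import: the rest of the module needs no AWS credentials

    cfn = boto3.client("cloudformation", region_name=region)
    return outputs_to_dict(cfn.describe_stacks(StackName=stack_name))


def write_outputs_file(outputs, path="db.out.json"):
    """Write the filtered outputs as JSON; returns the path for chaining."""
    Path(path).write_text(json.dumps(outputs, indent=2, sort_keys=True))
    return path


def load_db_config(path="db.out.json"):
    """Handler side: the json.load mentioned above, with the port coerced to int."""
    with open(path) as fh:
        data = json.load(fh)
    return {
        "host": data["DBEndpoint"],
        "port": int(data["DBPort"]),
        "dbname": data["DBName"],
    }


# Constructed sample in the shape boto3 returns; all values are placeholders.
SAMPLE_RESPONSE = {
    "Stacks": [
        {
            "StackName": "something-database",
            "Outputs": [
                {"OutputKey": "DBEndpoint", "OutputValue": "db.example.invalid"},
                {"OutputKey": "DBPort", "OutputValue": "5432"},
                {"OutputKey": "DBName", "OutputValue": "app"},
                # Deliberately present to show it is NOT written to the file.
                {"OutputKey": "DBMasterPassword", "OutputValue": "placeholder"},
            ],
        }
    ]
}

if __name__ == "__main__":
    import sys

    # With a stack name on the command line, talk to AWS; otherwise use the sample.
    outputs = (
        fetch_stack_outputs(sys.argv[1]) if len(sys.argv) > 1
        else outputs_to_dict(SAMPLE_RESPONSE)
    )
    print(load_db_config(write_outputs_file(outputs)))
```

Run it once before serverless deploy so db.out.json sits next to handler.py when the package is built; the allow-list means a stack that stops exporting one of the expected keys fails the deploy step rather than producing a Lambda that breaks at runtime.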

VPC considerations

With regard to the VPC, it is worth noting that when you add your Lambdas to a custom VPC, internet access and S3 access are no longer implicitly available. Specifically, I met some gotchas around S3 VPC Endpoint configuration, Security Groups, and general network access from the Lambda to the RDS instance. The main result is this:
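A pair of checks for the two gotchas just named, added here as an example and not the post author's code: whether every subnet the Lambda is attached to routes to an S3 gateway endpoint, and whether the RDS security group admits the Lambda's security group on the database port and nothing wider (no CIDR ranges, no other groups). The functions take the dicts that boto3's describe_security_groups, describe_vpc_endpoints and describe_route_tables return, so they work on live data or on the constructed sample below; all ids, the region and the port are placeholders.

```python
"""Checks for the VPC gotchas above: do the Lambda's subnets reach S3 through a
gateway endpoint, and does the RDS security group admit only the Lambda's group
on the DB port? Added example, not the post author's code. Inputs are the dicts
boto3's describe_security_groups / describe_vpc_endpoints / describe_route_tables
return; the sample data at the bottom is constructed with placeholder ids."""


def check_rds_ingress(sg_response, rds_sg_id, lambda_sg_id, db_port):
    """Findings (empty list == OK) for ingress into the RDS security group."""
    findings = []
    groups = {g["GroupId"]: g for g in sg_response["SecurityGroups"]}
    if rds_sg_id not in groups:
        return [f"{rds_sg_id}: security group not found"]
    allows_lambda = False
    for rule in groups[rds_sg_id].get("IpPermissions", []):
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        # IpProtocol "-1" means all traffic; FromPort/ToPort are absent then.
        in_range = lo is not None and hi is not None and lo <= db_port <= hi
        if rule.get("IpProtocol") != "-1" and not in_range:
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == lambda_sg_id:
                allows_lambda = True
            else:
                findings.append(f"{rds_sg_id}: port {db_port} open to group {pair.get('GroupId')}")
        for rng in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"{rds_sg_id}: port {db_port} open to CIDR {cidr}")
    if not allows_lambda:
        findings.append(f"{rds_sg_id}: no ingress on port {db_port} from Lambda group {lambda_sg_id}")
    return findings


def check_s3_endpoint(ep_response, rtb_response, vpc_id, region, subnet_ids):
    """Findings for Lambda subnets whose route table has no S3 gateway endpoint."""
    service = f"com.amazonaws.{region}.s3"
    endpoint_rtbs = set()
    for ep in ep_response["VpcEndpoints"]:
        if (ep.get("VpcId") == vpc_id and ep.get("ServiceName") == service
                and ep.get("VpcEndpointType") == "Gateway" and ep.get("State") == "available"):
            endpoint_rtbs.update(ep.get("RouteTableIds", []))
    # A subnet without an explicit association uses the VPC's main route table.
    explicit, main_rtb = {}, None
    for rtb in rtb_response["RouteTables"]:
        if rtb.get("VpcId", vpc_id) != vpc_id:
            continue
        for assoc in rtb.get("Associations", []):
            if assoc.get("Main"):
                main_rtb = rtb["RouteTableId"]
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rtb["RouteTableId"]
    return [f"{s}: route table {explicit.get(s, main_rtb)} has no gateway endpoint for {service}"
            for s in subnet_ids if explicit.get(s, main_rtb) not in endpoint_rtbs]


# Constructed sample data (placeholder ids and region, not from any real account).
VPC_ID, REGION = "vpc-0example", "eu-west-1"
LAMBDA_SG, RDS_SG, DB_PORT = "sg-0lambda", "sg-0rds", 5432
LAMBDA_SUBNETS = ["subnet-0a", "subnet-0b", "subnet-0c"]

SAMPLE_SGS = {"SecurityGroups": [{"GroupId": RDS_SG, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
     "UserIdGroupPairs": [{"GroupId": LAMBDA_SG}], "IpRanges": [], "Ipv6Ranges": []}]}]}

SAMPLE_ROUTE_TABLES = {"RouteTables": [
    # subnet-0a has no explicit association, so it falls back to the main table.
    {"RouteTableId": "rtb-0main", "VpcId": VPC_ID, "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-0private", "VpcId": VPC_ID,
     "Associations": [{"SubnetId": "subnet-0b"}, {"SubnetId": "subnet-0c"}]}]}

SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcId": VPC_ID, "ServiceName": f"com.amazonaws.{REGION}.s3", "VpcEndpointType": "Gateway",
     "State": "available", "RouteTableIds": ["rtb-0main", "rtb-0private"]}]}


def run_checks(sgs=SAMPLE_SGS, eps=SAMPLE_ENDPOINTS, rtbs=SAMPLE_ROUTE_TABLES):
    """Run both checks; an empty list means the sample (or live) setup passes."""
    return (check_rds_ingress(sgs, RDS_SG, LAMBDA_SG, DB_PORT)
            + check_s3_endpoint(eps, rtbs, VPC_ID, REGION, LAMBDA_SUBNETS))


if __name__ == "__main__":
    for line in run_checks() or ["all checks passed"]:
        print(line)
```

The main-route-table fallback matters in practice: a subnet that was never explicitly associated with a route table silently uses the VPC's main table, so an S3 endpoint attached only to the "private" table leaves that subnet without S3 access even though the endpoint exists.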
