fix(lambda): cannot create lambda in public subnets #9468
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nija-at
changed the title
nija-at
previously requested changes
Aug 6, 2020
nija-at
previously requested changes
Aug 10, 2020
| if (publicSubnetIds.has(subnetId)) { | ||
| throw new Error('Not possible to place Lambda Functions in a Public subnet'); | ||
| if (publicSubnetIds.has(subnetId) && !allowPublicSubnet) { | ||
| throw new Error('Lambda Functions in a Public subnet won\'t have internet access. If you need to do this, set `allowPublicSubnet` to true'); |
There was a problem hiding this comment.
Suggested change
| throw new Error('Lambda Functions in a Public subnet won\'t have internet access. If you need to do this, set `allowPublicSubnet` to true'); | |
| throw new Error('Lambda Functions in a public subnet can NOT access the internet. ' + | |
| 'If you are aware of this limitation and would still like to place the function int a public subnet, set `allowPublicSubnet` to true'); |
Comment on lines
304
to
307
| * Whether to override the error when trying to place a Function into a public subnet. Lambda functions in Public | ||
| * subnets cannot access the internet, so only do this if you need to. | ||
| * | ||
| * @default - false |
There was a problem hiding this comment.
Suggested change
| * Whether to override the error when trying to place a Function into a public subnet. Lambda functions in Public | |
| * subnets cannot access the internet, so only do this if you need to. | |
| * | |
| * @default - false | |
| * Lambda Functions in a public subnet can NOT access the internet. | |
| * Use this property to acknowledge this limitation and still place the function in a public subnet. | |
| * @see https://stackoverflow.com/questions/52992085/why-cant-an-aws-lambda-function-inside-a-public-subnet-in-a-vpc-connect-to-the/52994841#52994841 | |
| * | |
| * @default false |
| test.done(); | ||
| }, | ||
|
|
||
| 'picking public subnet type is not allowed if not overriding allowPublicSubnet'(test: Test) { |
There was a problem hiding this comment.
Suggested change
| 'picking public subnet type is not allowed if not overriding allowPublicSubnet'(test: Test) { | |
| 'picking public subnet type is not allowed by default'(test: Test) { |
| vpc, | ||
| vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC }, | ||
| }); | ||
| }); |
There was a problem hiding this comment.
Check that the error is the one that we actually expect, and not some other validation/error.
Suggested change
| }); | |
| }, /Lambda Functions in a public subnet/); |
Comment on lines
247
to
265
| test.doesNotThrow(() => { | ||
| new lambda.Function(stack, 'PrivateLambda', { | ||
| code: new lambda.InlineCode('foo'), | ||
| handler: 'index.handler', | ||
| runtime: lambda.Runtime.NODEJS_10_X, | ||
| vpc, | ||
| vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE }, | ||
| }); | ||
| }); | ||
|
|
||
| test.doesNotThrow(() => { | ||
| new lambda.Function(stack, 'IsolatedLambda', { | ||
| code: new lambda.InlineCode('foo'), | ||
| handler: 'index.handler', | ||
| runtime: lambda.Runtime.NODEJS_10_X, | ||
| vpc, | ||
| vpcSubnets: { subnetType: ec2.SubnetType.ISOLATED }, | ||
| }); | ||
| }); |
There was a problem hiding this comment.
These assertions should be replaced with assertions that the CloudFormation template is correctly configured.
This will probably need to be split into separate tests for each subnet type.
There was a problem hiding this comment.
These assertions should be replaced with assertions that the CloudFormation template is correctly configured.
You mean like a hasResourceLike assertion?
nija-at
approved these changes
Aug 11, 2020
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify bot
pushed a commit
that referenced
this pull request
Sep 1, 2020
…10022) Fixes #10018. Fixes #10027. #9468 added a flag (`allowPublicSubnet`) to `FunctionProps`, but `PythonFunction` and `NodejsFunction` props derive from `FunctionOptions`. This renders these derived function constructs unable to bypass the public subnet check that occurs in the base `Function` construct. We can resolve this issue by moving `allowPublicSubnet` to `FunctionOptions`. I also moved `filesystem` up to `FunctionOptions` while I was here. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #8935
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license