VPC config support in Lambda functions

fixes #5105
hashicorp · Feb 16, 2016 · 3baabb0 · 3baabb0
1 parent 97af014
commit 3baabb0
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 0 deletions.
diff --git a/builtin/providers/aws/resource_aws_lambda_function.go b/builtin/providers/aws/resource_aws_lambda_function.go
@@ -83,6 +83,29 @@ func resourceAwsLambdaFunction() *schema.Resource {
  Default: 3,
  ForceNew: true, // TODO make this editable
  },
+ "vpc_config": &schema.Schema{
+ Type: schema.TypeList,
+ Optional: true,
+ ForceNew: true,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "subnet_ids": &schema.Schema{
+ Type: schema.TypeSet,
+ Required: true,
+ ForceNew: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Set: schema.HashString,
+ },
+ "security_group_ids": &schema.Schema{
+ Type: schema.TypeSet,
+ Required: true,
+ ForceNew: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Set: schema.HashString,
+ },
+ },
+ },
+ },
  "arn": &schema.Schema{
  Type: schema.TypeString,
  Computed: true,
@@ -149,6 +172,31 @@ func resourceAwsLambdaFunctionCreate(d *schema.ResourceData, meta interface{}) e
  Timeout: aws.Int64(int64(d.Get("timeout").(int))),
  }
 
+ if v, ok := d.GetOk("vpc_config"); ok {
+ configs := v.([]interface{})
+
+ if len(configs) > 1 {
+ return errors.New("Only a single vpc_config block is expected")
+ } else if len(configs) == 1 {
+ config := configs[0].(map[string]interface{})
+ var subnetIds []*string
+ for _, id := range config["subnet_ids"].(*schema.Set).List() {
+ subnetIds = append(subnetIds, aws.String(id.(string)))
+ }
+
+ var securityGroupIds []*string
+ for _, id := range config["security_group_ids"].(*schema.Set).List() {
+ securityGroupIds = append(securityGroupIds, aws.String(id.(string)))
+ }
+
+ var vpcConfig = &lambda.VpcConfig{
+ SubnetIds: subnetIds,
+ SecurityGroupIds: securityGroupIds,
+ }
+ params.VpcConfig = vpcConfig
+ }
+ }
+
  // IAM profiles can take ~10 seconds to propagate in AWS:
  // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#launch-instance-with-role-console
  // Error creating Lambda function: InvalidParameterValueException: The role defined for the task cannot be assumed by Lambda.
@@ -157,10 +205,12 @@ func resourceAwsLambdaFunctionCreate(d *schema.ResourceData, meta interface{}) e
  if err != nil {
  if awserr, ok := err.(awserr.Error); ok {
  if awserr.Code() == "InvalidParameterValueException" {
+ log.Printf("[DEBUG] InvalidParameterValueException creating Lambda Function: %s", awserr)
  // Retryable
  return awserr
  }
  }
+ log.Printf("[DEBUG] Error creating Lambda Function: %s", err)
  // Not retryable
  return resource.RetryError{Err: err}
  }
@@ -207,6 +257,7 @@ func resourceAwsLambdaFunctionRead(d *schema.ResourceData, meta interface{}) err
  d.Set("role", function.Role)
  d.Set("runtime", function.Runtime)
  d.Set("timeout", function.Timeout)
+ d.Set("vpc_config", flattenLambdaVpcConfigResponse(function.VpcConfig))
 
  return nil
 }

diff --git a/builtin/providers/aws/resource_aws_lambda_function_test.go b/builtin/providers/aws/resource_aws_lambda_function_test.go
@@ -97,6 +97,36 @@ func testAccCheckAWSLambdaAttributes(function *lambda.GetFunctionOutput) resourc
 }
 
 const testAccAWSLambdaConfig = `
+resource "aws_iam_role_policy" "iam_policy_for_lambda" {
+ name = "iam_policy_for_lambda"
+ role = "${aws_iam_role.iam_for_lambda.id}"
+ policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Resource": "arn:aws:logs:*:*:*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateNetworkInterface"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
+EOF
+}
+
 resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda"
  assume_role_policy = <<EOF
@@ -116,10 +146,48 @@ resource "aws_iam_role" "iam_for_lambda" {
 EOF
 }
 
+resource "aws_vpc" "vpc_for_lambda" {
+ cidr_block = "10.0.0.0/16"
+}
+
+resource "aws_subnet" "subnet_for_lambda" {
+ vpc_id = "${aws_vpc.vpc_for_lambda.id}"
+ cidr_block = "10.0.1.0/24"
+
+ tags {
+ Name = "lambda"
+ }
+}
+
+resource "aws_security_group" "sg_for_lambda" {
+ name = "sg_for_lambda"
+ description = "Allow all inbound traffic for lambda test"
+ vpc_id = "${aws_vpc.vpc_for_lambda.id}"
+
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
 resource "aws_lambda_function" "lambda_function_test" {
  filename = "test-fixtures/lambdatest.zip"
  function_name = "example_lambda_name"
  role = "${aws_iam_role.iam_for_lambda.arn}"
  handler = "exports.example"
+
+ vpc_config = {
+ subnet_ids = ["${aws_subnet.subnet_for_lambda.id}"]
+ security_group_ids = ["${aws_security_group.sg_for_lambda.id}"]
+ }
 }
 `
diff --git a/builtin/providers/aws/structure.go b/builtin/providers/aws/structure.go
@@ -15,6 +15,7 @@ import (
  "github.com/aws/aws-sdk-go/service/elasticache"
  elasticsearch "github.com/aws/aws-sdk-go/service/elasticsearchservice"
  "github.com/aws/aws-sdk-go/service/elb"
+ "github.com/aws/aws-sdk-go/service/lambda"
  "github.com/aws/aws-sdk-go/service/rds"
  "github.com/aws/aws-sdk-go/service/redshift"
  "github.com/aws/aws-sdk-go/service/route53"
@@ -680,6 +681,20 @@ func flattenDSVpcSettings(
  return []map[string]interface{}{settings}
 }
 
+func flattenLambdaVpcConfigResponse(s *lambda.VpcConfigResponse) []map[string]interface{} {
+ settings := make(map[string]interface{}, 0)
+
+ if s == nil {
+ return nil
+ }
+
+ settings["subnet_ids"] = schema.NewSet(schema.HashString, flattenStringList(s.SubnetIds))
+ settings["security_group_ids"] = schema.NewSet(schema.HashString, flattenStringList(s.SecurityGroupIds))
+ settings["vpc_id"] = *s.VpcId
+
+ return []map[string]interface{}{settings}
+}
+
 func flattenDSConnectSettings(
  customerDnsIps []*string,
  s *directoryservice.DirectoryConnectSettingsDescription) []map[string]interface{} {