amazon-web-services - 如何通过CloudFormation模板将lambda放入VPC中

Question

我正在通过 SAM 使用 CloudFormation 开发 lambda

我的template.yaml在这里。

可以部署，但是该 lambda 未在 VPC 中设置。

我想将 lambda 放入默认 VPC(以访问 RDS)

这里可以使用任何设置，否则我应该做其他的事情？

(并且，模板自动生成 IAmRole，有什么方法可以将策略附加到它？例如 RDSFullAccess)

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  python3.9   Sample SAM Template for chatbot-sam

Parameters:
  DBNAME:
    Type: String
  DBUSER:
    Type: String
  DBPASSWORD:
    Type: String
  DBHOST:
    Type: String
  DBPORT:
    Type: String
  LINELONGLIVETOKEN:
    Type: String
Globals:
  Function:
    Timeout: 30
    Environment:
      Variables:
        DBNAME: !Ref DBNAME
        DBUSER: !Ref DBUSER
        DBPASSWORD: !Ref DBPASSWORD
        DBHOST: !Ref DBHOST
        DBPORT: !Ref DBPORT  
        LINELONGLIVETOKEN: !Ref LINELONGLIVETOKEN  
Resources:
  WebhookFunction:
    Type: AWS::Serverless::Function 
    Properties:
      PackageType: Image
      Architectures:
        - x86_64
      Events:
        Webhook:
          Type: Api 
          Properties:
            Path: /webhook
            Method: post
    Metadata:
      Dockerfile: Dockerfile.webhook
      DockerContext: ./chatbotapp
      DockerTag: python3.9-v1




Outputs:
  WebhookApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/webhook/"
  WebhookFunction:
    Description: "Webhook Lambda Function ARN"
    Value: !GetAtt WebhookFunction.Arn
  WebhookFunctionIamRole:
    Description: "Implicit IAM Role created for Webhook function"
    Value: !GetAtt WebhookFunctionRole.Arn

我更新了。

附加 VpcConfig 和 Policies ，但看起来没有变化。

lambda -> 设置 -> vpc，没有 vpc 设置，找不到它属于 SecurityGroup 和 Subnet 的线索

  Policies: AWSLambdaVPCAccessExecutionRole
  VpcConfig:
    SubnetIds:
      - subnet-fb6fa4d0
      - subnet-bf8ab8e4
    SecurityGroupIds:
      - sg-0641506b4ec3782de


AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  python3.9   Sample SAM Template for chatbot-sam

Parameters:
  DBNAME:
    Type: String
  DBUSER:
    Type: String
  DBPASSWORD:
    Type: String
  DBHOST:
    Type: String
  DBPORT:
    Type: String
  LINELONGLIVETOKEN:
    Type: String
Globals:
  Function:
    Timeout: 30
    Environment:
      Variables:
        DBNAME: !Ref DBNAME
        DBUSER: !Ref DBUSER
        DBPASSWORD: !Ref DBPASSWORD
        DBHOST: !Ref DBHOST
        DBPORT: !Ref DBPORT  
        LINELONGLIVETOKEN: !Ref LINELONGLIVETOKEN  
Resources:
  WebhookFunction:
    Type: AWS::Serverless::Function 
    Properties:
      PackageType: Image
      Architectures:
        - x86_64
      Events:
        Webhook:
          Type: Api 
          Properties:
            Path: /webhook
            Method: post
      Policies: AWSLambdaVPCAccessExecutionRole
      VpcConfig:
        SubnetIds:
          - subnet-fb6fa4d0
          - subnet-bf8ab8e4
        SecurityGroupIds:
          - sg-0641506b4ec3782de
    Metadata:
      Dockerfile: Dockerfile.webhook
      DockerContext: ./chatbotapp
      DockerTag: python3.9-v1




Outputs:
  WebhookApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/webhook/"
  WebhookFunction:
    Description: "Webhook Lambda Function ARN"
    Value: !GetAtt WebhookFunction.Arn
  WebhookFunctionIamRole:
    Description: "Implicit IAM Role created for Webhook function"
    Value: !GetAtt WebhookFunctionRole.Arn

Answer 1

您需要将 VpcConfig 添加到函数定义的属性中。您可以查看如何使用 here 的示例.

您还可以向为该功能创建的默认角色添加策略，或者您可以提供自己的角色，在这种情况下，将不会创建默认角色。