How to put a Lambda into a VPC via a CloudFormation template

whi*_*ear 5 amazon-web-services aws-cloudformation aws-sam aws-cdk

I am developing a Lambda with CloudFormation by SAM.

The template.yaml is here.

It can be deployed, but the Lambda is not set up in a VPC.

I want to put the Lambda in the default VPC (to access RDS).

Is there any setting that can be used here, or should I do something else?

(Also, the template auto-generates an IAM Role; is there any way to attach a policy to it? For example RDSFullAccess.)

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  python3.9   Sample SAM Template for chatbot-sam

Parameters:
  DBNAME:
    Type: String
  DBUSER:
    Type: String
  DBPASSWORD:
    Type: String
  DBHOST:
    Type: String
  DBPORT:
    Type: String
  LINELONGLIVETOKEN:
    Type: String
Globals:
  Function:
    Timeout: 30
    Environment:
      Variables:
        DBNAME: !Ref DBNAME
        DBUSER: !Ref DBUSER
        DBPASSWORD: !Ref DBPASSWORD
        DBHOST: !Ref DBHOST
        DBPORT: !Ref DBPORT  
        LINELONGLIVETOKEN: !Ref LINELONGLIVETOKEN  
Resources:
  WebhookFunction:
    Type: AWS::Serverless::Function 
    Properties:
      PackageType: Image
      Architectures:
        - x86_64
      Events:
        Webhook:
          Type: Api 
          Properties:
            Path: /webhook
            Method: post
    Metadata:
      Dockerfile: Dockerfile.webhook
      DockerContext: ./chatbotapp
      DockerTag: python3.9-v1
Outputs:
  WebhookApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/webhook/"
  WebhookFunction:
    Description: "Webhook Lambda Function ARN"
    Value: !GetAtt WebhookFunction.Arn
  WebhookFunctionIamRole:
    Description: "Implicit IAM Role created for Webhook function"
    Value: !GetAtt WebhookFunctionRole.Arn

I updated it.

I attached VpcConfig and Policies, but it looks like nothing changed.

Lambda -> Configuration -> VPC: there is no VPC setting, and I can't find any clue that it belongs to the SecurityGroup and Subnet.

  Policies: AWSLambdaVPCAccessExecutionRole
  VpcConfig:
    SubnetIds:
      - subnet-fb6fa4d0
      - subnet-bf8ab8e4
    SecurityGroupIds:
      - sg-0641506b4ec3782de


AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  python3.9   Sample SAM Template for chatbot-sam

Parameters:
  DBNAME:
    Type: String
  DBUSER:
    Type: String
  DBPASSWORD:
    Type: String
  DBHOST:
    Type: String
  DBPORT:
    Type: String
  LINELONGLIVETOKEN:
    Type: String
Globals:
  Function:
    Timeout: 30
    Environment:
      Variables:
        DBNAME: !Ref DBNAME
        DBUSER: !Ref DBUSER
        DBPASSWORD: !Ref DBPASSWORD
        DBHOST: !Ref DBHOST
        DBPORT: !Ref DBPORT  
        LINELONGLIVETOKEN: !Ref LINELONGLIVETOKEN  
Resources:
  WebhookFunction:
    Type: AWS::Serverless::Function 
    Properties:
      PackageType: Image
      Architectures:
        - x86_64
      Events:
        Webhook:
          Type: Api 
          Properties:
            Path: /webhook
            Method: post
      Policies: AWSLambdaVPCAccessExecutionRole
      VpcConfig:
        SubnetIds:
          - subnet-fb6fa4d0
          - subnet-bf8ab8e4
        SecurityGroupIds:
          - sg-0641506b4ec3782de
    Metadata:
      Dockerfile: Dockerfile.webhook
      DockerContext: ./chatbotapp
      DockerTag: python3.9-v1
Outputs:
  WebhookApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/webhook/"
  WebhookFunction:
    Description: "Webhook Lambda Function ARN"
    Value: !GetAtt WebhookFunction.Arn
  WebhookFunctionIamRole:
    Description: "Implicit IAM Role created for Webhook function"
    Value: !GetAtt WebhookFunctionRole.Arn

far*_*ski 10

You need to add a VpcConfig to the properties of the function definition. You can see an example of how to use it here.

You can also add policies to the default role created for the function, or you can provide your own role, in which case the default role will not be created.
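As an added example (not the asker's or answerer's template), here is a function definition that puts both keys where SAM expects them, under Properties at the same level as Events, and attaches a narrowly scoped policy to the implicit role instead of a broad managed policy such as RDSFullAccess. The subnet, security group and DB resource id parameters are placeholders, and the rds-db:connect statement assumes IAM database authentication is enabled on the RDS instance.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  # Placeholders: supply the private subnets and security group of your own VPC.
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  LambdaSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  DbResourceId:
    Type: String   # hypothetical RDS DbiResourceId (db-XXXXXXXX), used to scope rds-db:connect

Resources:
  WebhookFunction:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      Events:
        Webhook:
          Type: Api
          Properties:
            Path: /webhook
            Method: post
      # VpcConfig must sit under Properties; the function then runs inside these subnets
      # and its traffic is governed by the listed security group.
      VpcConfig:
        SubnetIds: !Ref PrivateSubnetIds
        SecurityGroupIds:
          - !Ref LambdaSecurityGroupId
      # Policies are attached to the implicit role (WebhookFunctionRole).
      # The managed policy lets Lambda create the ENIs it needs in the VPC;
      # the inline statement grants only the database connect permission for one user.
      # Alternatively, set Role to the ARN of a role you manage and SAM creates no implicit role.
      Policies:
        - AWSLambdaVPCAccessExecutionRole
        - Statement:
            - Effect: Allow
              Action: rds-db:connect
              Resource: !Sub arn:aws:rds-db:${AWS::Region}:${AWS::AccountId}:dbuser:${DbResourceId}/webhook_user
    Metadata:
      Dockerfile: Dockerfile.webhook
      DockerContext: ./chatbotapp
      DockerTag: python3.9-v1
```

After deploying, verify in the console under Configuration -> VPC that the subnets and security group appear, and make sure the RDS instance's security group allows inbound traffic on the DB port from LambdaSecurityGroupId. A function inside a VPC loses its default internet path, so outbound calls (for example to the LINE API) need a NAT gateway or VPC endpoint in those subnets.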