amplify-education / serverless-vpc-discovery

Serverless plugin for discovering VPC / Subnet / Security Group configuration by name.
MIT License

Possible to reference a Security Group being created? #44

Open corydorning53 opened 3 years ago

corydorning53 commented 3 years ago

In my serverless.yml I create the following security group in the resources section:

resources:
  Resources:
      MySecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupDescription: Allow all outbound traffic, no inbound for Lambdas
          SecurityGroupEgress:
            - IpProtocol: tcp
              FromPort: 443
              ToPort: 443
              CidrIp: 0.0.0.0/0
          VpcId: ${self:custom.${self:provider.stage}.vpcId}

Then in my functions I reference it as:

functions:
  mylambda:
    handler: api/my.lambda
    runtime: nodejs14.x
    vpc:
      securityGroupIds:
        - Ref: MySecurityGroup

This has the side effect of giving the following configuration warning, even though it's not really an issue, because I reference the subnets in the custom.vpcDiscovery:

Serverless: Configuration warning:
Serverless:   at 'functions.myLambda.vpc': should have required property 'subnetIds'

So I was wondering if I could remove the vpc.securityGroupIds altogether and just reference MySecurityGroup in the plugin config:

  vpcDiscovery:
    vpcName: ${self:custom.tk.vpc}
    subnets:
      - tagKey: Name
        tagValues:
          - app_sn_0
          - app_sn_1
          - app_sn_2
    securityGroups:
      - Ref: MySecurityGroup

missedone commented 3 years ago

I have the exact same case: the SG is created with the Serverless Framework, and I want the serverless-vpc-discovery plugin to discover subnets only.

corydorning53 commented 3 years ago

Any plans to implement this? Asking because if I add configValidationMode: error to my serverless.yml, it breaks.

corydorning commented 2 years ago

Bumping this issue... as it still persists and Serverless v3 has been released.

rcwsr commented 2 years ago

Same issue here, I am also using this plugin to discover subnets of an existing VPC, but defining a security group as a resource and I get the same validation warning.

Bonus, it would also be really nice to get access to the resolved VPC ID from this plugin, so that you don't have to define both a VPC name for auto-discovery and a VPC ID that needs to be referenced in the SG resource.

@corydorning I know it was a year ago now, but did you find a way to work with this?