nervous-systems / cljs-lambda

Utilities around deploying Clojurescript functions to AWS Lambda
The Unlicense

VPC configuration #47

Closed zrzka closed 7 years ago

zrzka commented 7 years ago

There's no way to configure a VPC for a Lambda function. We use it heavily now and have to do it manually.

There's --vpc-config in AWS CLI for lambda create-function and lambda update-function-configuration. Documentation says:

   --vpc-config (structure)
      If your Lambda function accesses resources in  a  VPC,  you  provide
      this parameter identifying the list of security group IDs and subnet
      IDs. These must belong to the same VPC. You must  provide  at  least
      one security group and one subnet ID.

   Shorthand Syntax:

      SubnetIds=string,string,SecurityGroupIds=string,string

So, my proposal is to add :vpc-config which will accept shorthand syntax. So, Lambda configuration can look like:

{:name ...
 :invoke ...
 :role ...
 :vpc-config "SubnetIds=a,b,SecurityGroupIds=d,e"}

Or we can split it to :vpc-subnet-ids and :vpc-security-group-ids. Depends.

The first one is easier to maintain in case the AWS CLI changes in the future. Which one do you like more? I'll create a pull request, I just want to discuss it before I really do it.

moea commented 7 years ago

That sounds good. Splitting it, or having it be :vpc {:subnets [] :security-groups []} (which is my personal preference) would be great, but I'm not likely to cause a fuss if you prefer something that still provides the equivalent functionality.

The only snag I'd mention is making sure that the config gets transparently added remotely on the next deploy of a function, if added to a fn which didn't have a vpc config when first deployed. Which I think just involves including the configuration values in the comparison that's done in aws.clj when retrieving function configuration before each deploy.

zrzka commented 7 years ago

Okay, I like :vpc {:subnets .... No problem with it.

Scenarios

Lambda not deployed

This one's pretty easy, because we can add --vpc-config to AWS CLI call.

Lambda already deployed, but without VPC

We can enhance same-config? in aws.clj to compare configuration and if it differs, update-function-configuration will be issued.

Lambda already deployed, with VPC, but VPC removed from config

Same as the previous one. We can enhance same-config? and remove VPC configuration with update-function-configuration.

The only thing I have to test is how to remove the VPC configuration. Maybe an empty string in --vpc-config can do it. Will investigate. If it works, we will have to enhance cljs-lambda so that --vpc-config "" is always passed when :vpc is not present. This one needs to be checked.

Today/tomorrow we're releasing new production versions, so, I'll start on this on Friday, maybe next week, still time to think about it.
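
The three scenarios above reduce to one comparison between the declared :vpc map and the deployed VpcConfig. The following is an added example, not part of the thread and not cljs-lambda's own code: all function names are hypothetical, the remote map is assumed to be the VpcConfig structure from get-function-configuration parsed with keyword keys, and detaching is assumed to use the empty-list shorthand SubnetIds=[],SecurityGroupIds=[] rather than an empty string.

```clojure
(ns example.vpc-drift
  (:require [clojure.string :as str]))

;; Added illustration; every name below is hypothetical.

(defn- normalize
  "Order-insensitive view of a VPC attachment. nil and empty lists both
  mean 'not attached to a VPC', so a function deployed without VPC
  settings compares equal to a config with no :vpc key."
  [subnets security-groups]
  {:subnets (set subnets) :security-groups (set security-groups)})

(defn local-vpc
  "The :vpc {:subnets [] :security-groups []} map from the function config."
  [{:keys [subnets security-groups]}]
  (normalize subnets security-groups))

(defn remote-vpc
  "The VpcConfig structure of the deployed function (assumed keyword keys)."
  [{:keys [SubnetIds SecurityGroupIds]}]
  (normalize SubnetIds SecurityGroupIds))

(defn- check!
  "Reject a half-specified :vpc: the CLI documentation quoted in the issue
  requires at least one security group and one subnet ID."
  [{:keys [subnets security-groups] :as vpc}]
  (when (not= (empty? subnets) (empty? security-groups))
    (throw (ex-info ":vpc needs at least one subnet and one security group" vpc)))
  vpc)

(defn vpc-config-arg
  "nil when the deployed function already matches the local config,
  otherwise the value to pass as --vpc-config on update."
  [local remote]
  (let [want (check! (local-vpc local))
        have (remote-vpc remote)]
    (when (not= want have)
      (if (empty? (:subnets want))
        ;; Scenario 3: :vpc removed locally, so detach the function.
        "SubnetIds=[],SecurityGroupIds=[]"
        ;; Scenario 2, or changed IDs: push the declared attachment.
        (str "SubnetIds=" (str/join "," (sort (:subnets want)))
             ",SecurityGroupIds=" (str/join "," (sort (:security-groups want))))))))

(comment
  ;; Constructed sample IDs, one call per scenario discussed above.
  (vpc-config-arg {:subnets ["subnet-a" "subnet-b"] :security-groups ["sg-d"]} nil)
  (vpc-config-arg nil {:SubnetIds ["subnet-a"] :SecurityGroupIds ["sg-d"]}))
```

Comparing as sets keeps a reordered ID list from triggering a redundant update, while any added or dropped security group still counts as drift and is pushed on the next deploy.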

moea commented 7 years ago

Great, sounds good.

zrzka commented 7 years ago

Note ...

zrzka commented 7 years ago

Check https://github.com/nervous-systems/cljs-lambda/pull/48