silvermine / serverless-plugin-cloudfront-lambda-edge

Adds Lambda@Edge support to Serverless
MIT License

Associate existing distribution based on ARN #15

Closed alexandrubese closed 6 years ago

alexandrubese commented 6 years ago

Hi, I was planning to use your plugin but I face a problem: I already have a CloudFront distribution and would like to associate it directly based on its ARN, for example:

    lambdaAtEdge:
      distribution: 'arn:aws:cloudfront::accountid:distribution/distributionId'
      eventType: 'origin-response'

In your WebsiteDistribution example I couldn't see any association based on ARN or so on, which in the end would create a new CloudFront distribution, something I do not want.

Is there a way to achieve this?

Thanks in advance,

jthomerson commented 6 years ago

@alexandrubese no, sorry, that's not the intent of the plugin. The intent all along was that it would update your CloudFront distribution (definition in the CloudFormation template) before sending it to CloudFormation. That would allow your functions to be associated as soon as the CloudFront distribution was created. Unfortunately, in version 1.0 of this plugin that wasn't possible because CloudFormation did not support Lambda@Edge. Now CloudFormation does support Lambda@Edge, so in the upcoming version 2.0 of this plugin we will take advantage of that (see the work already done on master).

The problem with associating a function with an existing CloudFront distribution is that it means:

  1. Updating the entire distribution using UpdateDistribution. This has its risks because it's not an atomic operation - read the distribution configuration, then update it in-memory, then submit that back to the UpdateDistribution API.
  2. It means deploying the CloudFront distribution twice - once however you're already deploying it, and then once to add the Lambda@Edge associations.
  3. Whatever you have that's managing your CloudFront distribution could potentially remove your Lambda@Edge associations (e.g. if you're using another CloudFormation stack to manage the distribution).

Those issues are a) bad for the developer, but also b) could lead to security issues. For example, we want to use Lambda@Edge functions to provide authorization to a distribution. If some other CloudFormation stack managed our CloudFront distribution and erased our (separately configured) Lambda@Edge associations, our security would be gone. That's why we want them always baked into the distribution 100% of the time.

If you still really need your use case after considering all that, just look at v1.0.0 of the code for this plugin: it did essentially what you were asking for by associating Lambda@Edge functions with an existing distribution. You can fork that code to make your own plugin for that use case, or copy the code and do a local plugin: https://github.com/silvermine/serverless-plugin-cloudfront-lambda-edge/blob/v1.0.0/src/index.js
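The approach the maintainer describes above (rewrite the distribution definition inside the CloudFormation template so the Lambda@Edge associations ship with the distribution, instead of patching a live distribution with UpdateDistribution), as an added JavaScript example. This is not the plugin's own code. It assumes a template object of the shape Serverless hands to CloudFormation, a distribution resource with the logical ID WebsiteDistribution, and a Ref to an AWS::Lambda::Version resource named AuthorizerVersion; the sample template is constructed inline. The second function is the check that point 3 above calls for: it reports which cache behaviours no longer carry a required association, so an authorization function that some other stack stripped is caught before deploy rather than discovered as an open distribution.

```javascript
'use strict';
// Added example, not the plugin's own code: bake Lambda@Edge associations into
// the CloudFront distribution resource of a CloudFormation template object
// before the template is sent to CloudFormation, and check they are still there.
// Resource names and the Ref'd Lambda version below are assumptions.

// The four event types CloudFront accepts in LambdaFunctionAssociations.
const EVENT_TYPES = ['viewer-request', 'origin-request', 'origin-response', 'viewer-response'];

// ARN values in a template are often intrinsic functions ({ Ref: ... },
// { 'Fn::GetAtt': ... }) rather than strings, so compare them structurally.
function sameArn(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Every cache behaviour of the distribution with the given logical ID, named so
// that drift reports can point at the right one. Throws if the resource is not
// a CloudFront distribution, so a typo cannot silently produce "nothing to do".
function cacheBehaviours(template, logicalId) {
  const resource = (template.Resources || {})[logicalId];
  if (!resource || resource.Type !== 'AWS::CloudFront::Distribution') {
    throw new Error(`${logicalId} is not an AWS::CloudFront::Distribution in this template`);
  }
  const cfg = resource.Properties.DistributionConfig;
  const out = [];
  if (cfg.DefaultCacheBehavior) out.push({ name: 'DefaultCacheBehavior', behaviour: cfg.DefaultCacheBehavior });
  (cfg.CacheBehaviors || []).forEach((b, i) => out.push({ name: `CacheBehaviors[${i}]`, behaviour: b }));
  return out;
}

// Attach lambdaArn to eventType on every cache behaviour; returns how many
// behaviours changed. Idempotent: an identical association is left alone, and a
// different ARN for the same event type replaces it, because CloudFront allows
// only one function per event type per behaviour.
function addLambdaEdgeAssociation(template, logicalId, eventType, lambdaArn) {
  if (!EVENT_TYPES.includes(eventType)) {
    throw new Error(`unknown Lambda@Edge event type: ${eventType}`);
  }
  let changed = 0;
  for (const { behaviour } of cacheBehaviours(template, logicalId)) {
    if (!behaviour.LambdaFunctionAssociations) behaviour.LambdaFunctionAssociations = [];
    const assocs = behaviour.LambdaFunctionAssociations;
    const existing = assocs.find((a) => a.EventType === eventType);
    if (existing && sameArn(existing.LambdaFunctionARN, lambdaArn)) continue;
    if (existing) {
      existing.LambdaFunctionARN = lambdaArn;
    } else {
      assocs.push({ EventType: eventType, LambdaFunctionARN: lambdaArn });
    }
    changed += 1;
  }
  return changed;
}

// Drift check: names of the cache behaviours that do NOT carry the required
// association. For an authorization function the expected answer is [] on every
// deploy; anything else means some other tooling stripped it.
function behavioursMissing(template, logicalId, eventType, lambdaArn) {
  return cacheBehaviours(template, logicalId)
    .filter(({ behaviour }) => !(behaviour.LambdaFunctionAssociations || [])
      .some((a) => a.EventType === eventType && sameArn(a.LambdaFunctionARN, lambdaArn)))
    .map(({ name }) => name);
}

// Constructed sample template: one default behaviour plus one path behaviour.
function sampleTemplate() {
  return {
    Resources: {
      WebsiteDistribution: {
        Type: 'AWS::CloudFront::Distribution',
        Properties: {
          DistributionConfig: {
            Enabled: true,
            DefaultCacheBehavior: { TargetOriginId: 'S3Origin', ViewerProtocolPolicy: 'redirect-to-https' },
            CacheBehaviors: [
              { PathPattern: '/api/*', TargetOriginId: 'ApiOrigin', ViewerProtocolPolicy: 'https-only' },
            ],
          },
        },
      },
    },
  };
}

function demo() {
  // Lambda@Edge needs a versioned function ARN; AuthorizerVersion is an assumed
  // AWS::Lambda::Version resource defined elsewhere in the same template.
  const authorizer = { Ref: 'AuthorizerVersion' };
  const template = sampleTemplate();
  addLambdaEdgeAssociation(template, 'WebsiteDistribution', 'viewer-request', authorizer);
  console.log(JSON.stringify(template.Resources.WebsiteDistribution, null, 2));
  console.log('behaviours missing the authorizer:',
    behavioursMissing(template, 'WebsiteDistribution', 'viewer-request', authorizer));
}

demo();
```

Because the association is written into the same template that creates the distribution, there is no second deploy and no read-modify-write against the live distribution; a stack that owns the distribution and does not carry the association will show up in behavioursMissing rather than quietly shipping without the authorizer.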