feat(custom-resource): allow AwsCustomResource to be placed in vpc#21357
feat(custom-resource): allow AwsCustomResource to be placed in vpc#21357mergify[bot] merged 4 commits intoaws:mainfrom
Conversation
|
While this is a feature and may need a README update, I wasn't sure how to go about documenting that naturally; most of the docs go over the features more unique to |
|
|
https://github.com/aws/aws-cdk/tree/main/packages/%40aws-cdk/custom-resources#customizing-the-lambda-function-implementing-the-custom-resource discusses configuration a bit. Seems like a good place to add documentation for this. |
| /** | ||
| * Which subnets from the VPC to place the lambda function in. | ||
| * | ||
| * Only used if 'vpc' is supplied. Note: internet access for Lambdas |
There was a problem hiding this comment.
The comments here are doing a lot of heavy lifting. Rather than commenting that this can only be supplied if VPC is supplied, I think we need the contract/code to enforce this. Based off this I would be unclear if vpcSubnets is also required when vpc is supplied.
There was a problem hiding this comment.
I think like a lot of situations with lambda.Function this may be tricky? Because I think vpc.selectSubnets()/vpc.selectSubnets(undefined) will return private subnets if you only have private subnets and may return other values if that's not the case. It's a little hard to validate since ec2.SubnetSelection can have such a variety of options. The base construct seems to be pretty good at catching obviously-broken scenarios.
So I think the comments are just documenting some of the synth-time failures that can occur if the expected behavior isn't happening, even though those checks happen in the Lambda package and not here.
There was a problem hiding this comment.
Right, there's validation happening elsewhere that will catch some of this. Given that, there should be test cases to ensure that it fails how we expect it to fail in those scenarios.
| * Which subnets from the VPC to place the lambda function in. | ||
| * | ||
| * Only used if 'vpc' is supplied. Note: internet access for Lambdas | ||
| * requires a NAT gateway, so picking Public subnets is not allowed. |
There was a problem hiding this comment.
Another thing that needs to be enforced in code. What happens if someone picks public subnets? Will this fail at deployment time or at synth?
There was a problem hiding this comment.
I believe synth time.
aws-cdk/packages/@aws-cdk/aws-lambda/lib/function.ts
Lines 1131 to 1136 in 17f1ec8
This doesn't allow for passing the allowPublicSubnets prop.
| * | ||
| * @default - the Vpc default strategy if not specified | ||
| */ | ||
| readonly vpcSubnets?: ec2.SubnetSelection; |
There was a problem hiding this comment.
What happens if this is supplied when VPC is not? Does it fail silently/fail at deployment/fail at synth?
There was a problem hiding this comment.
I think it's just ignored? Which seems to be a pattern (here, with lambda.Function, and customresources.Provider). It's not especially ideal but it seems to be semi-predictable.
props.vpcSubnets I see in the Function construct, so no validation seems to be performed there to guard against it being passed senselessly.
If something is done to validate this prop here, it'd probably also need to work for the Provider construct.
aws-cdk/packages/@aws-cdk/custom-resources/lib/provider-framework/provider.ts
Lines 205 to 219 in 17f1ec8
There was a problem hiding this comment.
Having a value that just gets ignored is not a pattern I think we should be perpetuating. It's unfortunate that we haven't been validating this already because adding it to the right place (in lambda) could potentially break someone's code. We should, however, have enough test coverage added so that we know the answer to if/how this will fail.
There was a problem hiding this comment.
I agree. I've opened #21369 to at least have the conversation about throwing an Error. And maybe at least it could fall back to an Annotations.of(this).addWarning() either here or there. But I'll save the specific of that discussion for that PR.
Pull request has been modified.
|
I've added an example to the README. Thanks for the suggestion on location. I added an additional example to be able to talk more about the And as mentioned in replies to individual line comments, it seems like Maybe there'd be value in adding a unit test to ensure that something like aws-cdk/packages/@aws-cdk/aws-lambda/test/vpc-lambda.test.ts Lines 316 to 325 in 17f1ec8 |
I commented on the comments above before seeing this one. I always err on the side of more tests so even though we have that test in lambda, I think we should add it here as well. Basically, for anything where we only think we know what the output will be, but we don't know for sure, should have a test case to ensure that output is what we expect. I also acknowledge that this is a higher test coverage than we've probably asked for in the past, but our test coverage is something that I'd like to improve going forward. |
TheRealAmazonKendra
left a comment
There was a problem hiding this comment.
As noted in in-line comments, please add some more test coverage to verify validation is working as expected and that it fails in the right ways.
Pull request has been modified.
This is almost certainly never something that a user would intend. As-is, `vpcSubnets` does nothing if `vpc` is unspecified, so the Lambda Function would have no interfaces placed in a VPC. This is unlikely what a user would have expected if they passed a set of private subnets. This should be an error to prevent users from accidentally thinking they've put a Lambda Function into a VPC. If throwing an Error is a breaking change and not acceptable, then perhaps at least a Warning Annotation should be added in this case. This is motivated by the feedback received during review of aws#21357.
Yeah, I think that makes a lot of sense. So I've added tests for the following configurations:
These feel like most of the typical cases. It's not possible to construct a VPC with only |
This is almost certainly never something that a user would intend. As-is, `vpcSubnets` does nothing if `vpc` is unspecified, so the Lambda Function would have no interfaces placed in a VPC. This is unlikely what a user would have expected if they passed a set of private subnets. This should be an error to prevent users from accidentally thinking they've put a Lambda Function into a VPC. If throwing an Error is a breaking change and not acceptable, then perhaps at least a Warning Annotation should be added in this case. This is motivated by the feedback received during review of aws#21357.
|
So, I've been thinking about this and, after taking a look at the linked issue that was resolved, I feel unclear about what the value add here is. Given that I'm still relatively new, I've asked @rix0rrr to take a look at this. |
Thanks for the review and the feedback that you have given so far! For clarification, if you mean the issue on cdklabs/cdk-nag, that was just about telling that tool how to ignore this problem. For compliance reasons, I'd still really like to be able to actually put But in any case, |
This is almost certainly never something that a user would intend. As-is, `vpcSubnets` does nothing if `vpc` is unspecified, so the Lambda Function would have no interfaces placed in a VPC. This is unlikely to be what a user would have expected if they passed a set of private subnets. This should be an error to prevent users from accidentally thinking they've put a Lambda Function into a VPC. If throwing an Error is a breaking change and not acceptable, then perhaps at least a Warning Annotation should be added in this case. This is motivated by the feedback received during review of #21357. ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
I've also updated the tests now that #21369 has been merged to follow the pattern of expecting various error conditions. |
|
Going to convert this to draft -- I accidentally checked in snapshots from a dry run and I don't think this can be properly implemented until #21348 is resolved. |
This will allow for users with a need for all Lambda functions to be placed in a VPC to more easily adopt the use of `AwsCustomResource`. This is implemented by accepting a `vpc` and `vpcSubnets` property and passing those up to the created `SingletonFunction`. Then tests are added to ensure that it builds correctly and that errors are thrown in the expected circumstances (in the same situations that `lambda.Function` does).
985d55d to
976bd50
Compare
|
Okay, I think this is ready for review again now that #21369 (and #21572) and #21495 have been merged that fix various related issues with this. Overall, the functionality remains the same. I ran into some issues with the merge after this so I rebased, which I know may make review of the incremental changes a little harder (but honestly whatever I did to the merge this time wouldn't have helped and it's been awhile since the last change on this branch anyway). After the rebase, I re-ran the new integration test (without I've also updated the PR opening message with more clarification on the purpose for this change. I'll wait for the build bot to come back with results (hopefully all green) before formally marking this as ready for review. |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Oops! Looks like #21856. I'll re-run the new integration test. |
This is due to changes in the default setup for integration tests, not anything changed in this package specifically.
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
This will allow for users with a need for all Lambda functions to be
placed in a VPC to more easily adopt the use of
AwsCustomResource.This is implemented by accepting a
vpcandvpcSubnetsproperty andpassing those up to the created
SingletonFunction. Then tests areadded to ensure that it builds correctly and that errors are thrown in
the expected circumstances (in the same situations that
lambda.Functiondoes).This mimics the setup already used by
Providerin the same package.All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license