[cloudfront] [lambda] Cross-region Lambda construct for Lambda@Edge #9862
Comments
njlynch
added
p2
feature-request
|
@njlynch This might be premature to ask right now, but would it be possible to handle Lambda@Edge scenarios where experimenting with it (especially renaming/deleting) causes stack deployments to fail due to the nature of lambda@edge versioning? Due to this we've elected to move out L@E into separate stack/repo (that and region issue of course)... Same goes for ACM :).
Note: I've noticed this by using aws-solutions-construct library which currently uses older version of the aws-cloudfront constructs (awslabs/aws-solutions-constructs#39). Also, aws-solutions-constructs doesn't do multi-region deployments for their aws-cloudfront-s3 solution (everything goes into us-east-1). Thus, this issue is something I'm excited to see in action (and it hopefully trickles down to aws-cloudfront-solutions repo at some point). 👍 |
DRAFT PR - Looking for early-stages feedback This PR creates a construct (`EdgeFunction`) for Lambda@Edge functions. CloudFront requires that a function be in us-east-1 to be used with Lambda@Edge, even if the logical distribution is created via another region. The initial goal of this construct is to make it easier to request and work with a function in us-east-1 when the primary stack is in another region. In the future, this can be extended to validate other Lambda@Edge restrictions. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html and #9833 for more information on those limitations. DRAFT -- What exists does work and has been successfully deployed with a CloudFront distribution based in eu-west-1, but all of the normal Lambda functionality (e.g., permissions) has not been verified to work yet. Some open questions: 1. Where does this belong? There are circular dependency issues with `custom-resources` that prevents this from being in `aws-lambda`. `aws-cloudfront` seems possibly the next-best thing, but I can also see an argument for moving this into its own module. 2. Does this approach (creating a new stack and using SSM + an AWS custom resource) make sense, or should another approach be taken? 3. I intentionally didn't extend from `FunctionBase` in order to override most of the methods there to redirect to the delegate function; it's not clear (yet) that this will work and/or is a good idea. Feedback welcome. Thanks to @asterikx for the inspiration and consolidated writeup in #1575. fixes #9862
DRAFT PR - Looking for early-stages feedback This PR creates a construct (`EdgeFunction`) for Lambda@Edge functions. CloudFront requires that a function be in us-east-1 to be used with Lambda@Edge, even if the logical distribution is created via another region. The initial goal of this construct is to make it easier to request and work with a function in us-east-1 when the primary stack is in another region. In the future, this can be extended to validate other Lambda@Edge restrictions. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html and #9833 for more information on those limitations. Some open questions: 1. Is there a more clever way to "refresh" the SSM parameter reader when the underlying function changes? 2. How to make this and `edgeArn` play nicely together? Thanks to @asterikx for the inspiration and consolidated writeup in #1575. fixes #9862
DRAFT PR - Looking for early-stages feedback This PR creates a construct (`EdgeFunction`) for Lambda@Edge functions. CloudFront requires that a function be in us-east-1 to be used with Lambda@Edge, even if the logical distribution is created via another region. The initial goal of this construct is to make it easier to request and work with a function in us-east-1 when the primary stack is in another region. In the future, this can be extended to validate other Lambda@Edge restrictions. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html and #9833 for more information on those limitations. Some open questions: 1. Is there a more clever way to "refresh" the SSM parameter reader when the underlying function changes? 2. How to make this and `edgeArn` play nicely together? Thanks to @asterikx for the inspiration and consolidated writeup in #1575. fixes #9862
DRAFT PR - Looking for early-stages feedback This PR creates a construct (`EdgeFunction`) for Lambda@Edge functions. CloudFront requires that a function be in us-east-1 to be used with Lambda@Edge, even if the logical distribution is created via another region. The initial goal of this construct is to make it easier to request and work with a function in us-east-1 when the primary stack is in another region. In the future, this can be extended to validate other Lambda@Edge restrictions. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html and #9833 for more information on those limitations. Some open questions: 1. Is there a more clever way to "refresh" the SSM parameter reader when the underlying function changes? 2. How to make this and `edgeArn` play nicely together? Thanks to @asterikx for the inspiration and consolidated writeup in #1575. fixes #9862
|
@robertd did you ever find a workaround for dealing with Lambda@Edge functions? Waiting 24 hours to try and destroy again is pretty painful. A hack that would work is for the Lambda@Edge API to return a 200/204 when you try to delete a replicated function. CloudFront is going to delete it automatically anyways, so why give the user a spurious error? I posted a forum thread, if anyone would like to show support for the idea: https://forums.aws.amazon.com/thread.jspa?threadID=331402 |
|
@jbaileyashe Unfortunately no. We have name suffix randomizer component added to our Lambda@Edge functions so that each time we make change new function is deployed (rather than changed/deleted) and associated to our CF distro. Then we clean them up later on through scheduled task thru Gitlab CI/CD. Edit: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-delete-replicas.html and https://aws.amazon.com/blogs/networking-and-content-delivery/managing-lambdaedge-and-cloudfront-deployments-by-using-a-ci-cd-pipeline/
|
|
Our teams have also had success with a custom resource provider that creates the source code s3 bucket and lambda function using the aws sdk. It's a bit ick, but it lets you keep everything in one stack. I can't share code, but basically:
I'm glad this problem is being addressed since it's been a huge pita for us, but are you also putting pressure on the Lambda@Edge / ACM teams to remove this constraint? |
This PR creates a construct (`EdgeFunction`) for Lambda@Edge functions. CloudFront requires that a function be in us-east-1 to be used with Lambda@Edge, even if the logical distribution is created via another region. The initial goal of this construct is to make it easier to request and work with a function in us-east-1 when the primary stack is in another region. In the future, this can be extended to validate other Lambda@Edge restrictions. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html and #9833 for more information on those limitations. Thanks to @asterikx for the inspiration and consolidated writeup in #1575. Related changes: * When updating the CloudFront README, I noticed that the `Distribution` sub-section hadn't been updated when it was flipped from Experimental to Dev Preview. * A minor docstring fix for Lambda. fixes #9862 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Create a construct (e.g.,
EdgeLambda) which facilitates defining Lambda functions cross-region.Use Case
CloudFront is a "global" service, but requires that both certificates and Lambda@Edge functions be defined in
us-east-1(N Virginia) to use them with a distribution. This creates a lot of overhead for users who have stacks that include CloudFront in different regions.Customers must have separate stacks to host the Lambda function, then use SSM (or another alternative) to communicate the ARN between stacks. See #1575 (comment) for a detailed explanation of the process as it exists today.
Proposed Solution
The other CloudFront-constrained service (AWS Certificate Manager) has a custom resource for this purpose:
DnsValidationCertificate. Stealing ideas from that pattern may be useful. One of the complications for Lambda (vs ACM) is that Lambda functions often require assets, which is more heavy-weight than just passing the defining parameters/props.CodePipeline has a mechanism for cross-region deployments (see the README section titled 'Cross-region CodePipelines'). This relies on creating sub-stacks in the target region with defined buckets for replicating the assets:
aws-cdk/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts
Line 467 in b5f2f75
This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: