
Lambda as ALB target in Cloudformation #721

Open
ssoulier opened this issue Dec 14, 2018 · 28 comments

@ssoulier

commented Dec 14, 2018

Hi,

Could you please add to CloudFormation and SAM the ability to specify an event for Lambda which is an Application Load Balancer?

Thanks.

@rsram312


commented Dec 14, 2018

Went through the documentation. Not sure if it is updated either. Can you please add to the SAM template the ability to specify the ALB feature for Lambda?

@lorddelicious


commented Dec 17, 2018

Yes please, SAM ALB is needed. Discontinuing use of API Gateway due to high cost, transitioning to ALB.

@ssoulier

Author

commented Jan 30, 2019

Any update on this feature request?

@kauphylover


commented Jan 30, 2019

Another request to the AWS team to prioritize this!

@dbettin


commented Feb 1, 2019

Another request. Thanks!

@brettstack

Contributor

commented Feb 1, 2019

Absolutely. At a minimum we could add a new Event for ALB which creates the permission for you and you could specify your existing ALB. However, it's probably more likely that you want SAM to create the ALB target group for you, or maybe even the entire ALB (similar to how we create the API).

Would love to get some more feedback from everyone on this, including some SAM syntax.

@rsram312


commented Feb 2, 2019

@brettstack Ideally, what I was hoping is that SAM can create the entire ALB and register Lambda as a target. Probably the following capabilities might be required:

  1. Creating an ALB
  2. Creating a target group with target type as Lambda with options to enable health check
  3. Adding listeners to the ALB
  4. Adding listener rules to the ALB
  5. Adding permissions to the Lambda to access the ALB
  6. Register the targets with the target group

I am not exactly sure which of the above features are already available in SAM. So, please correct me if anything above is redundant.

Currently, I was using a workaround by creating a Lambda function which does all these operations and was invoking that lambda wherever required. However, the feature being available in SAM would be really handy in directly leveraging it within the SAM template.

@brettstack

Contributor

commented Feb 2, 2019

@rsram312 that's very useful. Do you have an existing minimal template that includes all of those required resources?

@rsram312


commented Feb 2, 2019

@brettstack The sample template I was using as workaround leverages boto3 to create those resources. If it might be of any use, I could probably send it over.

@deleugpn


commented Feb 6, 2019

For me the preference is in specifying an existing ALB and getting the target group and permissions created by SAM.

@kauphylover


commented Feb 7, 2019

I like what @deleugpn suggests - seems like the most natural way to go about it.

@brettstack

Contributor

commented Feb 7, 2019

We will try to accommodate all scenarios.

  1. Create everything for you (ALB, Group, Permissions)
  2. Create just Group and Permission
  3. Create just Permission

@deleugpn


commented Feb 7, 2019

I'm not sure if it would be possible, but I would guess that the following would be quite an amazing syntax:

      Events: 
        MyEventName:
          Type: ALB
          Properties:
            LoadBalancerArn: !ImportValue LoadBalancer
            ListenerArn: !ImportValue Listener
            CertificateArn: !ImportValue Certificate
            Condition: [...]

I don't know if I would need to specify anything else other than this.

The expected result would be something similar to this:

  HttpsListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
      - Type: forward
        TargetGroupArn: !Ref TargetGroup
      Conditions: [Available on the Event Property]
      ListenerArn: [Available on the Event Property]
      Priority: [This is a tricky one. I think we have no other option than to delegate this to the user to define, unfortunately]

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: lambda

@luketn


commented Mar 7, 2019

  Priority: [This is a tricky one. I think we have no other option than to delegate this to the user to define, unfortunately]

The valid range of priorities is from 1 - 50,000.

One approach we could take to this is to default the value to a random number from 40,000 to 50,000, catch the exception of an already used priority and choose again.

As long as the path / domain is unique, the priority should not matter.

@deleugpn


commented Mar 7, 2019

SAM would be limited to deploy up to 10,000 lambdas on a single Listener, I guess that's fine.

@ravibarkhani


commented Mar 20, 2019

Hello, does SAM support events from ALB now?
I tried to create a TargetGroup using CloudFormation; it fails in two ways:

  ALBTargetGroup: 
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Ref LoadBalancerName
      VpcId: !ImportValue "VPCCreate-VpcId"
      Port : 80
      Protocol: HTTP
      TargetType: lambda
  1. With the below template it fails with the error: "Port cannot be specified for target groups with target type 'lambda' (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: ValidationError; Request ID: 3eaa3569-4b36-11e9-a442-1f94e3803149)"

  2. When I do not provide the port in the above template it fails with the message "Property Port cannot be empty."

@kylegordon


commented Mar 20, 2019

This is still an issue. I get the same errors as @ravibarkhani

It's been 4 months since Lambda targets for ALBs were announced, and Cloudformation is lagging behind.

@keetonian

Contributor

commented Mar 25, 2019

You can use any cloudformation resource in your SAM templates; SAM does not alter these resources. You should be able to use any new feature from CFN in SAM without a SAM update unless an update is required to one of the AWS::Serverless::* resources.

If this doesn't work, it's an issue with either the configuration or CFN support, not SAM.

@s0enke

This comment has been minimized.

@brettstack

Contributor

commented Apr 23, 2019

Thanks @deleugpn for the proposed syntax #721 (comment) and @s0enke for the example. How might the input and output look for defining multiple paths/methods like we do for the Api event? That is, we should allow defining the Rule for advanced configuration, but for common use-cases (e.g. map this Path) we should provide simpler syntax which creates the necessary resources for you.

@phanssens1


commented May 25, 2019

Thanks @s0enke for putting that together, I've gone one step further to add custom subdomain and auth0 authentication to the template, enjoy:
https://www.peterhanssens.com.au/blog/2019-05/alb-to-lambda-with-auth0-authentication/

@metaskills


commented Jun 29, 2019

@s0enke Thanks for that sample code. For Rails & Lambda using SAM, we were able to sidestep official support for this by just using CloudFormation. For the Lamby/Rails community, we had no need for the sam local because Rails development is already easy and we use SAM as a means to define what we need in staging, production, etc.

customink/lamby#37

So maybe this helps shape what is needed for SAM to support this? How much should SAM build? I feel these are two distinct questions below after going thru this exercise with Lamby.

  • Syntactic sugar for CloudFormation?
  • CLI sam local server mocking an Application Load Balancer?

@raaone7


commented Jul 17, 2019

+1

@mneil


commented Aug 9, 2019

I'm concerned that the example, along with any examples I've found, for how to use Lambda behind an ALB leaves the lambda open to execution from any loadbalancer on AWS. The examples in this rails app do not show how to use SourceAccount or SourceArn to restrict access. I have been unable to launch a lambda using either of those restrictions behind an ALB successfully. Could someone update the example, or provide an example, of how to use lambda behind an ALB that does not allow access to the world the entire account?

Edited: The lambda is access to the entire account, not the world
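
A template lint for the concern raised in the comment above, as an added example that is not part of the thread or of SAM: it lists `AWS::Lambda::Permission` resources that grant the `elasticloadbalancing.amazonaws.com` principal invoke rights with neither `SourceArn` nor `SourceAccount` set. The function name `unscoped_alb_permissions` and the sample template are constructed for illustration.

```python
# Added example: flag ALB invoke permissions that carry no source restriction.
ALB_PRINCIPAL = "elasticloadbalancing.amazonaws.com"
SCOPING_KEYS = ("SourceArn", "SourceAccount")

# Constructed lint input (JSON form of a template), not a deployable stack
# and not taken from the thread.
TEMPLATE = {
    "Resources": {
        "TargetGroup": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
                        "Properties": {"TargetType": "lambda"}},
        "OpenInvokePermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "FunctionName": {"Fn::GetAtt": ["FunctionA", "Arn"]},
                "Action": "lambda:InvokeFunction",
                "Principal": ALB_PRINCIPAL,
            },
        },
        "ScopedInvokePermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "FunctionName": {"Fn::GetAtt": ["FunctionB", "Arn"]},
                "Action": "lambda:InvokeFunction",
                "Principal": ALB_PRINCIPAL,
                "SourceArn": {"Ref": "TargetGroup"},
            },
        },
    }
}


def unscoped_alb_permissions(template):
    """Return {logical_id: function_ref} for ALB invoke permissions that set
    neither SourceArn nor SourceAccount."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Lambda::Permission":
            continue
        props = resource.get("Properties") or {}
        if props.get("Principal") != ALB_PRINCIPAL:
            continue
        if not any(props.get(key) for key in SCOPING_KEYS):
            findings[logical_id] = props.get("FunctionName")
    return findings


if __name__ == "__main__":
    for logical_id, function in unscoped_alb_permissions(TEMPLATE).items():
        print(f"{logical_id}: no SourceArn/SourceAccount on {function}")
```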

@raaone7


commented Aug 10, 2019

@praneetap

Contributor

commented Aug 16, 2019

Thanks for the feedback @mneil! Could you send us some links to the examples you are referring to?

@luketn


commented Aug 22, 2019

BTW due to the long timeframe on this I’m using Serverless for ALB/lambda projects:
https://serverless.com/framework/docs/providers/aws/events/alb/

I’d suggest taking inspiration from their syntax - it’s pretty nice!

@deleugpn


commented Aug 22, 2019

I also stopped recommending SAM as the go-to tool for serverless deployment. AWS is developing and marketing serverless A LOT but lagging behind on CloudFormation / SAM A LOT as well. 3rd party tools are doing a much better job at supporting AWS-provided features than AWS themselves.
