Prevent CloudFormation from removing Lambda Edge associations with CloudFront

I use CloudFormation to manage a CloudFront distribution.

In this CloudFront distribution, I linked the Lambda Edge function (without using CloudFormation).

The problem is that when I upgrade the CloudFront distribution with the same CloudFormation stack, it removes all Lambda Edge associations.

How to prevent this?

This is really unsuccessful..

PS: Sometimes CloudFormation removes Lambda associations (when updating the certificate ARN, for example), and sometimes not.

Edit: I can try using https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html , but is there a less hacky way? No..

Edit: the same question on the AWS forum https://forums.aws.amazon.com/thread.jspa?threadID=274111 (login required)

1 answer

In CloudFront with CloudFormation, you can “deploy” the new Lambda@Edge features.

CloudFront and Lambda@Edge require a version of Lambda. Therefore, you need to make sure that your CloudFront template publishes a new version of the Lambda code changes and that your distribution uses the version alias.

CloudFormation Go/Lambda:

  WebAuthFunction:
    Properties:
      AutoPublishAlias: Live
      CodeUri: ./web/handlers/auth/index.zip
      Environment: !Ref AWS::NoValue
      FunctionName: !Sub ${AWS::StackName}-WebAuthFunction
      Handler: index.handler
      Role: !GetAtt WebAuthFunctionRole.Arn
      Runtime: nodejs6.10
    Type: AWS::Serverless::Function

  WebDistribution:
    Condition: WebDomainNameSpecified
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref WebDomainName
        Comment: !Sub Distribution for ${WebBucket}
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          Compress: true
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: true
          LambdaFunctionAssociations:
            - !If
              - OAuthClientIdSpecified
              - EventType: viewer-request
                LambdaFunctionARN: !Ref WebAuthFunction.Version
              - !Ref AWS::NoValue
          TargetOriginId: !Ref WebBucket
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName: !Sub ${WebBucket}.s3.amazonaws.com
            Id: !Ref WebBucket
            S3OriginConfig:
              OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${WebOriginAccessIdentity}
        PriceClass: PriceClass_All
        ViewerCertificate:
          AcmCertificateArn: !Ref WebCertificate
          SslSupportMethod: sni-only
    Type: AWS::CloudFront::Distribution
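A pre-update check for the situation in the question, as an added example that is not part of the original question or answer: it compares the Lambda@Edge associations on the live distribution with those the template declares, and flags any that exist only on the live side (such as an auth function on viewer-request attached by hand), since the stack does not manage those. It assumes both configs are in the `DistributionConfig` shape the CloudFront API returns and that the template side has already been resolved to that shape; the function names, account id and sample data are constructed.

```python
import re

# Lambda@Edge accepts only a numbered version ARN in us-east-1 (no alias, no $LATEST).
VERSION_ARN = re.compile(r"^arn:aws:lambda:us-east-1:\d{12}:function:[A-Za-z0-9_-]+:\d+$")

def associations(dist_config):
    """Map (path pattern, event type) -> function ARN across all cache behaviors."""
    behaviors = [("<default>", dist_config.get("DefaultCacheBehavior", {}))]
    for b in dist_config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))
    found = {}
    for pattern, behavior in behaviors:
        for a in behavior.get("LambdaFunctionAssociations", {}).get("Items", []):
            found[(pattern, a["EventType"])] = a["LambdaFunctionARN"]
    return found

def audit(live_config, declared_config):
    """Findings to resolve before the next stack update."""
    live, declared = associations(live_config), associations(declared_config)
    findings = []
    for key in sorted(live.keys() - declared.keys()):
        # On the distribution but not in the template: the stack does not manage it.
        findings.append(("UNMANAGED", key, live[key]))
    for key, arn in sorted(declared.items()):
        if not VERSION_ARN.match(arn):
            findings.append(("NOT_A_VERSION_ARN", key, arn))
    return findings

# Constructed sample data (placeholder account id and function names).
LIVE = {"DefaultCacheBehavior": {"LambdaFunctionAssociations": {"Quantity": 1, "Items": [
    {"EventType": "viewer-request",
     "LambdaFunctionARN": "arn:aws:lambda:us-east-1:123456789012:function:web-auth:7"}]}}}
DECLARED = {
    "DefaultCacheBehavior": {"LambdaFunctionAssociations": {"Quantity": 0}},
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "/static/*",
        "LambdaFunctionAssociations": {"Quantity": 1, "Items": [
            {"EventType": "origin-response",
             "LambdaFunctionARN": "arn:aws:lambda:us-east-1:123456789012:function:add-headers:live"}]}}]},
}

if __name__ == "__main__":
    for finding in audit(LIVE, DECLARED):
        print(finding)
```

An `UNMANAGED` finding on an authentication function is the one to act on first: move the association into the template so a later stack update cannot drop it.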

Source: https://habr.com/ru/post/1693832/