
Lambdas Are Not Deployed in VPCs

Open · anish-kunduru opened this issue 2 years ago · 1 comment

AWS Connected Device Framework Affected Module(s):

  • greengrass2-provisioning
  • installer
  • commands
  • device-patcher

I'm submitting a ...

  • [x] bug report
  • [ ] feature request

Description:

CDF provides the option to configure that lambdas are deployed into a VPC, but this option doesn't work reliably.

Current behavior:

Several lambdas are not correctly deployed into a VPC, even when a VPC is specified via the config.

Expected behavior:

All lambdas are deployed into a VPC, when that option is selected.

Steps to reproduce:

Additional Information: This is likely not an exhaustive list of the impacted modules, but finding all the modules would involve searching the IaC for all lambdas that are defined without an optional VPC config.

anish-kunduru commented Feb 13 '23 23:02

I think I better understand why this is happening.

CDF is capable of creating its own subnets and automatically deploying resources into them, but some customers have a separate team that handles that.

I experience this issue when deploying the framework with the following settings:

  "vpc": {
    "useExisting": true,
    "id": "${VpcId}",
    "securityGroupId": "${SecurityGroupId}",
    "privateSubnetIds": "${PrivateSubnet1},${PrivateSubnet2}"
  }

The primary issue here is that CDF deploys some resources into a private subnet, and others into a public one. When a public subnet is not specified, it just drops it into the normal lambda environment. While this is a perfectly secure thing to do, some customers insist on deploying all lambdas into a VPC. A secondary issue would be that some of those resources really shouldn't be in a public subnet anyway, and could be using VPC endpoints.

anish-kunduru commented Jun 30 '23 21:06
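The issue body suggests searching the IaC for every Lambda defined without a VPC config, and the follow-up comment adds that functions should also not land in public subnets. The script below is an added example written for this thread; it is not part of the CDF project and the template and subnet/route-table map it embeds are constructed sample data (the logical IDs, subnet IDs and gateway IDs are invented). It walks a CloudFormation/SAM template (JSON form), flags `AWS::Lambda::Function` / `AWS::Serverless::Function` resources with no `VpcConfig`, and, for those that do have one, flags any subnet whose default route points at an internet gateway, which is the usual definition of a public subnet. In a real audit the template would be the project's own IaC and the route map would be built from `ec2 describe-route-tables`.

```python
"""Audit a CloudFormation/SAM template for Lambda functions that are either
not attached to a VPC or attached to public subnets.

Added example for this issue thread, not CDF project code. All sample data
below is constructed.
"""
import json

LAMBDA_TYPES = {"AWS::Lambda::Function", "AWS::Serverless::Function"}

# Constructed sample template; the resources only mimic the shape of a stack
# and do not correspond to real CDF modules.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "ProvisioningFn": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Handler": "index.handler",
                "VpcConfig": {
                    "SubnetIds": ["subnet-priv1", "subnet-priv2"],
                    "SecurityGroupIds": ["sg-0123"],
                },
            },
        },
        "PatcherFn": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "index.handler"},  # no VpcConfig at all
        },
        "CommandsFn": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Handler": "index.handler",
                "VpcConfig": {
                    "SubnetIds": ["subnet-pub1"],
                    "SecurityGroupIds": ["sg-0123"],
                },
            },
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},  # not a Lambda, ignored
    }
})

# Constructed subnet -> routes map, in the shape you would build from the
# Routes list of `ec2 describe-route-tables` output.
SAMPLE_ROUTES = {
    "subnet-priv1": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    "subnet-priv2": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-abc"}],
    "subnet-pub1": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-abc"}],
}


def is_public_subnet(routes):
    """A subnet is public when its default route goes to an internet gateway.
    A default route via a NAT gateway (NatGatewayId) keeps the subnet private."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and str(r.get("GatewayId", "")).startswith("igw-")
        for r in routes
    )


def audit_template(template_json, subnet_routes):
    """Return {logical_id: finding} for each Lambda resource that is not in a
    VPC or that sits in at least one public subnet. Functions whose SubnetIds
    are an unresolved intrinsic (Ref, Fn::Split, ...) are reported as such,
    since their placement cannot be judged from the template alone."""
    template = json.loads(template_json)
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in LAMBDA_TYPES:
            continue
        vpc = res.get("Properties", {}).get("VpcConfig") or {}
        subnets = vpc.get("SubnetIds")
        if not subnets:
            findings[logical_id] = "not deployed into a VPC"
            continue
        if not isinstance(subnets, list):
            findings[logical_id] = "SubnetIds is an intrinsic; resolve before judging"
            continue
        public = [s for s in subnets if is_public_subnet(subnet_routes.get(s, []))]
        if public:
            findings[logical_id] = "in public subnet(s): " + ", ".join(public)
    return findings


if __name__ == "__main__":
    for name, finding in audit_template(SAMPLE_TEMPLATE, SAMPLE_ROUTES).items():
        print(f"{name}: {finding}")
```

Run against the sample data this reports `PatcherFn` as not in a VPC and `CommandsFn` as sitting in `subnet-pub1`, while `ProvisioningFn` passes because its NAT-routed subnet is still private. Pointing it at the real templates (after `cfn-flip` or a YAML loader for YAML templates) gives the exhaustive module list the issue says would otherwise require manual searching.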