
Lambda appears in all possible subnets instead of only its own

Open · Kkameleon opened this issue 6 months ago · 1 comment

With the function below deployed (its `vpc_config` attaches a single subnet), the generator produces the following diagram, in which the Lambda is duplicated into every subnet of the VPC:

@startuml 

' Actual generator output. The single aws_lambda_function is emitted once in
' EVERY subnet of the VPC (seven copies, all declared with the same alias
' "data_exporter") instead of only in the subnet from its vpc_config.subnet_ids.

' Icon library is fetched over the network at render time from
' raw.githubusercontent.com at a git ref ("v14.0"), not a commit SHA. A tag or
' branch can be moved, so for reproducible, supply-chain-safe renders pin a
' commit hash or vendor the dist/ folder.
!define AWSPuml https://raw.githubusercontent.com/awslabs/aws-icons-for-plantuml/v14.0/dist
!include AWSPuml/AWSCommon.puml
!include AWSPuml/Groups/all.puml
!include AWSPuml/Containers/all.puml
!include AWSPuml/Database/all.puml
!include AWSPuml/Compute/all.puml
!include AWSPuml/General/all.puml
!include AWSPuml/SecurityIdentityCompliance/all.puml
!include AWSPuml/Storage/all.puml
!include AWSPuml/NetworkingContentDelivery/all.puml

' define custom group for Amazon S3 bucket
AWSGroupColoring(S3BucketGroup, #FFFFFF, AWS_COLOR_GREEN, plain)
!define S3BucketGroup(g_alias, g_label="S3 Buckets") AWSGroupEntity(g_alias, g_label, AWS_COLOR_GREEN, SimpleStorageService, S3BucketGroup)
' define custom group for IAM
AWSGroupColoring(IAMGroup, #FFFFFF, AWS_COLOR_RED, plain)
!define IAMGroup(g_alias, g_label="Identity Access Management (IAM)") AWSGroupEntity(g_alias, g_label, AWS_COLOR_RED, IdentityandAccessManagement, IAMGroup)

' Groups are rectangles with a custom style using stereotype - need to hide
hide stereotype
skinparam linetype ortho
skinparam rectangle {
    BackgroundColor transparent
    BorderColor transparent
}

AWSCloudGroup("aws", "AWS") {
  S3BucketGroup("s3", "S3") {
    rectangle "$SimpleStorageServiceBucketIMG()\nmy-bucket" as s3_0
  }
  RegionGroup("eu_west_2", "Region eu-west-2") {
    VPCGroup("vpc_0009be1c376538d6a", "VPC Main VPC") {
      rectangle "$VPCInternetGatewayIMG()\nInternet Gateway\nInternet Gateway" as igw_0dc67a37c3a5b229d
      AvailabilityZoneGroup("vpc_0009be1c376538d6a_eu_west_2a", "AZ eu-west-2a") {
        ' Wrong: this subnet is not in the function's subnet_ids.
        PrivateSubnetGroup("subnet_06bd6f307e56b7e29", "Pvt Subnet\nGlue Subnet zone 1\n10.20.31.0/24") {
          rectangle "$LambdaLambdaFunctionIMG()\nLambda data_exporter\npython3.9" as data_exporter
        }
        ' The only subnet the Lambda should appear in ("Lambda Subnet zone 1",
        ' presumably aws_subnet.lambda_zone_1 from the resource below).
        PrivateSubnetGroup("subnet_0bd563a3f51d19d05", "Pvt Subnet\nLambda Subnet zone 1\n10.20.21.0/24") {
          rectangle "$LambdaLambdaFunctionIMG()\nLambda data_exporter\npython3.9" as data_exporter
        }
        PrivateSubnetGroup("subnet_0e45d8608d385cdf1", "Pvt Subnet\nPrivate Subnet Application 1, zone 1\n10.20.11.0/24") {
          rectangle "$EC2T2InstanceIMG()\nFirst application ec2 zone 1\nt2.micro\n10.20.11.95" as i_01b5a0b8080caf5c4
          ' Wrong: duplicated Lambda.
          rectangle "$LambdaLambdaFunctionIMG()\nLambda data_exporter\npython3.9" as data_exporter
        }
        ' Subnet named "Public subnet" (it hosts the NAT gateway) is still
        ' rendered as a PrivateSubnetGroup; the generator's public/private
        ' classification looks independent of the subnet name. Separate from
        ' the Lambda placement bug, but worth a look.
        PrivateSubnetGroup("subnet_04481ddc904eafec9", "Pvt Subnet\nPublic subnet\n10.20.1.0/24") {
          ' Label carries the NAT gateway's private (10.20.1.227) and public
          ' (18.135.89.194) addresses straight from state; the public IP is
          ' real infrastructure data — redact before sharing outside the team.
          rectangle "$VPCNATGatewayIMG()\nNAT Gateway\nNAT Gateway\n10.20.1.227\n18.135.89.194" as nat_01730e1fe51a5824d
          ' Wrong: duplicated Lambda.
          rectangle "$LambdaLambdaFunctionIMG()\nLambda data_exporter\npython3.9" as data_exporter
        }
      }
      AvailabilityZoneGroup("vpc_0009be1c376538d6a_eu_west_2b", "AZ eu-west-2b") {
        ' Wrong: the Lambda is also copied into every subnet of the second AZ.
        PrivateSubnetGroup("subnet_0eec7d1ef5ffb7710", "Pvt Subnet\nGlue Subnet zone 2\n10.20.32.0/24") {
          rectangle "$LambdaLambdaFunctionIMG()\nLambda data_exporter\npython3.9" as data_exporter
        }
        PrivateSubnetGroup("subnet_075cb18cf1a5c6bba", "Pvt Subnet\nPrivate Subnet Application 1, zone 2\n10.20.12.0/24") {
          rectangle "$LambdaLambdaFunctionIMG()\nLambda data_exporter\npython3.9" as data_exporter
        }
        PrivateSubnetGroup("subnet_03b0040d77b86090a", "Pvt Subnet\nPublic subnet\n10.20.2.0/24") {
          rectangle "$LambdaLambdaFunctionIMG()\nLambda data_exporter\npython3.9" as data_exporter
        }
      }
    }
  }
}
@enduml

instead of the expected diagram, in which the Lambda appears only in the one subnet listed in its `vpc_config.subnet_ids`:

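@startuml 

' Expected output for the same state: the Lambda is placed exactly once, in the
' subnet from its vpc_config.subnet_ids ("Lambda Subnet zone 1"); every other
' subnet is rendered empty. (A stray backtick before @startuml in the original
' paste has been removed — it is not valid PlantUML.)

' Icon library is fetched over the network at render time from
' raw.githubusercontent.com at a git ref ("v14.0"), not a commit SHA. A tag or
' branch can be moved, so for reproducible, supply-chain-safe renders pin a
' commit hash or vendor the dist/ folder.
!define AWSPuml https://raw.githubusercontent.com/awslabs/aws-icons-for-plantuml/v14.0/dist
!include AWSPuml/AWSCommon.puml
!include AWSPuml/Groups/all.puml
!include AWSPuml/Containers/all.puml
!include AWSPuml/Database/all.puml
!include AWSPuml/Compute/all.puml
!include AWSPuml/General/all.puml
!include AWSPuml/SecurityIdentityCompliance/all.puml
!include AWSPuml/Storage/all.puml
!include AWSPuml/NetworkingContentDelivery/all.puml

' define custom group for Amazon S3 bucket
AWSGroupColoring(S3BucketGroup, #FFFFFF, AWS_COLOR_GREEN, plain)
!define S3BucketGroup(g_alias, g_label="S3 Buckets") AWSGroupEntity(g_alias, g_label, AWS_COLOR_GREEN, SimpleStorageService, S3BucketGroup)
' define custom group for IAM
AWSGroupColoring(IAMGroup, #FFFFFF, AWS_COLOR_RED, plain)
!define IAMGroup(g_alias, g_label="Identity Access Management (IAM)") AWSGroupEntity(g_alias, g_label, AWS_COLOR_RED, IdentityandAccessManagement, IAMGroup)

' Groups are rectangles with a custom style using stereotype - need to hide
hide stereotype
skinparam linetype ortho
skinparam rectangle {
    BackgroundColor transparent
    BorderColor transparent
}

AWSCloudGroup("aws", "AWS") {
  S3BucketGroup("s3", "S3") {
    rectangle "$SimpleStorageServiceBucketIMG()\nmy-bucket" as s3_0
  }
  RegionGroup("eu_west_2", "Region eu-west-2") {
    VPCGroup("vpc_0009be1c376538d6a", "VPC Main VPC") {
      rectangle "$VPCInternetGatewayIMG()\nInternet Gateway\nInternet Gateway" as igw_0dc67a37c3a5b229d
      AvailabilityZoneGroup("vpc_0009be1c376538d6a_eu_west_2a", "AZ eu-west-2a") {
        PrivateSubnetGroup("subnet_06bd6f307e56b7e29", "Pvt Subnet\nGlue Subnet zone 1\n10.20.31.0/24") {
        }
        ' The single subnet attached to the function via vpc_config.subnet_ids
        ' (presumably aws_subnet.lambda_zone_1 from the resource below).
        PrivateSubnetGroup("subnet_0bd563a3f51d19d05", "Pvt Subnet\nLambda Subnet zone 1\n10.20.21.0/24") {
          rectangle "$LambdaLambdaFunctionIMG()\nLambda data_exporter\npython3.9" as data_exporter
        }
        PrivateSubnetGroup("subnet_0e45d8608d385cdf1", "Pvt Subnet\nPrivate Subnet Application 1, zone 1\n10.20.11.0/24") {
          rectangle "$EC2T2InstanceIMG()\nFirst application ec2 zone 1\nt2.micro\n10.20.11.95" as i_01b5a0b8080caf5c4
        }
        ' Subnet named "Public subnet" (it hosts the NAT gateway) is rendered as
        ' a PrivateSubnetGroup; the generator's public/private classification
        ' looks independent of the subnet name — a separate point from the
        ' Lambda placement bug.
        PrivateSubnetGroup("subnet_04481ddc904eafec9", "Pvt Subnet\nPublic subnet\n10.20.1.0/24") {
          ' Label carries the NAT gateway's private (10.20.1.227) and public
          ' (18.135.89.194) addresses straight from state; the public IP is
          ' real infrastructure data — redact before sharing outside the team.
          rectangle "$VPCNATGatewayIMG()\nNAT Gateway\nNAT Gateway\n10.20.1.227\n18.135.89.194" as nat_01730e1fe51a5824d
        }
      }
      AvailabilityZoneGroup("vpc_0009be1c376538d6a_eu_west_2b", "AZ eu-west-2b") {
        PrivateSubnetGroup("subnet_0eec7d1ef5ffb7710", "Pvt Subnet\nGlue Subnet zone 2\n10.20.32.0/24") {
        }
        PrivateSubnetGroup("subnet_075cb18cf1a5c6bba", "Pvt Subnet\nPrivate Subnet Application 1, zone 2\n10.20.12.0/24") {
        }
        PrivateSubnetGroup("subnet_03b0040d77b86090a", "Pvt Subnet\nPublic subnet\n10.20.2.0/24") {
        }
      }
    }
  }
}
@enduml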

My Lambda is defined like this — note that `vpc_config.subnet_ids` contains exactly one subnet:

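# Lambda under review. Only ONE subnet is attached through vpc_config, so the
# generated diagram should place this function in that subnet alone.
resource "aws_lambda_function" "data_exporter" {
  function_name = "data_exporter"
  # Execution role is declared elsewhere; its permissions are not visible here,
  # so least-privilege cannot be confirmed from this listing — review separately.
  role          = aws_iam_role.lambda_role.arn
  handler       = "${var.lf_exporter_name}.lambda_handler"
  runtime       = var.python_version

  filename = data.archive_file.lambda_zip.output_path
  # Use the archive data source's own hash attribute instead of
  # filebase64sha256(output_path): the function form re-reads the zip from disk
  # and can see a stale or not-yet-written file during plan, while
  # output_base64sha256 is produced by the same data source that writes the
  # archive. Both yield the base64 SHA-256 of the zip, so no redeploy results.
  source_code_hash = data.archive_file.lambda_zip.output_base64sha256

  # The layer ARN comes from a variable; whoever controls that value controls
  # code executed inside this function, so treat it as a dependency pin — an
  # explicit, versioned layer ARN from a trusted account.
  layers = [var.arn_lambda_layer]

  vpc_config {
    # Exactly one subnet and one security group — the diagram generator should
    # key the Lambda's placement on this list, not on the VPC as a whole.
    subnet_ids         = [aws_subnet.lambda_zone_1.id]
    security_group_ids = [aws_security_group.lambda_sg.id]
  }

  tags = merge(
    var.tags,
    {
      Name = "Lambda ${var.lf_exporter_name} function"
    }
  )
}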

In terraform.tfstate the function's `vpc_config` likewise shows a single subnet ID and a single security group (identifiers redacted here; note the subnet/VPC IDs and the NAT gateway's public IP are left unredacted in the diagrams above):

"vpc_config": [
  {
    "security_group_ids": [
      "sg-XXX"
    ],
    "subnet_ids": [
      "subnet-XXX"
    ],
    "vpc_id": "vpc-XXX"
  }
]

Kkameleon — Dec 21 '23 02:12