
🏗 AWS CloudFormation custom resource that allows deploying Lambda@Edge from any region

aws-cfn-custom-resource-lambda-edge


This project provides a custom resource for AWS CloudFormation that copies a provided Lambda function to the us-east-1 standard region. This is especially useful for deploying Lambda@Edge from regions other than the standard one.


Motivation

  • https://github.com/awslabs/serverless-application-model/issues/635
  • https://twitter.com/prestomation/status/971256051516485632

Installation

Clone the repository.

Set up your AWS CLI credentials, then run the install script, which deploys the CloudFormation custom resource and its dependencies.

Use the --region parameter to specify where you want your custom resource to be deployed:

./install.sh --region eu-west-1

The script deploys 3 CloudFormation stacks.

Note that the first stack is a prerequisite that deploys an S3 bucket required by CloudFormation to upload local artifacts. If you already have such a bucket, you can skip installing it by providing the optional --package-bucket parameter:

./install.sh --region eu-west-1 --package-bucket my-package-bucket

Usage

With the default execution role

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Resources:

  # CloudFront distribution
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: origin-request
              LambdaFunctionARN: !GetAtt EdgeOriginRequest.FunctionVersion

  # Unused Lambda function only to get `CodeUri` working
  EdgeOriginRequestSource:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      AutoPublishAlias: live # Required to get `Version` parameter and force publication

  # Custom resource to "copy" the Lambda in the standard region (us-east-1)
  EdgeOriginRequest:
    Type: Custom::LambdaEdge
    Properties:
      ServiceToken: !ImportValue CustomResourceLambdaEdgeServiceToken
      Parameters:
        LambdaSourceArn: !Ref EdgeOriginRequestSource.Version

With a custom execution role

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Resources:

  # CloudFront distribution
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: origin-request
              LambdaFunctionARN: !GetAtt EdgeOriginRequest.FunctionVersion

  # Unused Lambda function only to get `CodeUri` working
  EdgeOriginRequestSource:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      AutoPublishAlias: live # Required to get `Version` parameter and force publication

  # Custom resource to "copy" the Lambda in the standard region (us-east-1)
  EdgeOriginRequest:
    Type: Custom::LambdaEdge
    Properties:
      ServiceToken: !ImportValue CustomResourceLambdaEdgeServiceToken
      Parameters:
        LambdaSourceArn: !Ref EdgeOriginRequestSource.Version
        LambdaRoleArn: !GetAtt EdgeOriginRequestRole.Arn

  # Custom execution role
  EdgeOriginRequestRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
                - edgelambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
      Policies:
        - PolicyName: CustomPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Resource: "*"
                Action: lambda:InvokeFunction
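
A review check for a custom execution role like the one above, as an added example that is not part of this project: it confirms the trust policy names both service principals Lambda@Edge needs and reports Allow statements scoped to Resource "*", such as the lambda:InvokeFunction grant in CustomPolicy. The ROLE dict is a hand-written copy of the template's role properties and lint_edge_role is a hypothetical helper name.

```python
# Added example: lint an execution role intended for Lambda@Edge.
# ROLE is a hand-written copy of EdgeOriginRequestRole from the template above,
# expressed as a plain dict so no YAML parser is needed.
REQUIRED_PRINCIPALS = {"lambda.amazonaws.com", "edgelambda.amazonaws.com"}

ROLE = {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"Service": ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]},
    }]},
    "Policies": [{
        "PolicyName": "CustomPolicy",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Resource": "*", "Action": "lambda:InvokeFunction",
        }]},
    }],
}


def as_list(value):
    """IAM accepts a scalar or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_edge_role(role):
    """Return findings for a Lambda@Edge execution role (hypothetical helper)."""
    findings = []
    trusted = set()
    for stmt in as_list(role.get("AssumeRolePolicyDocument", {}).get("Statement")):
        principal = stmt.get("Principal", {})
        if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and "sts:AssumeRole" in as_list(stmt.get("Action"))):
            trusted.update(as_list(principal.get("Service")))
    for missing in sorted(REQUIRED_PRINCIPALS - trusted):
        findings.append(f"trust policy does not allow {missing}")
    for policy in role.get("Policies", []):
        for stmt in as_list(policy["PolicyDocument"].get("Statement")):
            if stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Resource")):
                actions = ",".join(as_list(stmt.get("Action")))
                findings.append(f"{policy['PolicyName']}: {actions} allowed on Resource '*'")
    return findings


if __name__ == "__main__":
    for finding in lint_edge_role(ROLE):
        print(finding)
```

Replacing the wildcard with the ARNs of the functions the edge code actually calls clears the finding.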

License

Apache 2.0 © Yves Merlicco