1
votes

I'm attempting to "populate" a SG that is attached to my ALB to allow traffic from Cloudfront in.

This ALB/CF dist are being created via CloudFormation. I currently have a Lambda function that processes SNS messages from AmazonIpSpaceChanged. However, when I create this CF stack, that SNS message needs to be fired to populate the SG initially.

Is there a way to create an SNS message to trigger this Lambda function? I looked at SNS backed custom resources but that did not appear to work.

3 Answers

2
votes

I also personally faced this problem. I was unable to get my SNS topic working to trigger the lambda function. However, I was able to do it with custom resources.

Whenever a lambda function is associated with a custom resource in a CloudFormation template, it is invoked during the creation of that custom resource. You will have to make it depend on the CloudFormation resource that has the code in it, because it won't work if it fires before the lambda function has been created.

This is a link to the custom resource documentation
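As an added example (not code from the question or from any answer), here is the shape of a Lambda handler that serves both invocation paths discussed so far: the custom resource that CloudFormation invokes on stack creation, and the AmazonIpSpaceChanged notification that arrives later. On the template side the custom resource is assumed to be declared with `ServiceToken` set to the function's ARN, a `GroupId` property naming the ALB's security group, and `DependsOn` on the function resource, as the answer above describes. The abbreviated ip-ranges.json content, the `PopulateSg` logical id, the group ids and the 60-rule quota constant are constructed or assumed for this example; the `authorize` and `respond` callables stand in for the boto3 and cfn-response calls so the logic runs offline.

```python
import hashlib
import json
import urllib.request
from typing import Callable

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"
# Assumed default Service Quota for rules per security group; checked up front
# so an oversized list fails loudly instead of half-populating the group.
RULES_PER_GROUP_LIMIT = 60

# Constructed, abbreviated stand-in for ip-ranges.json (the real file is far larger).
SAMPLE_IP_RANGES = {
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},  # same CIDR, other tag
    ],
}
SAMPLE_BODY = json.dumps(SAMPLE_IP_RANGES).encode()


def fetch_url(url: str) -> bytes:
    """Real fetch for deployment; tests inject sample_fetch instead."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def sample_fetch(url: str) -> bytes:
    """Offline stand-in that returns the constructed document for any URL."""
    return SAMPLE_BODY


def cfn_respond(url: str, payload: dict) -> None:
    """PUT the cfn-response document to the pre-signed URL CloudFormation supplied."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req, timeout=10).close()


def cloudfront_prefixes(ip_ranges: dict) -> list:
    """Unique IPv4 prefixes tagged CLOUDFRONT, sorted so the rule set is stable."""
    return sorted({p["ip_prefix"] for p in ip_ranges["prefixes"] if p["service"] == "CLOUDFRONT"})


def build_ip_permissions(prefixes: list, from_port: int = 443, to_port: int = 443) -> list:
    """IpPermissions payload for ec2.authorize_security_group_ingress, one CIDR per rule."""
    if len(prefixes) > RULES_PER_GROUP_LIMIT:
        raise ValueError(f"{len(prefixes)} prefixes exceed {RULES_PER_GROUP_LIMIT} rules; split across groups")
    return [{"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
             "IpRanges": [{"CidrIp": p, "Description": "CloudFront"} for p in prefixes]}]


def event_kind(event: dict) -> str:
    """Custom-resource events carry RequestType/ResponseURL; SNS events carry Records."""
    if "RequestType" in event and "ResponseURL" in event:
        return "custom-resource"
    records = event.get("Records") or []
    if records and records[0].get("EventSource") == "aws:sns":
        return "sns"
    return "unknown"


def sample_sns_event() -> dict:
    """Constructed AmazonIpSpaceChanged notification whose md5 matches SAMPLE_BODY."""
    message = {"create-time": "2024-01-01-00-00-00", "synctoken": "1700000000",
               "md5": hashlib.md5(SAMPLE_BODY).hexdigest(), "url": IP_RANGES_URL}
    return {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": json.dumps(message)}}]}


def desired_rules(body: bytes) -> list:
    return build_ip_permissions(cloudfront_prefixes(json.loads(body)))


def handler(event: dict, context=None, *, fetch: Callable = fetch_url, authorize: Callable = None,
            respond: Callable = cfn_respond, group_id: str = None) -> dict:
    """Entry point: authorize(group_id, permissions) is injected (boto3 in deployment)."""
    kind = event_kind(event)
    if kind == "custom-resource":
        target = event.get("ResourceProperties", {}).get("GroupId") or group_id
        status, reason, count = "SUCCESS", "", 0
        try:
            if event["RequestType"] in ("Create", "Update"):
                perms = desired_rules(fetch(IP_RANGES_URL))
                authorize(target, perms)
                count = len(perms[0]["IpRanges"])
            # Delete: the stack removes the group itself, so nothing to revoke here.
        except Exception as exc:  # an unreported failure leaves the stack waiting
            status, reason = "FAILED", str(exc)
        respond(event["ResponseURL"], {
            "Status": status, "Reason": reason or "see CloudWatch logs",
            "PhysicalResourceId": f"cloudfront-rules-{target}", "StackId": event["StackId"],
            "RequestId": event["RequestId"], "LogicalResourceId": event["LogicalResourceId"]})
        return {"kind": kind, "status": status, "rule_count": count}
    if kind == "sns":
        message = json.loads(event["Records"][0]["Sns"]["Message"])
        if message["url"] != IP_RANGES_URL:
            raise ValueError("notification points at an unexpected URL")
        body = fetch(message["url"])
        if hashlib.md5(body).hexdigest() != message["md5"].lower():  # integrity check from the notice
            raise ValueError("ip-ranges.json digest does not match the notification")
        perms = desired_rules(body)
        authorize(group_id, perms)
        return {"kind": kind, "status": "SUCCESS", "rule_count": len(perms[0]["IpRanges"])}
    raise ValueError(f"unsupported event: {kind}")
```

In deployment you would pass `authorize=lambda gid, perms: ec2.authorize_security_group_ingress(GroupId=gid, IpPermissions=perms)` and leave `respond` and `fetch` at their defaults. A production version would also describe the group and revoke prefixes that have disappeared from the list, since `authorize_security_group_ingress` rejects duplicate rules; the example only computes and applies the desired set, verifies the md5 carried in the notification before trusting the downloaded file, and always answers the custom resource, because a missing response leaves the stack waiting until it times out.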

0
votes

Why not add the rule to the security group directly from CloudFormation with AWS::EC2::SecurityGroupIngress?

  InboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 0          # all TCP ports (0-65535); narrow to the ALB listener ports where possible
      ToPort: 65535
      # allow traffic from members of the newly created security group ...
      SourceSecurityGroupId:
        Fn::GetAtt:
        - XX_NEW_SECURITY_GROUP_XX
        - GroupId
      # ... into the existing group attached to the ALB (placeholder id)
      GroupId: sg-XX_EXISTING_GROUP_XX

0
votes

One option you could use is the notification feature the CloudFormation API offers: when calling UpdateStack you can provide a list of NotificationARNs, which is a list of SNS topics that get notified about every CloudFormation-related change to your stack. You could set the notification SNS topic to the SNS topic you subscribed your AWS Lambda function to. This of course only works if you don't create the SNS topic as part of your CloudFormation stack, if you don't rely on the content of the SNS message and just need such a message as a trigger, and if you filter the SNS messages in your Lambda function to react only to messages which matter to you (like doing updates only on stack creation and not on stack deletion).

Using the AWS CLI and its deploy command, specifying a notification ARN would look like:

aws cloudformation deploy \
  --template-file your-template.yaml \
  --stack-name your-stack \
  --notification-arns arn:aws:sns:us-east-1:123456789012:yourtopic