Reputation: 493
Send SNS message via Cloudformation/lambda for updating security group
I'm attempting to "populate" a SG that is attached to my ALB to allow traffic from Cloudfront in.
This ALB/CF dist are being created via Cloudformation. I currently have a Lambda function that processes SNS messages from AmazonIpSpaceChanged. However, when I create this CF stack that SNS message needs to be fired to populate the SG initially.
Is there a way to create an SNS message to trigger this Lambda function? I looked at SNS backed custom resources but that did not appear to work.
Upvotes: 2
Views: 1402
Answers (3)
Reputation: 8435
One option you could use is the notification feature the CloudFormation API offers: When calling UpdateStack you can provide a list of NotificationARNs, which is a list of SNS topics which get notified about every CloudFormation-related change to your stack. You could set the notification SNS topic to the SNS topic you subscribed your AWS Lambda function to. This of course only works if you don't create the SNS topic as part of your CloudFormation stack, you don't rely on the content on the SNS message and just need such a message as trigger and if you filter the SNS messages in your Lambda function to only react to messages which matter to you (like doing updates only on stack creation and not on stack deletion).
Using the AWS CLI and its deploy command, specifying a notification ARN would look like:
aws cloudformation deploy \
--template-file your-template.yaml \
--stack-name your-stack \
--notification-arns arn:aws:sns:us-east-1:1234567890123456:yourtopic
Upvotes: 0
Reputation: 34704
Why not add the rule to the security group directly from CloudFormation with AWS::EC2::SecurityGroupIngress?
InboundRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
SourceSecurityGroupId:
Fn::GetAtt:
- XX_NEW_SECURITY_GROUP_XX
- GroupId
GroupId: sg-XX_EXISTING_GROUP_XX
Upvotes: 0
Reputation: 542
I also personally faced this problem. I was unable to get my SNS topic working to trigger the lambda function. However, I was able to do it with custom resources.
Whenever a lambda function is associated with a custom resource in CloudFormation template, it is invoked during the creation of that custom resource. You will have to depend it on the cloudformation resource that has the code in it, because it wont work if it will fire before the lambda function has been created.
This is a link to the custom resource documentation
Upvotes: 3
Related Questions
- Create a Lambda notification in an S3 bucket with CloudFormation
- CloudFormation: Publish to SNS topic
- how to get notified through SNS when a user in AWS creates security group with ingress 0.0.0/0
- Trigger lambda from SNS Topic in cloudformation
- Triggering a lambda from SNS using cloud-formation?
- sns unable to trigger lambda when created using cloudformation
- How to send SNS notification after cloud formation is completed?
- How to send SNS email notifications for a Cloudformation stack while creating it without using lambda?
- Trigger Amazon SNS message via Amazon Lambda
- AWS Lambda S3 Bucket Notification via CloudFormation