serverless-operations / serverless-lambda-edge-pre-existing-cloudfront Goto Github PK

I tried following the documentation for the simple case of adding a trigger to an existing CF distribution. During deployment I'm getting this message:

The function ARN must reference a specific function version. (The ARN must end with the version number.)

The ARN that is being set ends with $LATEST which is an alias, and seems to be unsupported by CloudFront:

arn:aws:lambda:eu-central-1:XXXX:function:XXXX-generateSitemap:$LATEST

What am I doing wrong here?
Btw, I get the exact same message if I manually try to set this ARN by editing the CloudFront distribution in the CF console.

We have one Lambda@edge and one Cloudfront function on the same distribution. Using this plugin removes the associated CloudFront function.

Not sure whats happening but when I deploy CloudFront trigger is not attached. It appears the after:aws:deploy:finalize:cleanup hook is not triggering. Here's my yaml if that helps:

---
service: my-lambda-edge

provider:
  name: aws
  region: us-east-1
  stage: ${opt:stage, 'staging'}
  runtime: nodejs12.x
  timeout: 120
  stackName: ${self:service}-${self:provider.stage}
  logRetentionInDays: 90
  deploymentBucket:
    name: my-lambda-edge-bucket
  role: my-iam-role
  environment:
    NODE_ENV: ${self:provider.stage}

custom:
  distributions:
    staging: -------------
    production: -------------
  lambdaEdgePreExistingCloudFront:
    validStages:
      - staging
      - production

package:
  exclude:
    - ./**
  include:
    - functions/*.js

functions:

  request:
    handler: functions/request.handler
    events:
      - preExistingCloudFront:
          distributionId: ${self:custom.distributions.${opt:stage, self:provider.stage}}
          eventType: origin-request
          pathPattern: '*'
          includeBody: false


  response:
    handler: functions/response.handler
    events:
      - preExistingCloudFront:
          distributionId: ${self:custom.distributions.${opt:stage, self:provider.stage}}
          eventType: origin-response
          pathPattern: '*'
          includeBody: false


plugins:
  - serverless-lambda-edge-pre-existing-cloudfront

sls --version
Framework Core: 1.76.1
Plugin: 3.6.17
SDK: 2.3.1
Components: 2.32.0

Hello I hope I can find help on this here I'm using this plugin but I'm getting this error:
The function memory size is larger than the maximum allowed size for functions that are triggered by a CloudFront event: 1024 Max allowed: 128 Function: arn:aws:lambda:us-east-1:987558555805:function:test-develop-appointment:18
and I couldn't find a reason, not sure if is related to the way - serverless-bundle is packaging the function, this is my serverless.yml overview if this helps:

service: test
package:
  individually: true

plugins:
  - serverless-bundle
  - serverless-offline
  - serverless-dotenv-plugin
  - serverless-lambda-edge-pre-existing-cloudfront

custom:
  stage: ${opt:stage, env:STAGE}
  profile: ${env:PROFILE, default}
  tableName: ${self:custom.stage}-journeys
  distributionId: ${env:DISTRIBUTION_ID}
  
provider:
  name: aws
  runtime: nodejs12.x
  stage: ${self:custom.stage}
  region: us-east-1
  profile: ${self:custom.profile}
  environment:
    tableName: ${self:custom.tableName}
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource:
        - { "Fn::GetAtt": [JourneysTable, Arn ] }
        - Fn::Join:
          - "/"
          -
            - { "Fn::GetAtt": [JourneysTable, Arn ] }
            - "index/*"

functions:
  appointment:
    handler: appointment.main
    events:
      - preExistingCloudFront:
          distributionId: ${self:custom.distributionId} 
          eventType: viewer-request 
          pathPattern: '*' 
          includeBody: false


resources:
  - ${file(resources/api-gateway-errors.yml)}
  - ${file(resources/dynamodb-table.yml)}

while deploying in serverless , the error says as :
Serverless plugin "serverless-lambda-edge-pre-existing-cloudfront" initialization errored: Cannot read property 'defineCustomProperties' of undefined

Hi Team,

I am getting below error while deploying my edge lambda

ServerlessError: The function ARN must reference a specific function version. (The ARN must end with the version number.) ARN: arn:aws:lambda:us-east-1:{AccountID}:function:pim-integration-service-dev-orginRequestEdge:$LATEST
at /usr/local/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:343:27
at processTicksAndRejections (internal/process/task_queues.js:97:5)

As the title says, I'm trying to deploy a Lambda@Edge, and I'm getting the following error:

ServerlessError: Lambda@Edge cannot enable replication for the specified Lambda function.
Update the IAM policy to add permission: lambda:EnableReplication* for 
resource: arn:aws:lambda:us-east-1:xxxxxxxxxx:function:XXXZZZZYYYYY:2 and try again.

There's little documentation about this error in internet, but the little I've found pointed to add a permission to the lambda function:

EdgeAuthEnableReplicationPermission:
      Type: 'AWS::Lambda::Permission'
      Properties:
        Action: "lambda:EnableReplication"
        FunctionName: "XXXZZZZYYYYY"
        Principal: "*"

This is my serverless.yml file:

service: lambda-test
  useDotenv: true
  provider:
    name: aws
    region: 'us-east-1'
    stage: 'sbx'
    versionFunctions: true

  plugins:
    - serverless-lambda-edge-pre-existing-cloudfront

  functions:
    countryResolver:
      name: 'XXXZZZZYYYYY'
      handler: src/index.js
      events:
      - preExistingCloudFront:
          distributionId: 'zzzzzzzz'
          eventType: 'origin-request'
          pathPattern: '*'
          includeBody: false
          stage: sbx
  resources:
    Resources:
      IamRoleLambdaExecution:
        Type: "AWS::IAM::Role"
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - lambda.amazonaws.com
                    - edgelambda.amazonaws.com
                Action: sts:AssumeRole
      EdgeAuthEnableReplicationPermission:
        Type: 'AWS::Lambda::Permission'
        Properties:
          Action: "lambda:EnableReplication"
          FunctionName: "XXXZZZZYYYYY"
          Principal: "*"

Hi guys,

First of all, thank you for the work done with this. It's unfortunate that serverless doesn't handle this automatically and this library is really helpful.

When my serverless.yml only contained 1 lambda@edge (eventType: origin-request) everything went smoothly.
However when I added a second function (eventType: viewer-request) CloudFormation started returning 412 (precondition failed).

Initially I thought I had something wrong with my function and I did several attempts including making the changes manually... All of them worked.

Then I tried switching the order of the functions (moving the Viewer-Request one to be created first). Still got a 412, but on the second one (which was now the Origin-Request one).

With that said, it seems that the solution would be to add a delay, a retry, or a wait until updateDistribution is done and changes are made so that you can run the second updateDistribution.

Otherwise this becomes a limitation for updating a CF Distribution.

Let me know if you need more info, or what am I missing :)

Thank you for your time! 👍 Keep up the good work and stay safe!

Hi!

We have one stack for all our resources (db/cognito/cloudfront/s3 etc) and another stack for all our lambdas and API gateway.

If I first add a cloudfront distro in the resources stack and then add a lambda@edge in the API stack, all works as expected (nice!). But if I go back and update the cloudfront in the resources stack, ex. enable compression, then the lambda@edge is no longer associated with the cloudfront.

Any thoughts / workarounds?

All the best.

Is it possible to use !Ref to satisfy the distributionId parameter? If so, why isn't it in the README? If not, why not?

I hope to deploy to different existing CloudFront distributions based on different stages. However, this plugin does not seem to provide me with that extra layer of functionality. The validStages property that we can configure at the custom section does not do the work since we are not able to set the validStages property for each preExistingCloudFront object.

custom:
  lambdaEdgePreExistingCloudFront: # this configuration applies to every preExistingCloudFront distribution
    validStages:
      - staging
      - production

Therefore, I was thinking that I could open a pull request to add that extra feature. I hope that we could have a stage property for each preExistingCloudFront object under the event array like this:

functions:
  viewerRequest:
    handler: lambdaEdge/viewerRequest.handler
    events:
      - preExistingCloudFront:
          distributionId: xxxxxxx
          eventType: viewer-request
          pathPattern: '*' 
          includeBody: false
          stage: dev # specify the stage when the lambda function is deployed to this cloudfront distribution

See detailed implementation in PR #15

Attempting to deploy a very minimal setup, I've gotten this error:

  Serverless Error ---------------------------------------

  ServerlessError: The function execution role must be assumable with edgelambda.amazonaws.com as well as lambda.amazonaws.com principals. Update the IAM role and try again. Role: arn:aws:iam::822757335928:role/imgiz-2-dev-us-east-1-lambdaRole
      at /usr/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:1178:27
      at processTicksAndRejections (node:internal/process/task_queues:93:5)

It makes sense. However, trying to add Principal/Service parameters to normal IAM definition on serverless.yml didn't work. I had to resort to this workaround I found here.

Resources:
  IamRoleLambdaExecution:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Statement: 
          - Effect: Allow
            Principal: 
              Service:
                - lambda.amazonaws.com
                - edgelambda.amazonaws.com

Wouldn't it make sense for this to be the default roles assigned by this plugin? Or is that something that serverless handles?

In any case, maybe adding this to the README might help others?