Serverless Security Groups are required to be in the same VPC

I'm currently running into a problem trying to bind my serverless handlers to my VPC. My deploy command is the following:

serverless deploy --aws-profile prod --stage prod --alias prod --verbose

I'm using this plugin.

After the deploy fails, I get the following error message:

Serverless: Operation failed!
Serverless: View the full error output: <error url>

 Serverless Error ----------------------------------------

An error occurred: OnAddObligationFileLambdaFunction - Resource handler returned message: "Security Groups are required to be in the same VPC. (Service: Lambda, Status Code: 400, Request ID: 2a4e05b8-6b7b-470a-ab06-fe1ba22ec3c3, Extended Request ID: null)" (RequestToken: 1417189a-154f-d638-6467-846b778c8850, HandlerErrorCode: InvalidRequest).

I'd like to know whether this is a problem with my security group configuration. Should I delete my lambda? The error message also bothers me: "Security Groups are required to be in the same VPC" - the same VPC as what? The same VPC as the lambda? The same VPC as the subnets? I don't understand that message. It's strange, because those subnets and that security group are already in the same VPC.

During the serverless deploy I keep getting the following failures in CloudFormation:

CloudFormation - UPDATE_FAILED - AWS::Lambda::Function - OnAddObligationFileLambdaFunction
CloudFormation - UPDATE_FAILED - AWS::Lambda::Function - DownloadLambdaFunction
CloudFormation - UPDATE_FAILED - AWS::Lambda::Function - FindAndStoreAllLambdaFunction
CloudFormation - UPDATE_FAILED - AWS::Lambda::Function - DownloadByFOIdLambdaFunction
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - DBRouteTable6
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - AppRouteTable4
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - DBRouteTable1
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - AppRouteTable3
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - AppRouteTable6
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - DBRouteTable2
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - DBRouteTable3
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - PublicRouteTable1
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - DBRouteTable5
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - PublicRouteTable4
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - PublicRouteTable5
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - AppRouteTable2
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - PublicRouteTable6
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - PublicRouteTable2
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - AppRouteTable1
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - AppRouteTable5
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - DBRouteTable4
CloudFormation - CREATE_FAILED - AWS::EC2::RouteTable - PublicRouteTable3

Here is my serverless.yml:

service: functions-dte

provider:
  name: aws
  vpc:
    subnetIds:
      - subnet-*****************
      - subnet-*****************
    securityGroupIds:
      - sg-***************
  runtime: nodejs12.x
  stage: ${env:ENV}
  region: us-east-1
  timeout: 899
  environment:
    NODE_ENV: prod
    ENV: prod
    DB_URI: <mongo_uri>
    BUCKET_NC: ${self:custom.${opt:stage, self:provider.stage}.ncBucket}
  iamRoleStatements:
    - Effect: Allow
      Action:
        - 's3:*'
      Resource: '*'

plugins:
  - serverless-plugin-typescript
  - serverless-offline
  - serverless-dotenv-plugin
  - serverless-vpc-plugin
package:
  exclude:
    - config/.env.stg
    - config/.env.pro
  include:
    - config/.env.dev

functions:
  download:
    handler: src/handlers/app.download

  downloadByFOId:
    handler: src/handlers/app.downloadByFOId
  findAndStoreAll:
    handler: src/handlers/app.findAndStoreAll
    events:
      - http:
          path: findAndStoreAll
          method: post
  onAddObligationFile:
    handler: src/handlers/app.onAddObligationFile
    events:
      - http:
          path: onAddObligationFile
          method: post
      - s3:
          existing: ${self:custom.${opt:stage, self:provider.stage}.ncExisting}
          bucket: ${self:custom.${opt:stage, self:provider.stage}.ncBucket}
          event: s3:ObjectCreated:*
          rules:
            - suffix: .pdf
            - prefix: cloud/files/

custom:
  dev:
    ncBucket: gj-nextcloud-backend-dev
    ncExisting: false
  prod:
    ncBucket: gj-nextcloud-backend
    ncExisting: true

After some research we were able to connect our lambda to our VPC using serverless. The solution was: stop using serverless-vpc-plugin.

It turns out that serverless-vpc-plugin automatically creates an AWS VPC, which is not what we were looking for. We had already created our VPC with terraform.

From the serverless-vpc-plugin documentation:

Automatically creates an AWS Virtual Private Cloud (VPC) using all available Availability Zones (AZ) in a region.

In other words, serverless-vpc-plugin makes no sense when the target VPC already exists.
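A pre-deploy consistency check for the provider.vpc block, added here as an example and not code from the question, the answer or serverless-vpc-plugin. It assumes the response shape of boto3's ec2 describe_subnets / describe_security_groups and uses constructed IDs; in real use the live responses would be passed instead of the inline stand-ins.

```python
"""Pre-deploy check for the provider.vpc block of a serverless.yml: every listed
subnet and security group must sit in one VPC, otherwise Lambda rejects the
function with 'Security Groups are required to be in the same VPC'."""
from typing import Dict, List

# Constructed stand-ins for boto3 ec2.describe_subnets() and
# ec2.describe_security_groups() responses.  Two subnets belong to a freshly
# created VPC (the kind serverless-vpc-plugin produces), two to a pre-existing
# terraform VPC, and the security group only exists in the terraform VPC.
# All IDs are made up.
PLUGIN_VPC, TERRAFORM_VPC = "vpc-0aaaaaaaaaaaaaaa1", "vpc-0bbbbbbbbbbbbbbb2"
DESCRIBE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0aaaaaaaaaaaaaaa1", "VpcId": PLUGIN_VPC},
    {"SubnetId": "subnet-0aaaaaaaaaaaaaaa2", "VpcId": PLUGIN_VPC},
    {"SubnetId": "subnet-0bbbbbbbbbbbbbbb1", "VpcId": TERRAFORM_VPC},
    {"SubnetId": "subnet-0bbbbbbbbbbbbbbb2", "VpcId": TERRAFORM_VPC},
]}
DESCRIBE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0bbbbbbbbbbbbbbb1", "VpcId": TERRAFORM_VPC},
]}
# A block that mixes subnets from one VPC with a security group from another
# (the condition the 400 reports) versus one that stays inside the terraform VPC.
BROKEN_VPC_CFG = {"subnetIds": ["subnet-0aaaaaaaaaaaaaaa1", "subnet-0aaaaaaaaaaaaaaa2"],
                  "securityGroupIds": ["sg-0bbbbbbbbbbbbbbb1"]}
FIXED_VPC_CFG = {"subnetIds": ["subnet-0bbbbbbbbbbbbbbb1", "subnet-0bbbbbbbbbbbbbbb2"],
                 "securityGroupIds": ["sg-0bbbbbbbbbbbbbbb1"]}

def vpc_mismatches(vpc_cfg: Dict[str, List[str]], subnets: Dict, sgs: Dict) -> List[str]:
    """Return a list of problems; an empty list means the block is consistent."""
    subnet_vpc = {s["SubnetId"]: s["VpcId"] for s in subnets["Subnets"]}
    sg_vpc = {g["GroupId"]: g["VpcId"] for g in sgs["SecurityGroups"]}
    problems: List[str] = []
    members_by_vpc: Dict[str, List[str]] = {}
    for sid in vpc_cfg.get("subnetIds", []):
        if sid not in subnet_vpc:
            problems.append(f"{sid}: no such subnet in this account/region")
        else:
            members_by_vpc.setdefault(subnet_vpc[sid], []).append(sid)
    for gid in vpc_cfg.get("securityGroupIds", []):
        if gid not in sg_vpc:
            problems.append(f"{gid}: no such security group in this account/region")
        else:
            members_by_vpc.setdefault(sg_vpc[gid], []).append(gid)
    if len(members_by_vpc) > 1:  # more than one VPC referenced: Lambda will refuse it
        for vpc_id, members in sorted(members_by_vpc.items()):
            problems.append(f"{vpc_id} holds {', '.join(members)}")
    return problems

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_VPC_CFG), ("fixed", FIXED_VPC_CFG)):
        print(name, vpc_mismatches(cfg, DESCRIBE_SUBNETS, DESCRIBE_SGS) or "OK")
```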