Interface VPC Endpoint to Lambda
CloudFormation template:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: An interface VPC Endpoint to Lambda
Transform: AWS::Serverless-2016-10-31
```
Overview
An interface VPC Endpoint for the Lambda service, so that workloads inside the VPC can invoke a Lambda function over HTTPS without a route to the internet (no internet gateway or NAT gateway in the path). The endpoint places elastic network interfaces in the listed private subnets; callers talk to those interfaces, and the traffic stays on the AWS network.
Parameters
DeploymentName

```yaml
Parameters:
  DeploymentName:
    Type: String
    Description: A name for this deployment
```
A deployment is a deployed application, potentially comprised of many CloudFormation stacks. This is sometimes called an "environment", but that is an overloaded and confusing term. Use the DeploymentName to indicate which logical deployment a stack belongs to; here it is also the prefix of the exported values (VPC and subnet IDs) that this stack imports.

If a deployment is completely specified by exactly one CloudFormation template, the DeploymentName and AWS::StackName refer to the same thing. In that case, consider not using a DeploymentName parameter.
VPC Endpoint for Lambda
Two resources make up the endpoint: a security group that controls who may reach the endpoint's network interfaces, and the endpoint itself with an endpoint policy that controls which Lambda API calls may pass through it. Both belong under the template's top-level Resources: key.

```yaml
  # Security group attached to the endpoint's network interfaces.
  # The Lambda service endpoint speaks HTTPS, so ingress must be TCP 443
  # (the original "HTTP on port 80" rule would never carry an invocation).
  VpcEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS (443) to the Lambda endpoint from the ALB security group
      VpcId:
        Fn::ImportValue: !Sub "${DeploymentName}-VpcId"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          # Only members of AlbSecurityGroup may reach the endpoint.
          # AlbSecurityGroup is not defined in this section; !Ref requires it
          # to exist in the same template.
          SourceSecurityGroupId: !Ref AlbSecurityGroup
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  VpcEndpointLambda:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      # Endpoint policy: restricts which API calls can traverse this endpoint.
      # It does not grant permissions by itself; the caller still needs the
      # matching IAM permission on its own identity.
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              # Every Lambda action on the function is allowed through.
              # If the endpoint only exists to invoke, narrow this to
              # lambda:InvokeFunction.
              - "lambda:*"
            Resource:
              - !GetAtt HelloWorldFunction.Arn
      SecurityGroupIds:
        - !Ref VpcEndpointSecurityGroup
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.lambda"
      SubnetIds:
        - Fn::ImportValue: !Sub "${DeploymentName}-PrivateSubnet1"
        - Fn::ImportValue: !Sub "${DeploymentName}-PrivateSubnet2"
      VpcEndpointType: Interface
      VpcId:
        Fn::ImportValue: !Sub "${DeploymentName}-VpcId"
```

Two things to check before relying on the "no internet" property. First, the endpoint policy above allows "lambda:*" on the function, so control-plane calls such as updating the function's code or adding resource permissions can also pass through the endpoint if the caller's IAM identity permits them; an invoke-only endpoint should allow only lambda:InvokeFunction. Second, PrivateDnsEnabled is not set, and it defaults to false for interface endpoints. Without private DNS, the regional hostname lambda.<region>.amazonaws.com still resolves to public addresses and a client using the default SDK endpoint will not use this endpoint at all; either set PrivateDnsEnabled: true (the VPC must have DNS hostnames and DNS support enabled) or point clients at the endpoint-specific DNS name.
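To make the difference between the "lambda:*" endpoint policy and an invoke-only policy concrete, the following added example (not part of this template) evaluates both policies against a handful of Lambda actions using a simplified model of IAM evaluation: an explicit Deny wins, otherwise any matching Allow permits, otherwise the call is implicitly denied. The function ARNs, the candidate actions and the second policy are constructed for illustration; the Principal element is ignored because in an endpoint policy it is "*" and identity is governed by the caller's own IAM policy.

```python
"""Evaluate what a VPC endpoint policy lets through (simplified IAM model).

Added example for this page, not part of the CloudFormation template.
Assumptions: ARNs and action names below are illustrative; principal
and condition elements are not evaluated.
"""
from fnmatch import fnmatchcase

# Constructed ARNs (region, account and function names are illustrative).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldFunction"
OTHER_ARN = "arn:aws:lambda:us-east-1:123456789012:function:SomethingElse"

# The policy as written in the template: every Lambda action on the function.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["lambda:*"], "Resource": [FUNCTION_ARN]},
    ],
}

# Least-privilege variant: only invocations may traverse the endpoint.
INVOKE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["lambda:InvokeFunction"], "Resource": [FUNCTION_ARN]},
    ],
}

# Actions a caller inside the VPC might attempt through the endpoint.
CANDIDATES = [
    "lambda:InvokeFunction",
    "lambda:UpdateFunctionCode",
    "lambda:AddPermission",
    "lambda:GetFunction",
]


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    """Action names are case-insensitive; '*' and '?' are the only wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    """Resource ARNs are matched case-sensitively with the same wildcards."""
    return fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """True if `action` on `resource` passes the endpoint policy."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_match_action(p, action)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_match_resource(p, resource)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        allowed = True
    return allowed  # implicit deny when nothing matched


def actions_let_through(policy, candidate_actions, resource):
    """Subset of `candidate_actions` the policy permits on `resource`."""
    return [a for a in candidate_actions if is_allowed(policy, a, resource)]


if __name__ == "__main__":
    for name, policy in (("lambda:*", BROAD_POLICY),
                         ("InvokeFunction only", INVOKE_ONLY_POLICY)):
        print(f"{name:>20}: {actions_let_through(policy, CANDIDATES, FUNCTION_ARN)}")
```

Running it shows that the template's policy lets all four candidate actions through for the function, while the invoke-only policy admits just lambda:InvokeFunction; neither policy admits any action on a different function's ARN, which is the one restriction the original policy does provide.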