feat(AWS Lambda): Allow overriding provider VPC with no VPC on function

serverless · Oct 11, 2021 · 44a81fc · 44a81fc
1 parent 40f574f
commit 44a81fc
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 15 deletions.
diff --git a/docs/providers/aws/guide/functions.md b/docs/providers/aws/guide/functions.md
@@ -357,6 +357,29 @@ functions:
 
 Then, when you run `serverless deploy`, VPC configuration will be deployed along with your lambda function.
 
+If you have a provider VPC set but wish to have specific functions with no VPC, you can set the `vpc` value for these functions to `~` (null). For example:
+
+```yml
+# serverless.yml
+service: service-name
+provider:
+  name: aws
+  vpc:
+    securityGroupIds:
+      - securityGroupId1
+      - securityGroupId2
+    subnetIds:
+      - subnetId1
+      - subnetId2
+
+functions:
+  hello: # this function will have no vpc configured
+    handler: handler.hello
+    vpc: ~
+  users: # this function will inherit the service level vpc config above
+    handler: handler.users
+```
+
 **VPC IAM permissions**
 
 The Lambda function execution role must have permissions to create, describe and delete [Elastic Network Interfaces](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ElasticNetworkInterfaces.html) (ENI). When VPC configuration is provided the default AWS `AWSLambdaVPCAccessExecutionRole` will be associated with your Lambda execution role. In case custom roles are provided be sure to include the proper [ManagedPolicyArns](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-managepolicyarns). For more information please check [configuring a Lambda Function for Amazon VPC Access](http://docs.aws.amazon.com/lambda/latest/dg/vpc.html)

diff --git a/docs/providers/aws/guide/serverless.yml.md b/docs/providers/aws/guide/serverless.yml.md
@@ -325,7 +325,7 @@ functions:
       functionEnvVar: 12345678
     tags: # Function specific tags
       foo: bar
-    vpc: # Optional VPC. But if you use VPC then both subproperties (securityGroupIds and subnetIds) are required
+    vpc: # Optional VPC. If you use VPC then both subproperties (securityGroupIds and subnetIds) are required. Can be set to ~ to specify no VPC.
       securityGroupIds:
         - securityGroupId1
         - securityGroupId2

diff --git a/lib/plugins/aws/package/compile/functions.js b/lib/plugins/aws/package/compile/functions.js
@@ -375,21 +375,24 @@ class AwsCompileFunctions {
     const role = this.provider.getCustomExecutionRole(functionObject);
     this.compileRole(functionResource, role || 'IamRoleLambdaExecution');
 
-    if (!functionObject.vpc) functionObject.vpc = {};
-    if (!this.serverless.service.provider.vpc) this.serverless.service.provider.vpc = {};
-
-    functionResource.Properties.VpcConfig = {
-      SecurityGroupIds:
-        functionObject.vpc.securityGroupIds ||
-        this.serverless.service.provider.vpc.securityGroupIds,
-      SubnetIds: functionObject.vpc.subnetIds || this.serverless.service.provider.vpc.subnetIds,
-    };
+    // ensure provider VPC is not used if function VPC explicitly unset
+    if (functionObject.vpc !== null && functionObject.vpc !== false) {
+      if (!functionObject.vpc) functionObject.vpc = {};
+      if (!this.serverless.service.provider.vpc) this.serverless.service.provider.vpc = {};
+
+      functionResource.Properties.VpcConfig = {
+        SecurityGroupIds:
+          functionObject.vpc.securityGroupIds ||
+          this.serverless.service.provider.vpc.securityGroupIds,
+        SubnetIds: functionObject.vpc.subnetIds || this.serverless.service.provider.vpc.subnetIds,
+      };
 
-    if (
-      !functionResource.Properties.VpcConfig.SecurityGroupIds ||
-      !functionResource.Properties.VpcConfig.SubnetIds
-    ) {
-      delete functionResource.Properties.VpcConfig;
+      if (
+        !functionResource.Properties.VpcConfig.SecurityGroupIds ||
+        !functionResource.Properties.VpcConfig.SubnetIds
+      ) {
+        delete functionResource.Properties.VpcConfig;
+      }
     }
 
     const fileSystemConfig = functionObject.fileSystemConfig;

diff --git a/test/unit/lib/plugins/aws/package/compile/functions.test.js b/test/unit/lib/plugins/aws/package/compile/functions.test.js
@@ -1419,6 +1419,10 @@ describe('lib/plugins/aws/package/compile/functions/index.test.js', () => {
                 arn: 'arn:aws:elasticfilesystem:us-east-1:111111111111:access-point/fsap-a1a1a1a1a1a1a1a1a',
               },
             },
+            vpcNullify: {
+              vpc: null,
+              handler: 'index.handler',
+            },
           },
         },
       });
@@ -1464,6 +1468,12 @@ describe('lib/plugins/aws/package/compile/functions/index.test.js', () => {
       expect(VpcConfig.SubnetIds).to.deep.equal(fooFunctionConfig.vpc.subnetIds);
     });
 
+    it('should allow `functions[].vpc` to specify no vpc', () => {
+      const Properties = cfResources[naming.getLambdaLogicalId('vpcNullify')].Properties;
+
+      expect(Properties.VpcConfig).to.be.undefined;
+    });
+
     it('should support `provider.tags`', () => {
       const providerConfig = serviceConfig.provider;