Lambda times out when trying to write to SNS, how can I fix this in Terraform?

I have a Lambda in a VPC that needs to write to an SNS topic. I know I need an aws_vpc_endpoint to make this work.

However, my Lambda still times out when trying to write to SNS.

data "aws_vpc_endpoint_service" "sns" {
  service = "sns"
}

# Security group attached to the SNS interface endpoint (no rules defined yet).
resource "aws_security_group" "sns_endpoint" {
  name   = "sns-endpoint"
  vpc_id = aws_default_vpc.default.id
}

resource "aws_vpc_endpoint" "sns_endpoint" {
  vpc_id              = aws_default_vpc.default.id
  vpc_endpoint_type   = "Interface"
  service_name        = data.aws_vpc_endpoint_service.sns.service_name
  security_group_ids  = [aws_security_group.sns_endpoint.id]
  private_dns_enabled = true

  subnet_ids = [
    data.aws_subnet.selected.id,
    aws_default_subnet.subnet_a.id,
    aws_default_subnet.subnet_b.id
  ]

  # Indented heredoc (<<-) so the closing marker may be indented inside the block.
  policy = <<-EOF
    {
      "Statement": [
        {
          "Sid": "SNS-full-access",
          "Principal": "*",
          "Action": "sns:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
  EOF
}

# Security group for the Lambda function: outbound TCP anywhere, no inbound rules.
resource "aws_security_group" "my_func" {
  name   = "my-func"
  vpc_id = aws_default_vpc.default.id

  egress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lambda_function" "my_func" {
  function_name = "my-func"
  role          = aws_iam_role.my_func.arn
  timeout       = 900
  memory_size   = 512
  # handler, runtime and deployment package settings not shown in the question

  vpc_config {
    subnet_ids         = [data.aws_subnet.selected.id]
    security_group_ids = [aws_security_group.my_func.id]
  }
}

DNS hostnames and DNS resolution are enabled for the VPC.

What am I missing here?

By default, an empty security group blocks all access. You need to update the endpoint's security group to allow access from the Lambda function:

resource "aws_security_group" "sns_endpoint" {
  name   = "sns-endpoint"
  vpc_id = aws_default_vpc.default.id

  ingress {
    from_port       = 0
    to_port         = 65535
    protocol        = "tcp"
    security_groups = [aws_security_group.my_func.id]
  }
}

I think you might also be able to lock it down to port 443, but try the above first and see whether it fixes your problem.
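As an added example (not part of the question or the answer above) that carries the port-443 suggestion through: the endpoint's security group admits only HTTPS from the function's security group, the function's egress is limited to the endpoint, and the endpoint policy replaces `sns:*` for `Principal: *` with publish rights on a single topic. `aws_sns_topic.my_topic` and `aws_iam_role.my_func` are assumed to be defined elsewhere in the configuration.

```hcl
resource "aws_security_group" "sns_endpoint" {
  name   = "sns-endpoint"
  vpc_id = aws_default_vpc.default.id

  # SNS interface endpoints speak HTTPS only, so 443 from the Lambda's SG is enough.
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.my_func.id]
  }
}

resource "aws_security_group" "my_func" {
  name   = "my-func"
  vpc_id = aws_default_vpc.default.id
}

# Egress as a standalone rule resource: an inline egress block referencing
# sns_endpoint here would create a dependency cycle with the ingress rule above.
resource "aws_security_group_rule" "my_func_to_sns_endpoint" {
  type                     = "egress"
  security_group_id        = aws_security_group.my_func.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.sns_endpoint.id
}

# Endpoint policy limited to publishing on one topic by the function's role
# (aws_sns_topic.my_topic and aws_iam_role.my_func are assumed to exist).
data "aws_iam_policy_document" "sns_endpoint" {
  statement {
    sid       = "PublishToMyTopicOnly"
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.my_topic.arn]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    # aws:PrincipalArn resolves to the role ARN for an assumed-role session.
    condition {
      test     = "ArnEquals"
      variable = "aws:PrincipalArn"
      values   = [aws_iam_role.my_func.arn]
    }
  }
}
```

Attach the document to the endpoint with `policy = data.aws_iam_policy_document.sns_endpoint.json`. The execution role still needs its own `sns:Publish` permission on the topic, since the endpoint policy only restricts what may pass through the endpoint.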