Managing Custom Lambda Container Images with AWS Amplify
This repository provides a solution for managing custom Lambda container images as part of an AWS Amplify project. It addresses the limitation of the Amplify CLI, which currently doesn't support creating Lambda functions with custom container images out of the box.
Custom Lambda containers are useful in scenarios where you need more control over the runtime environment of your Lambda functions. This could be due to various reasons such as:
- When the Lambda function has many dependent libraries that may exceed the file size limitation of Lambda Layers.
- When the installation of other executable binaries is needed for the project.
- When there is a need to build and test the Lambda function code on a local machine and then deploy the exact same environment to the AWS Lambda service.
In such scenarios, you can package your code and dependencies in a Docker image, and then use this image to create a Lambda function. This repository provides a blueprint for managing such custom Lambda container images as part of an AWS Amplify project.
Onboarding a Custom Lambda
To include a new custom Lambda, adhere to these steps:
- Create a new custom resource by running amplify add custom. This command creates a new resource in your Amplify project.
- Modify the created CloudFormation template similar to mybiglambda-cloudformation-template.json provided in this repository. The key changes are in the Resources section where we define our Lambda function and its properties. This includes the function name, which is generated based on the Amplify App ID and the function name, and the image URI, which is generated based on the ECR repository name and image tag.
- Create a new subfolder in the containers folder with the name of your Lambda function, similar to containers/mybiglambda. This folder will contain your "Lambda-compatible" Dockerfile and any other dependencies needed for your function.
- Add secrets to a file named containers/container-secrets.yml. This file is used to automate the upload of secrets to the AWS SSM Parameter Store during the Amplify pre-push hook. The secrets are defined in a specific format, with placeholders for the Amplify App ID, Amplify environment name, and Lambda function name.

    amplify:
      <AmplifyAppID>:
        <AmplifyEnvName>:
          <LambdaFunctionName>:
            DUMMY_SECRET: !secure 'Hello World'

- Execute amplify push, which kicks off the custom Lambda image build and deployment process, handled by the containers/deploy.sh script. This script performs several tasks:
- It creates an ECR repository for your Lambda function if it doesn't already exist.
- It builds and pushes a Docker image to the ECR repository.
- It increments a value called "next_tag" for each deployment. This ensures that each deployment uses a new Docker image.
- It updates the CloudFormation template with the correct values for the Amplify App ID, image tag, and repository name.
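
The four tasks above can be sketched in shell as follows. This is an added example, not the repository's containers/deploy.sh. The template placeholders (<AMPLIFY_APP_ID>, <REPO_NAME>, <IMAGE_TAG>), the counter file location, the template.in.json file, the repository naming scheme and all function names are assumptions.

```bash
# Added sketch; not the repository's containers/deploy.sh.
# Assumed: template placeholders, counter file layout, function names.
set -eu

safe_value() {   # reject anything that could alter the sed expression or the JSON
  case $1 in ''|*[!A-Za-z0-9_./-]*) return 1 ;; *) return 0 ;; esac
}

next_tag() {     # $1 = counter file; prints the tag to use, stores tag + 1
  local file="$1" tag=1
  if [ -f "$file" ]; then tag=$(cat "$file"); fi
  case $tag in ''|*[!0-9]*) echo "corrupt tag counter: $file" >&2; return 1 ;; esac
  echo $((tag + 1)) > "$file"
  echo "$tag"
}

image_uri() {    # $1 account ID, $2 region, $3 repository, $4 tag
  printf '%s.dkr.ecr.%s.amazonaws.com/%s:%s\n' "$1" "$2" "$3" "$4"
}

ensure_repo() {  # $1 repository, $2 region; create only if missing
  aws ecr describe-repositories --repository-names "$1" --region "$2" >/dev/null 2>&1 ||
    aws ecr create-repository --repository-name "$1" --region "$2" \
      --image-tag-mutability IMMUTABLE >/dev/null  # a pushed tag can never be overwritten
}

build_and_push() {  # $1 build context, $2 full image URI, $3 region
  aws ecr get-login-password --region "$3" |
    docker login --username AWS --password-stdin "${2%%/*}"
  docker build -t "$2" "$1"
  docker push "$2"
}

render_template() {  # $1 template, $2 app ID, $3 repository, $4 tag; prints result
  local v
  for v in "$2" "$3" "$4"; do
    safe_value "$v" || { echo "unsafe template value: $v" >&2; return 1; }
  done
  sed -e "s|<AMPLIFY_APP_ID>|$2|g" -e "s|<REPO_NAME>|$3|g" \
      -e "s|<IMAGE_TAG>|$4|g" "$1"
}

if [ "${1:-}" = deploy ]; then  # deploy <app-id> <function> <account-id> <region>
  repo="amplify-$2-$3"; tag=$(next_tag "containers/$3/next_tag")
  ensure_repo "$repo" "$5"
  build_and_push "containers/$3" "$(image_uri "$4" "$5" "$repo" "$tag")" "$5"
  render_template "amplify/backend/custom/$3/template.in.json" "$2" "$repo" "$tag" \
    > "amplify/backend/custom/$3/$3-cloudformation-template.json"
fi
```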
Secrets Management
The repository provides a solution for secrets management using a tool called ssm-diff. Secrets are defined in the container-secrets.yml file and uploaded to the AWS SSM Parameter Store during the Amplify pre-push hook. The upload process replaces placeholders in the secrets file with the actual Amplify App ID, uploads the secrets to the SSM Parameter Store, and then reverts the placeholders.
Conclusion
This repository provides an opinionated blueprint for managing custom Lambda container images and secrets as part of an AWS Amplify project. It demonstrates how to leverage Amplify Hooks and custom CloudFormation resources to overcome the limitations of the Amplify CLI.