Search code examples
aws-lambdaaws-sam-cli

Lambda template fails for SubnetIds and SecurityGroupIds

I have the following template in my sam function:

Resources:
  TagChangedFunction:
    Type: AWS::Serverless::Function
      Properties:
        CodeUri: tag_changed_function
        Handler: tag_changed/app.lambda_handler
        Runtime: python3.8
        Policies:
        - VPCAccessPolicy: {}
        - Statement:
          - Sid: EC2DescribeInstancesPolicy
            Effect: "Allow"
            Action:
            - ec2:DescribeInstances
            Resource: '*'
        VpcConfig:
          SubnetIds:
            - sg-061328bxxxxx
          SecurityGroupIds:
            - subnet-03afd77xxxxx
        Events:
          TagChanged:
            Type: CloudWatchEvent
            Properties:
              Pattern:
                source:
                  - aws.tag
                detail-type:
                  - Tag Change on Resource

(I masked the SubnetIds and SecurityGroupIds in the template with xxxxx).

But when I build and try to upload my code to aws, I get the following error message:

2 validation errors detected: Value
'[subnet-061328bxxxxx]' at
'vpcConfig.securityGroupIds' failed to satisfy
constraint: Member must satisfy constraint: [Member must
have length less than or equal to 1024, Member must have
length greater than or equal to 0, Member must satisfy
regular expression pattern: ^sg-[0-9a-z]*$]; Value
'[sg-03afd77xxxxx]' at 'vpcConfig.subnetIds' failed
to satisfy constraint: Member must satisfy constraint:
[Member must have length less than or equal to 1024,
Member must have length greater than or equal to 0,
Member must satisfy regular expression pattern:
^subnet-[0-9a-z]*$] (Service: AWSLambdaInternal; Status
Code: 400; Error Code: ValidationException; Request ID:
641be279-a48f-4249-b0a1-3e221f8bbdf

(again masking with xxxxxx)

As far as I can see, the regex constraints are satisfied. Do anyone see what is wrong in the template?

If I remove the VpcConfig section, it uploads fine.

Solution

  • You're giving sg ID in subnet section and Subnet ID in SG section. Kindly try the below

    Resources:
  TagChangedFunction:
    Type: AWS::Serverless::Function
      Properties:
        CodeUri: tag_changed_function
        Handler: tag_changed/app.lambda_handler
        Runtime: python3.8
        Policies:
        - VPCAccessPolicy: {}
        - Statement:
          - Sid: EC2DescribeInstancesPolicy
            Effect: "Allow"
            Action:
            - ec2:DescribeInstances
            Resource: '*'
        VpcConfig:
          SubnetIds:
            - subnet-03afd77xxxxx
          SecurityGroupIds:
            - sg-061328bxxxxx
        Events:
          TagChanged:
            Type: CloudWatchEvent
            Properties:
              Pattern:
                source:
                  - aws.tag
                detail-type:
                  - Tag Change on Resource