Tags: aws-lambda, aws-sam-cli

AWS Lambda deploy using existing REST API Gateway & Authorizer


I created an AWS Lambda function using sam init.

Everything works just fine for local execution and testing.

My DevOps team created an API Gateway REST API and added a custom Authorizer within there. They did this via their "standardized tooling" (I assume it is Terraform, but it is closed off from view for the developers). They want us to deploy to this created API Gateway resource and associated Authorizer. They also are insisting on using the SAM CLI to deploy and not using the AWS CLI command such as (long story, but they reject use of the AWS CLI in CI/CD):

aws lambda create-function --function-name SomeFunction \
                           --runtime python3.10 \
                           --role arn:aws:iam::123456789012:role/ProvidedRole \
                           --handler index.handler \
                           --code S3Bucket=PreCreatedBucket,S3Key=PackagedFunction.zip

How in the template.yaml that gets generated from sam init can I reference the existing resources?

Based on what I'm reading it doesn't seem like that is possible and I will need to provide some pushback against them for this. Under those circumstances it seems like I'll have to get a little fancier and maybe deploy the function using Terraform, which they might accept. It'll be frustrating, but if I need a magic workaround I can do that.

Sample Template

This is a basic test I tossed together to make things simple for myself. This does not work, but it is what I've been trying to play with at the moment.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Does this madness work?

Globals:
  Function:
    Timeout: 3
    MemorySize: 128
    Runtime: python3.10
    Handler: app.lambda_handler
    Architectures:
      - x86_64

Resources:
  BackendRestAPI:
    Type: AWS::Serverless::Api
    Properties:
      Name: designated-core
      StageName: prod

  PingFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/ping/
      Events:
        BackendRestAPI:
          Type: Api
          Properties:
            Path: /ping
            Method: GET
            RestApiId: !Ref BackendRestAPI

  ProtectedFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/protected/
      Events:
        BackendRestAPI:
          Type: Api
          Properties:
            Path: /protected
            Method: GET
            RestApiId: !Ref BackendRestAPI
            Auth:
              Authorizer: cognito
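One way to deploy a SAM-packaged function onto a REST API and custom authorizer that already exist, as an added example that is not from the original post: a SAM Api event only accepts a RestApiId that points to an AWS::Serverless::Api in the same template, so the existing API and authorizer IDs are passed in as parameters and the route, authorization, invoke permission and deployment are declared with plain CloudFormation API Gateway resources. The three parameter values, the /protected path and the "prod" stage name are assumptions.

```yaml
Transform: AWS::Serverless-2016-10-31
Parameters:   # values come from the DevOps-owned API; all three are assumed inputs
  ExistingRestApiId:
    Type: String   # the REST API ID shown in the API Gateway console
  ExistingRootResourceId:
    Type: String   # ID of that API's root ("/") resource, parent for new paths
  ExistingAuthorizerId:
    Type: String   # ID of the custom authorizer already attached to the API

Resources:
  ProtectedFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/protected/
      Handler: app.lambda_handler
      Runtime: python3.10
      # No Events block: a SAM Api event cannot target an API outside this template.
  ProtectedResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref ExistingRestApiId
      ParentId: !Ref ExistingRootResourceId
      PathPart: protected
  ProtectedMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref ExistingRestApiId
      ResourceId: !Ref ProtectedResource
      HttpMethod: GET
      AuthorizationType: CUSTOM            # the existing authorizer must pass before Lambda runs
      AuthorizerId: !Ref ExistingAuthorizerId
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST        # Lambda proxy integrations are always invoked with POST
        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${ProtectedFunction.Arn}/invocations
  ProtectedInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref ProtectedFunction
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com
      # Scoped to this API, the assumed "prod" stage, verb and path, not to any API Gateway caller
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ExistingRestApiId}/prod/GET/protected
  ProtectedDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: ProtectedMethod
    Properties:
      RestApiId: !Ref ExistingRestApiId
      StageName: prod                      # assumed existing stage; repoints it at the new deployment
```

Pass the three IDs with `sam deploy --parameter-overrides`; because the stage is owned by the DevOps tooling, repointing it from this stack will show up as drift on their side, so agree on who redeploys it.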

Solution

  • This isn't an "answer" per se.

    Basically I talked the company into a fundamental transformation of quite a few things. It took a few days and a lot of weekend work, but I was able to get it done. For those out there in the tech world: learn your business concepts, how to create cost analysis, how to do project planning, learn your Project Management skills (even snag yourself a PMP if you can), etc.

    Sometimes the effort pays off.