few-analyst-47494

04/18/2023, 9:07 AM
Hi, I’m trying to understand why `securityGroupIds` is a required field in the `vpcConfig` for AWS Lambdas. In my architecture, I have a lambda defined in the private subnet of a VPC and already attached a security group to the VPC. So when I’m associating the lambda with the subnet using `subnetIds` in `vpcConfig`, why do I necessarily have to respecify the `securityGroupId` too?

fresh-spring-82225

04/18/2023, 3:42 PM
I was wondering about that too. I think the answer is that even though the security group belongs to the VPC, it has to be explicitly associated with a resource (lambda, or EC2 instance) to take effect.
The terminology “vpc config” for lambdas comes from aws, but it’s a little confusing because it implies that it just describes the vpc. It both identifies the subnets and the security groups to use. Different lambdas in the same subnet can use different security groups.

few-analyst-47494

04/19/2023, 2:23 AM
That makes sense. A VPC can have different security groups and a lambda in that VPC can have any one of those associated security groups. I wonder what would happen if a security group that is not associated with a VPC is associated with a lambda in that VPC?

polite-napkin-90098

04/19/2023, 2:29 PM
I think you'd get an error telling you that the SG was not in the right VPC. I've not played with lambdas but have seen a similar error with other resources, i.e. ECS Fargate tasks.