amazon web services - how to launch lambda functions from AWS SAM and assign custom AWS IAM role to lambda

Question

Right now in our CloudFormation templates we are creating few lambda functions, which then used multiple Cloudformation templates to do the automation task in order to have single click deployment of our product stack. Below is the sample CF template for CF lambda resources.

HelmLambda:
  DependsOn: [ LambdaSGCleanup ]
  Type: AWS::Lambda::Function
  Properties:
    Handler: lambda_function.lambda_handler
    MemorySize: 512
    Role: !Ref EKSProvisionRoleArn
    Runtime: python3.7
    Timeout: 900
    Layers: [!Ref KubectlLayer, !Ref HelmLayer, !Ref CrhelperLayer]
    Code:
      S3Bucket: !Ref 'BucketName'
      S3Key: !Sub '${KeyPrefix}functions/packages/Helm/lambda.zip'
HelmLayer:
  Type: AWS::Lambda::LayerVersion
  Properties:
    Content:
      S3Bucket: !Ref 'BucketName'
      S3Key: !Sub '${KeyPrefix}functions/packages/helmLayer/lambda.zip'

In above lambda function we have two dependencies. One is IAM role and Layer ARN. IAM role and Layer ARN this create on run time.

Now we want to put our product on AWS-Marketplace and we came to know that creating lambda function as above is not supported by AWS-Marketplace guidelines.

We are thinking of converting our lambda functions to AWS SAM. but we are not able to figure out how to use IAM role and Layer Arn which are created at run time during the CF stack deployment with AWS SAM and create lambda functions.

Any help or guidance on this will be highly appreciated.

Answer 1

So if you want to reference the role and layer created by SAM as per the documentation you need to define them in the template, below is a working template :

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  sam-with-layers

  Sample SAM Template for sam-with-layers

Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${AWS::StackName}-lambda-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            Principal:
              Service: lambda.amazonaws.com
      Policies:
        - PolicyName: WriteCloudWatchLogs
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: 'arn:aws:logs:*:*:*'
  HelloWorldFunction:
    Type: AWS::Serverless::Functionn
    Properties:
      CodeUri: hello_world/
      Handler: app.lambda_handler
      Runtime: python3.8
      Role: !GetAtt LambdaRole.Arn
      Layers:
        - !Ref MyLambdaLayer

  MyLambdaLayer:
        Type: AWS::Serverless::LayerVersion
        Properties:
            LayerName: MyLambdaLayer
            ContentUri: lambda-layer/
            CompatibleRuntimes:
              - python3.8
            RetentionPolicy: Retain

and below is my dir structure:

.
├── README.md
├── hello_world
│?? ├── app.py
│?? └── requirements.txt
├── lambda-layer
│?? └── python
│??     └── lib
│??         └── python3.8
│??             └── site-packages
│??                 └── hello.py
├── samconfig.toml
└── template.yaml