AWS Compute Blog
Using container image support for AWS Lambda with AWS SAM
At AWS re:Invent 2020, AWS Lambda released Container Image Support for Lambda functions. This new feature allows developers to package and deploy Lambda functions as container images of up to 10 GB in size. With this release, AWS SAM also added support to manage, build, and deploy Lambda functions using container images.
In this blog post, I walk through building a simple serverless application that uses Lambda functions packaged as container images with AWS SAM. I demonstrate creating a new application and highlight changes to the AWS SAM template specific to container image support. I then cover building the image locally for debugging in addition to eventual deployment. Finally, I show using AWS SAM to handle packaging and deploying Lambda functions from a developer’s machine or a CI/CD pipeline.
The process for creating a Lambda function packaged as a container requires only a few steps. A developer first creates the container image and tags that image with the appropriate label. The image is then uploaded to an Amazon Elastic Container Registry (ECR) repository using docker push.
During the Lambda create or update process, the Lambda service pulls the image from ECR, optimizes the image for use, and deploys the image to the Lambda service. Once this, and any other configuration processes are complete, the Lambda function is then in Active status and ready to be invoked. The AWS SAM CLI manages most of these steps for you.
Prerequisites
The following tools are required in this walkthrough:
Create the application
Use the terminal and follow these steps to create a serverless application:
- Enter
sam init
. - For Template source, select option one for AWS Quick Start Templates.
- For Package type, choose option two for Image.
- For Base image, select option one for amazon/nodejs12.x-base.
- Name the application demo-app.
Exploring the application
Open the template.yaml file in the root of the project to see the new options available for container image support. The AWS SAM template has two new values that are required when working with container images. PackageType: Image tells AWS SAM that this function is using container images for packaging.
The second set of required data is in the Metadata section that helps AWS SAM manage the container images. When a container is created, a new tag is added to help identify that image. By default, Docker uses the tag, latest. However, AWS SAM passes an explicit tag name to help differentiate between functions. That tag name is a combination of the Lambda function resource name, and the DockerTag value found in the Metadata. Additionally, the DockerContext points to the folder containing the function code and Dockerfile identifies the name of the Dockerfile used in building the container image.
In addition to changes in the template.yaml file, AWS SAM also uses the Docker CLI to build container images. Each Lambda function has a Dockerfile that instructs Docker how to construct the container image for that function. The Dockerfile for the HelloWorldFunction is at hello-world/Dockerfile.
Local development of the application
AWS SAM provides local development support for zip-based and container-based Lambda functions. When using container-based images, as you modify your code, update the local container image using sam build
. AWS SAM then calls docker build using the Dockerfile for instructions.
In the case of the HelloWorldFunction that uses Node.js, the Docker command:
- Pulls the latest container base image for nodejs12.x from the Amazon Elastic Container Registry Public.
- Copies the app.js code and package.json files to the container image.
- Installs the dependencies inside the container image.
- Sets the invocation handler.
- Creates and tags new version of the local container image.
To build your application locally on your machine, enter:
sam build
The results are:
Now test the code by locally invoking the HelloWorldFunction using the following command:
sam local invoke HelloWorldFunction
The results are:
You can also combine these commands and add flags for cached and parallel builds:
sam build --cached --parallel && sam local invoke HelloWorldFunction
Deploying the application
There are two ways to deploy container-based Lambda functions with AWS SAM. The first option is to deploy from AWS SAM using the sam deploy
command. The deploy command tags the local container image, uploads it to ECR, and then creates or updates your Lambda function. The second method is the sam package
command used in continuous integration and continuous delivery or deployment (CI/CD) pipelines, where the deployment process is separate from the artifact creation process.
AWS SAM package tags and uploads the container image to ECR but does not deploy the application. Instead, it creates a modified version of the template.yaml file with the newly created container image location. This modified template is later used to deploy the serverless application using AWS CloudFormation.
Deploying from AWS SAM with the guided flag
Before you can deploy the application, use the AWS CLI to create a new ECR repository to store the container image for the HelloWorldFunction.
Run the following command from a terminal:
aws ecr create-repository --repository-name demo-app-hello-world \
--image-tag-mutability IMMUTABLE --image-scanning-configuration scanOnPush=true
This command creates a new ECR repository called demo-app-hello-world. The –image-tag-mutability IMMUTABLE option prevents overwriting tags. The –image-scanning-configuration scanOnPush=true enables automated vulnerability scanning whenever a new image is pushed to the repository. The output is:
Make a note of the repositoryUri as you need it in the next step.
Before you can push your images to this new repository, ensure that you have logged in to the managed Docker service that ECR provides. Update the bracketed tokens with your information and run the following command in the terminal:
aws ecr get-login-password --region <region> | docker login --username AWS \
--password-stdin <account id>.dkr.ecr.<region>.amazonaws.com
You can also install the Amazon ECR credentials helper to help facilitate Docker authentication with Amazon ECR.
After building the application locally and creating a repository for the container image, you can deploy the application. The first time you deploy an application, use the guided version of the sam deploy
command and follow these steps:
- Type
sam deploy --guided
, orsam deploy -g
. - For Stack Name, enter demo-app.
- Choose the same Region that you created the ECR repository in.
- Enter the Image Repository for the HelloWorldFunction (this is the repositoryUri of the ECR repository).
- For Confirm changes before deploy and Allow SAM CLI IAM role creation, keep the defaults.
- For HelloWorldFunction may not have authorization defined, Is this okay? Select Y.
- Keep the defaults for the remaining prompts.
AWS SAM uploads the container images to the ECR repo and deploys the application. During this process, you see a changeset along with the status of the deployment. When the deployment is complete, the stack outputs are then displayed. Use the HelloWorldApi endpoint to test your application in production.
When you use the guided version, AWS SAM saves the entered data to the samconfig.toml file. For subsequent deployments with the same parameters, use sam deploy
. If you want to make a change, use the guided deployment again.
This example demonstrates deploying a serverless application with a single, container-based Lambda function in it. However, most serverless applications contain more than one Lambda function. To work with an application that has more than one Lambda function, follow these steps to add a second Lambda function to your application:
- Copy the hello-world directory using the terminal command
cp -R hello-world hola-world
- Replace the contents of the template.yaml file with the following
AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: demo app Globals: Function: Timeout: 3 Resources: HelloWorldFunction: Type: AWS::Serverless::Function Properties: PackageType: Image Events: HelloWorld: Type: Api Properties: Path: /hello Method: get Metadata: DockerTag: nodejs12.x-v1 DockerContext: ./hello-world Dockerfile: Dockerfile HolaWorldFunction: Type: AWS::Serverless::Function Properties: PackageType: Image Events: HolaWorld: Type: Api Properties: Path: /hola Method: get Metadata: DockerTag: nodejs12.x-v1 DockerContext: ./hola-world Dockerfile: Dockerfile Outputs: HelloWorldApi: Description: "API Gateway endpoint URL for Prod stage for Hello World function" Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/hello/" HolaWorldApi: Description: "API Gateway endpoint URL for Prod stage for Hola World function" Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/hola/"
- Replace the contents of hola-world/app.js with the following
let response; exports.lambdaHandler = async(event, context) => { try { response = { 'statusCode': 200, 'body': JSON.stringify({ message: 'hola world', }) } } catch (err) { console.log(err); return err; } return response };
- Create an ECR repository for the HolaWorldFunction
aws ecr create-repository --repository-name demo-app-hola-world \ --image-tag-mutability IMMUTABLE --image-scanning-configuration scanOnPush=true
- Run the guided deploy to add the second repository:
sam deploy -g
The AWS SAM guided deploy process allows you to provide the information again but prepopulates the defaults with previous values. Update the following:
- Keep the same stack name, Region, and Image Repository for HelloWorldFunction.
- Use the new repository for HolaWorldFunction.
- For the remaining steps, use the same values from before. For Lambda functions not to have authorization defined, enter Y.
Deploying in a CI/CD pipeline
Companies use continuous integration and continuous delivery (CI/CD) pipelines to automate application deployment. Because the process is automated, using an interactive process like a guided AWS SAM deployment is not possible.
Developers can use the packaging process in AWS SAM to prepare the artifacts for deployment and produce a separate template usable by AWS CloudFormation. The package command is:
sam package --output-template-file packaged-template.yaml \
--image-repository 5555555555.dkr.ecr.us-west-2.amazonaws.com/demo-app
For multiple repositories:
sam package --output-template-file packaged-template.yaml \
--image-repositories HelloWorldFunction=5555555555.dkr.ecr.us-west-2.amazonaws.com/demo-app-hello-world \
--image-repositories HolaWorldFunction=5555555555.dkr.ecr.us-west-2.amazonaws.com/demo-app-hola-world
Both cases create a file called packaged-template.yaml. The Lambda functions in this template have an added tag called ImageUri that points to the ECR repository and a tag for the Lambda function.
Using sam package
to generate a separate CloudFormation template enables developers to separate artifact creation from application deployment. The deployment process can then be placed in an isolated stage allowing for greater customization and observability of the pipeline.
Conclusion
Container image support for Lambda enables larger application artifacts and the ability to use container tooling to manage Lambda images. AWS SAM simplifies application management by bringing these tools into the serverless development workflow.
In this post, you create a container-based serverless application in using command lines in the terminal. You create ECR repositories and associate them with functions in the application. You deploy the application from your local machine and package the artifacts for separate deployment in a CI/CD pipeline.
To learn more about serverless and AWS SAM, visit the Sessions with SAM series at s12d.com/sws and find more resources at serverlessland.com.
#ServerlessForEveryone