How to trigger AWS Lambda function when creating ELB Security Group? - amazon-web-services

I've just created a Lambda function that updates inbound rules of my Security Group with an "AmazonIpSpaceChanged" SNS trigger that runs every time the AWS IP JSON file is updated.
I would like to know if it is possible to make this function also run when creating a Security Group. If so, do I have to go through a CloudWatch / CloudTrail event, or is it possible to create an "SNS" type event in my CloudFormation stack that would trigger this function (like the test event below)?
Example of a test event that works to test the function:
{
"Records": [
{
"EventVersion": "1.0",
"EventSubscriptionArn": "arn:aws:sns:EXAMPLE",
"EventSource": "aws:sns",
"Sns": {
"SignatureVersion": "1",
"Timestamp": "1970-01-01T00:00:00.000Z",
"Signature": "EXAMPLE",
"SigningCertUrl": "EXAMPLE",
"MessageId": "95df01b4-ee98-5cb9-9903-4c221d41eb5e",
"Message": "{\"create-time\": \"yyyy-mm-ddThh:mm:ss+00:00\", \"synctoken\": \"0123456789\", \"md5\": \"98f21d3824c3b2a4553315bcb0209c69\", \"url\": \"https://ip-ranges.amazonaws.com/ip-ranges.json\"}",
"Type": "Notification",
"UnsubscribeUrl": "EXAMPLE",
"TopicArn": "arn:aws:sns:EXAMPLE",
"Subject": "TestInvoke"
}
}
]
}
Thanks!
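An added example, not part of the question, of a Lambda handler for the AmazonIpSpaceChanged message shown in the test event above: it reads the SNS record, checks the downloaded file against the md5 the message announces before deriving any rules, and takes `fetch` as an injected function so it runs offline. SAMPLE_IP_RANGES and the service name CLOUDFRONT are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, List

# Constructed stand-in for ip-ranges.json (documentation CIDRs, not real AWS ranges).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0123456789",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
}).encode()


def md5_hex(body: bytes) -> str:
    """MD5 is what the AmazonIpSpaceChanged message publishes; it is a checksum, not a signature."""
    return hashlib.md5(body).hexdigest()


def sns_event(message: Dict) -> Dict:
    """Constructed SNS envelope of the shape Lambda receives (see the test event above)."""
    return {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": json.dumps(message)}}]}


def parse_ip_space_message(event: Dict) -> Dict:
    """Pull the url / md5 / synctoken message out of the first SNS record."""
    record = event["Records"][0]
    if record.get("EventSource") != "aws:sns":
        raise ValueError("not an SNS record")
    return json.loads(record["Sns"]["Message"])


def prefixes_for_service(body: bytes, service: str) -> List[str]:
    """IPv4 CIDRs published for one service, sorted so the resulting rule set is stable."""
    doc = json.loads(body)
    return sorted(p["ip_prefix"] for p in doc["prefixes"] if p["service"] == service)


def handler(event: Dict, fetch: Callable[[str], bytes], service: str = "CLOUDFRONT") -> List[str]:
    """Lambda-style entry point; `fetch` is injected so the example runs offline."""
    msg = parse_ip_space_message(event)
    body = fetch(msg["url"])
    # Refuse to touch the security group if the file does not match the announced checksum.
    if not hmac.compare_digest(md5_hex(body), msg["md5"].lower()):
        raise ValueError("ip-ranges.json MD5 does not match the SNS message; skipping update")
    # A real handler would now reconcile the group's inbound rules against this list.
    return prefixes_for_service(body, service)
```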

Related

No further functionality after "eventType": "INITIATED" message while implementing Amazon Connect high-volume outbound communications

I have just created a Campaign in Connect with a Contact flow, then the IAM policies, EventBridge and Pinpoint setup with creation of Segments & Journeys, and in return I got the first event as "eventType": "INITIATED" with Type "VOICE".
But then it got stuck and nothing happened. It should dial a number using the outbound queue, as mentioned in the documentation below:
{
"version": "0",
"id": "35af9eb2-5dda-fafc-48ce-78f223478a85",
"detail-type": "Amazon Connect Contact Event",
"source": "aws.connect",
"account": "XXX92XXX3XXX",
"time": "2022-05-31T08:21:52Z",
"region": "us-east-1",
"resources": [
"arn:aws:connect:us-east-1:XXX92XXX3XXX:instance/8XXXXXX9-1XXa-4XXf-bXXf-3XXXXXXXXX4",
"arn:aws:connect:us-east-1:XXX92XXX3XXX:instance/8XXXXXX9-1XXa-4XXf-bXXf-3XXXXXXXXX4/contact/7b552ed3-b276-42ea-9837-31f8622f4fde"
],
"detail": {
"initiationTimestamp": "2022-05-31T08:21:52.769Z",
"contactId": "7b552ed3-b276-42ea-9837-31f8622f4fde",
"channel": "VOICE",
"instanceArn": "arn:aws:connect:us-east-1:XXX92XXX3XXX:instance/8XXXXXX9-1XXa-4XXf-bXXf-3XXXXXXXXX4",
"initiationMethod": "API",
"eventType": "INITIATED",
"campaign": {
"campaignId": "8b00b16f-b083-4a00-ae86-58332f524b2b"
}
}
}
In the end, after the time ended, it closed the journey with the message "Message Not Sent".
It should place outbound calls to the numbers added through the segment and then return the events, but somehow it doesn't work.

How to configure AWS Amplify build notifications to include commit/PR message?

I am using AWS amplify to host my react app. The source code is on GitHub.
I have a Lambda listening to AWS SNS that pushes a message to Slack to inform about the deployment status.
I want to achieve that the Slack notification includes PR name (or commit message if it was directly pushed to the branch instead of merging the PR).
I cannot find the commit message/PR name within the SNS message. Is it possible to retrieve this information?
The SNS event I get looks like:
{
"Records": [
{
"EventSource": "aws:sns",
"EventVersion": "1.0",
"EventSubscriptionArn": "arn:aws:sns:xx-central-x:xxxxxxx:amplify-xxxxxx_main:aaaaaaaa-2189-bbbb-8ca3-cccccccccccc",
"Sns": {
"Type": "Notification",
"MessageId": "aaaaaaaa-107b-bbbb-a47b-cccccccccccc",
"TopicArn": "arn:aws:sns:xx-central-x:001700307000:amplify-xxxxxx_main",
"Subject": null,
"Message": "\"Build notification from the AWS Amplify Console for app: https://main.xxxxx.amplifyapp.com/. Your build status is STARTED. Go to https://link.com to view details on your build. \"",
"Timestamp": "2021-08-05T08:36:37.919Z",
"SignatureVersion": "1",
"Signature": "DaPEZM6+WumrAg==",
"SigningCertUrl": "https://sns.xx-central-x.amazonaws.com/SimpleNotificationService-xxxxx.pem",
"UnsubscribeUrl": "https://sns.xx-central-x.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:xx-central-x:xxxxx:amplify-xxxxxx_main:aaaaaaaa-2189-bbbb-8ca3-cccccccccccc",
"MessageAttributes": {}
}
}
]
}

How do I use an SQS queue in one CloudFormation stack as a trigger to a lambda function in another CloudFormation stack?

What I did so far: I exported the Arn of the Queue and the QueueName from the stack where the queue is created and used them in the Events under the Lambda function which I want to trigger, and also defined the QueuePolicy in that stack to get the permissions to ReceiveMessage from the queue.
This approach works when I first build both stacks, but the next time I build, it disables the trigger under Lambda triggers in the SQS queue definition. I was never successful in seeing it as a trigger under the Lambda function.
Let me know what I'm doing wrong.
You can call the CloudFormation stack action (create/update/delete...) with the NotificationArns option.
This will send a message for each stack resource event, which then gives you the ability to trigger a Lambda.
The message follows this kind of payload:
{
"Records": [
{
"EventSource": "aws:sns",
"EventVersion": "1.0",
"EventSubscriptionArn": "arn:aws:sns:eu-west-1:12345678912:my-sns-topic:00000000-0000-0000-0000-000000000000",
"Sns": {
"Type": "Notification",
"MessageId": "00000000-0000-0000-0000-000000000000",
"TopicArn": "arn:aws:sns:eu-west-0:000000000000:my-sns-topic",
"Subject": "AWS CloudFormation Notification",
"Message": "
StackId='${STACK_ID}'\n
Timestamp='2018-01-01T00:00:00.000Z'\n
EventId='00000000-0000-0000-0000-000000000000'\n
LogicalResourceId='${STACK_NAME}'\n
Namespace='000000000000'\n
PhysicalResourceId='${STACK_ID}'\n
PrincipalId='ABCDEFGHIJKLMNOPQRSTU:1234567890123456789'\n
ResourceProperties='null'\n
ResourceStatus='${RESOURCE_STATUS}'\n
ResourceStatusReason=''\n
ResourceType='AWS::CloudFormation::Stack'\n
StackName='${STACK_NAME}'\n
ClientRequestToken='null'\n
",
"Timestamp": "2018-01-01T00:00:00.000Z",
"SignatureVersion": "1",
"Signature": "_",
"SigningCertUrl": "_",
"UnsubscribeUrl": "_",
"MessageAttributes": {}
}
}
]
}
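The NotificationArns message above also covers the first question on this page (running a Lambda when a stack creates a Security Group). An added example, not part of the answer, that parses the Key='value' body and only acts on a completed AWS::EC2::SecurityGroup creation; SAMPLE_MESSAGE and the ids in it are constructed placeholders.

```python
import re
from typing import Dict, Optional

# Constructed stack-event message in the Key='value' format shown above;
# the account, stack id and group id are placeholders.
SAMPLE_MESSAGE = (
    "StackId='arn:aws:cloudformation:eu-west-1:000000000000:stack/my-stack/00000000-0000-0000-0000-000000000000'\n"
    "LogicalResourceId='WebSecurityGroup'\n"
    "PhysicalResourceId='sg-0123456789abcdef0'\n"
    "ResourceProperties='{\"GroupDescription\":\"web tier\"}'\n"
    "ResourceStatus='CREATE_COMPLETE'\n"
    "ResourceStatusReason=''\n"
    "ResourceType='AWS::EC2::SecurityGroup'\n"
    "StackName='my-stack'\n"
)

LINE_RE = re.compile(r"^(\w+)='(.*)'$")


def parse_stack_event(message: str) -> Dict[str, str]:
    """Parse Key='value' lines into a dict; lines not in that shape are ignored."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def security_group_created(fields: Dict[str, str]) -> Optional[str]:
    """Group id for a finished AWS::EC2::SecurityGroup creation, else None."""
    # CREATE_IN_PROGRESS arrives before the group exists, and rollback/delete
    # events must not rewrite inbound rules, so only CREATE_COMPLETE qualifies.
    if fields.get("ResourceType") != "AWS::EC2::SecurityGroup":
        return None
    if fields.get("ResourceStatus") != "CREATE_COMPLETE":
        return None
    return fields.get("PhysicalResourceId") or None


def handler(event: Dict) -> Optional[str]:
    """Lambda entry point: the new group id to act on, or None to ignore the event."""
    for record in event.get("Records", []):
        sns = record.get("Sns", {})
        if record.get("EventSource") != "aws:sns" or sns.get("Subject") != "AWS CloudFormation Notification":
            continue
        group_id = security_group_created(parse_stack_event(sns["Message"]))
        if group_id:
            return group_id  # hand this to the existing rule-update code
    return None
```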

Publish AWS SNS message to Pagerduty

I have integrated PagerDuty with AWS CloudWatch and I am trying to publish a message manually to an SNS Topic that PagerDuty and email are subscribed to. But I am not able to get incidents in PagerDuty. However, CloudWatch alarms are triggering incidents in PagerDuty using this same topic.
I referred to some documentation for the PagerDuty message payload, but I was unable to make it work. My SNS message JSON is as follows:
{
"default":"test message",
"email":"test email message",
"https":{
"service_key":"XXXX",
"event_type":"trigger",
"description":"Example alert on host1.example.com"
}
}
It's not triggering an incident in PagerDuty. I am not sure what I am missing in the request body. I am receiving email messages properly from this same message body. Could someone point out the mistake?
Thanks in advance.
To do so, you must choose the Custom Event Transformer option for the PagerDuty integration. In the integration, you can write your own JavaScript code as follows:
var normalized_event = {
event_type: PD.Trigger,
description: "SNS Event",
details: PD.inputRequest
};
PD.emitGenericEvents([normalized_event]);
To parse the received payload from SNS, you can use:
var rawBody = PD.inputRequest.rawBody;
var obj = JSON.parse(unescape(rawBody));
Then handle obj according to your SNS message.
I believe PagerDuty's native AWS CloudWatch integration is opinionated, so a custom SNS message won't trigger an incident.
But PagerDuty has an inbound integration type that allows you to create a script using JS (ES5) to parse any custom message sent to this integration, which can then trigger an incident based on the logic of your script.
Docs on the Custom Event Transformer: https://v2.developer.pagerduty.com/docs/creating-an-integration-inline
I'm too late to answer this, but I'm still adding it: as #filipebarretto has suggested, we need to use the Custom Event Transformer for this type of integration.
Setup: ~ AWS Cloudwatch (RDS Metric) -> AWS SNS -> PagerDuty (CET)
I have successfully integrated AWS SNS with PagerDuty via a Custom Event Transformer:
var body = JSON.parse(PD.inputRequest.rawBody)
var message = body.NewStateReason
var normalized_event = {
event_type: PD.Trigger,
description: body.AlarmName,
details: message
};
PD.emitGenericEvents([normalized_event]);
The above code sends the incident description as AlarmName and the details as NewStateReason.
I tested with the sample event below as the SNS message, and it works fine.
{
"version": "0",
"id": "bba1bcef-5268-9967-8628-9a6d09e042e9",
"detail-type": "CloudWatch Alarm State Change",
"source": "aws.cloudwatch",
"account": "[Account ID]",
"time": "2020-11-17T06:25:42Z",
"region": "[region Id]",
"resources": [
"arn:aws:cloudwatch:[region Id]:[Account ID]:alarm:CPUUtilize"
],
"detail": {
"alarmName": "CPUUtilize",
"state": {
"value": "ALARM",
"reason": "Threshold Crossed: 1 out of the last 1 datapoints [4.314689265544354 (17/11/20 06:20:00)] was less than the threshold (70.0) (minimum 1 datapoint for OK -> ALARM transition).",
"reasonData": {
"version": "1.0",
"queryDate": "2020-11-17T06:25:42.491+0000",
"startDate": "2020-11-17T06:20:00.000+0000",
"statistic": "Average",
"period": 300,
"recentDatapoints": [
4.314689
],
"threshold": 70
},
"timestamp": "2020-11-17T06:25:42.493+0000"
},
"previousState": {
"value": "OK",
"reason": "Threshold Crossed: 1 out of the last 1 datapoints [4.484088172640544 (17/11/20 05:44:00)] was not greater than or equal to the threshold (70.0) (minimum 1 datapoint for ALARM -> OK transition).",
"reasonData": {
"version": "1.0",
"queryDate": "2020-11-17T05:49:53.688+0000",
"startDate": "2020-11-17T05:44:00.000+0000",
"statistic": "Average",
"period": 300,
"recentDatapoints": [
4.484088
],
"threshold": 70
},
"timestamp": "2020-11-17T05:49:53.691+0000"
},
"configuration": {
"description": "Alarm Notification in my local timezone",
"metrics": [
{
"id": "16baea70-421b-0a6e-f6f1-bc913d2bf647",
"metricStat": {
"metric": {
"namespace": "AWS/EC2",
"name": "CPUUtilization",
"dimensions": {
"InstanceId": "i-0e448XXXXXXXXXXXX"
}
},
"period": 300,
"stat": "Average"
},
"returnData": true
}
]
}
}
}
Taken from https://aws.amazon.com/blogs/mt/customize-amazon-cloudwatch-alarm-notifications-to-your-local-time-zone-part-1/
I am even later to the game here, but ...
How are you 'manually' sending the events? Did you check that the Policy on the SNS topic allows publishing of notifications from whichever service you are using to publish the events?
I had a similar issue with publishing notifications/events from AWS Backup. I had to add something like this to the Access Policy:
{
"Sid": "My-statement-id",
"Effect": "Allow",
"Principal": {
"Service": "backup.amazonaws.com"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:region:account-id:myTopic"
}

How to correctly configure Route53 HealthCheck Alarm with CF (in Sydney)

I've configured a Route53 HealthCheck with an associated alarm with CloudFormation, but the resulting healthcheck shows as having No alarms configured, and the alarms in the CloudWatch console remain dead. If I manually create the alarm in HealthChecks, everything works.
Worse, if I switch from Sydney/ap-southeast-2 and create the same CloudFormation stack in North Virginia/us-east-1, the alarm is correctly associated with the health check and everything works!
One more datapoint: when manually creating the alarm in Route53 HealthChecks, the alarm is created in us-east-1, despite Route53 being global and ap-southeast-1 being the default in all other consoles.
My simplified stack looks like this:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "healthcheck alarm test",
"Resources": {
"StatusHealthCheck": {
"Type": "AWS::Route53::HealthCheck",
"Properties": {
"HealthCheckConfig": {
"Port": "80",
"Type": "HTTP",
"ResourcePath": "/status",
"FullyQualifiedDomainName": "testdomain.com",
"RequestInterval": "30",
"FailureThreshold": "1"
},
"HealthCheckTags": [
{
"Key": "Name",
"Value": "status reachability check"
}
]
}
},
"StatusHealthCheckFailedAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"ActionsEnabled": "true",
"AlarmDescription": "alarmed when status doesn't respond",
"ComparisonOperator": "LessThanThreshold",
"EvaluationPeriods": "1",
"MetricName": "HealthCheckStatus",
"Namespace": "AWS/Route53",
"Period": "60",
"Statistic": "Minimum",
"Threshold": "1.0",
"Dimensions": [
{
"Name": "HealthCheckId",
"Value": {
"Ref": "StatusHealthCheck"
}
}
]
}
}
}
}
Is there any reason it should work in North Virginia but not in Sydney?
The CloudWatch metrics generated by the HealthCheck are only visible in the US-East region, as described at the bottom of this page: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-monitor-view-status.html. This is why your stack works correctly when created in us-east-1.
The task can only be achieved using a Lambda function because:
health check alarms can only be created in region us-east-1: https://stackoverflow.com/a/32335539/1714171
resources managed by a CloudFormation stack can only reside in the same region as the stack itself: https://stackoverflow.com/a/46165480/1714171
That means it is not possible using only pure CloudFormation syntax.
You can create an alarm with a lambda function like this:
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/cloudwatch-examples-creating-alarms.html#cloudwatch-examples-creating-alarms-putmetricalarm