Is there a way to get event information, specifically the ARN of the service causing the event, to a lambda function?
In my previous question, I asked for some help with using CloudWatch and CloudTrail to get the info. I think it was mostly just a misunderstanding of the rules, but now I'm concerned whether there is any way to make a generalized solution.
I know I could do it for a specific service successfully, but I wish to have a generalized rule to trigger the function. CloudWatch Logs or Events seem to be the right answer for this, but I'm no longer confident about that given my trouble with my CloudWatch CloudTrail rule.
Just to fully lay out my goal, I wish to have a lambda function trigger at the creation of any service and get access to that new service's ARN, so that I may do verification of the process.
Yes, it is possible; however, each event has different event properties, and you need to check where to get this information.
For example, if your lambda is triggered by CloudFormation, you can get the Stack Id (ARN) with event['StackId']:
{
  "StackId": "stackidarn",
  "ResponseURL": "http://pre-signed-S3-url-for-response",
  "ResourceProperties": {
    "StackName": "stack-name",
    "List": [
      "1",
      "2",
      "3"
    ]
  },
  "RequestType": "Create",
  "ResourceType": "Custom::TestResource",
  "RequestId": "unique id for this create request",
  "LogicalResourceId": "MyTestResource"
}
You can see details about each event generated at http://docs.aws.amazon.com/lambda/latest/dg/eventsources.html.
If you want to debug in real time to check the event content, you can use a tool like lambda-toolkit.
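As an added illustration (not part of the answer above), here is one handler that pulls the originating resource's ARN out of the three event shapes that come up on this page: the CloudFormation custom-resource request (top-level StackId), the native CloudWatch Events envelope (the resources list), and an "AWS API Call via CloudTrail" event, where the new resource's ARN, if any, sits inside detail.responseElements. The sample events are constructed; account ids, names and the SNS CreateTopic response are assumptions.

```python
import json
from typing import Any


def extract_arns(event: dict[str, Any]) -> list[str]:
    """Return the ARN(s) identifying the resource behind an event, or [] if none found."""
    # CloudFormation custom-resource request (the shape shown above): stack ARN is "StackId".
    if "StackId" in event and "RequestType" in event:
        return [event["StackId"]]
    # Native CloudWatch Events / EventBridge envelope: "resources" is a list of ARNs.
    arns = [r for r in event.get("resources", []) if r.startswith("arn:")]
    if arns:
        return arns
    # "AWS API Call via CloudTrail" events put the API response under detail.responseElements;
    # many Create* calls return the new resource's ARN somewhere in there, so walk it.
    return _find_arns(event.get("detail", {}).get("responseElements", {}))


def _find_arns(node: Any) -> list[str]:
    """Recursively collect string values that look like ARNs (responseElements may be null)."""
    if isinstance(node, str):
        return [node] if node.startswith("arn:") else []
    if isinstance(node, dict):
        return [a for v in node.values() for a in _find_arns(v)]
    if isinstance(node, list):
        return [a for v in node for a in _find_arns(v)]
    return []


def lambda_handler(event, context):
    arns = extract_arns(event)
    print(json.dumps({"source": event.get("source"), "arns": arns}))  # lands in CloudWatch Logs
    return {"arns": arns}


# Constructed sample events (account ids, stack id and names are made up).
CFN_EVENT = {
    "StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/demo/11111111-2222-3333-4444-555555555555",
    "RequestType": "Create", "ResourceType": "Custom::TestResource",
}
CLOUDTRAIL_EVENT = {
    "source": "aws.sns", "detail-type": "AWS API Call via CloudTrail", "resources": [],
    "detail": {"eventSource": "sns.amazonaws.com", "eventName": "CreateTopic",
               "responseElements": {"topicArn": "arn:aws:sns:us-east-1:111122223333:demo-topic"}},
}
EC2_EVENT = {
    "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
    "resources": ["arn:aws:ec2:us-west-1:123456789012:instance/i-1234567890abcdef0"],
    "detail": {"instance-id": "i-1234567890abcdef0", "state": "terminated"},
}
```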
I am trying to create a CloudFormation stack using AWS Events to trigger an API call on a schedule. Most of the stack is working; however, the AWS::Events::ApiConnection is failing to create and I am not sure why.
This is the CF snippet that is failing: (Note: the API doesn't have any authentication yet; however, CloudFormation requires the AuthParameters property)
"CronServerApiConnection": {
  "Type": "AWS::Events::Connection",
  "Properties": {
    "Name": "api-connection",
    "AuthorizationType": "API_KEY",
    "AuthParameters": {
      "ApiKeyAuthParameters": {
        "ApiKeyName": "foo",
        "ApiKeyValue": "bar"
      }
    }
  }
},
In the CloudFormation console this fails to create with the following error:
Resource handler returned message: "Error occurred during operation 'AWS::Events::Connection'." (RequestToken: xxxxxxxxxxxxxxxxx, HandlerErrorCode: GeneralServiceException)
I can't for the life of me figure this one out. From what I can see, my CF snippet matches exactly what AWS specifies in their docs here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.html
I ran into this issue myself a few weeks ago, and while looking for an answer I found this question unresolved, so I thought I would share the answer. The events API is not descriptive at all with any of the errors; in my case the issues were permissions related. While it is not clear in the documentation, the AWS::Events::Connection not only needs permissions for the events API but also for the secretsmanager API, since it will create some secrets for you under the hood. I solved this by adding full API permissions to the role creating the stack, but of course I scoped the permissions by resource to avoid security issues, something like:
effect: "Allow"
actions: [
  "events:*",
  "secretsmanager:*"
]
resources: [
  "arn:aws:secretsmanager:<your region>:<your-account-id>:secret:events!connection/<yoursecretnameprefix>-*"
]
I will leave the addition of the event resource to you, but essentially it is the same, just scoped by the ARN of your resource. The above is just an example; please replace the placeholders with the correct values.
So I wanted to create an EventBridge event pattern that would trigger my lambda for updating the ECS cluster LT AMIs to the latest one when this param updates. I tried using something like this:
{
  "source": ["aws.ssm"],
  "detail-type": ["Parameter Store Change"],
  "detail": {
    "operation": ["Update"],
    "name": ["/aws/service/ecs/optimized-ami/amazon-linux-2/recommended"]
  }
}
The problem is this never triggers.
Does anyone know how the event looks when this parameter gets updated?
I would also like to know, for events similar to this, where I could find the source events.
I had a hunch I could get it from the AWS CLI by describing past changes, but this doesn't work for public SSM params.
I expected the above event pattern to trigger my lambda when the /aws/service/ecs/optimized-ami/amazon-linux-2/recommended param gets changed.
CodeBuild is used to build a project from a repository and deploy it to S3. I want to pass data/information that is processed in CodeBuild to a CloudWatch event so that I can send the notification with that information for passed as well as failed builds. Is there a way to send data ($variables) processed in CodeBuild in a CloudWatch event rule, or any other way?
I have the rule, topic, and email working, but I see no way to pass any extra data beyond what is supplied by CodeBuild.
For example: I have some environment variables in CodeBuild and I need to send these as part of my notification, which will help me determine what value caused the build to fail.
You have to do this from within your CB as part of your buildspec.yml. If you are using SNS (I guess), then you can use the aws sns publish AWS CLI command as part of your CB procedure. This would also require you to add permissions to the CB role for the sns:publish action.
I'll start by saying that @Marcin's answer is totally correct, but it doesn't answer the "as well as failed build" part.
So for the first part, where you want to send the responses from the processed data, you need to either:
- publish to SNS directly from your buildspec (as @Marcin pointed out), or
- send an event to AWS EventBridge (aka CloudWatch Events) from your buildspec.
With regard to the second part of the question, where you want to catch the CodeBuild execution status, you can rely on the built-in notification events that are generated by CodeBuild itself:
{
  "source": [
    "aws.codebuild"
  ],
  "detail-type": [
    "CodeBuild Build State Change"
  ],
  "detail": {
    "build-status": [
      "IN_PROGRESS",
      "SUCCEEDED",
      "FAILED",
      "STOPPED"
    ],
    "project-name": [
      "my-demo-project-1",
      "my-demo-project-2"
    ]
  }
}
You can intercept the events for the whole build and for each phase separately if needed, and act upon them (whether you send to SNS, trigger a Lambda, or do something else is up to you).
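Both this answer and the SSM Parameter Store question above hinge on whether an event pattern actually matches the event that arrives. As an added example (not from any of the answers here), the function below re-implements the EventBridge exact-match rules, so a pattern can be checked against a sample event locally before a rule is deployed. The two patterns are copied from this page; the sample events are constructed, and account id, build id and the extra detail fields are assumptions.

```python
from typing import Any


def matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """True if `event` satisfies `pattern` under EventBridge exact-match rules:
    every pattern key must exist in the event, a list is the set of allowed values,
    and a nested object is matched recursively. Content filters such as {"prefix": ...}
    are deliberately not implemented (assumption: exact string matches only)."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif isinstance(allowed, list):
            values = value if isinstance(value, list) else [value]
            if not any(v in allowed for v in values):
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be a list or an object")
    return True


# The two patterns discussed on this page.
CODEBUILD_PATTERN = {
    "source": ["aws.codebuild"],
    "detail-type": ["CodeBuild Build State Change"],
    "detail": {"build-status": ["IN_PROGRESS", "SUCCEEDED", "FAILED", "STOPPED"],
               "project-name": ["my-demo-project-1", "my-demo-project-2"]},
}
SSM_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["Parameter Store Change"],
    "detail": {"operation": ["Update"],
               "name": ["/aws/service/ecs/optimized-ami/amazon-linux-2/recommended"]},
}

# Constructed sample events (account id, region and build id are made up).
CODEBUILD_FAILED = {
    "source": "aws.codebuild", "detail-type": "CodeBuild Build State Change",
    "account": "111122223333", "region": "us-east-1",
    "detail": {"build-status": "FAILED", "project-name": "my-demo-project-1",
               "build-id": "arn:aws:codebuild:us-east-1:111122223333:build/my-demo-project-1:EXAMPLE"},
}
SSM_UPDATE = {
    "source": "aws.ssm", "detail-type": "Parameter Store Change",
    "detail": {"operation": "Update", "type": "String",
               "name": "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended"},
}
```

If the matcher says a pattern matches an event of the shape you expect, the rule's JSON is not what stops it from firing; the next thing to verify is that the event is actually delivered to your account's default event bus in that region.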
I have a lambda which is triggered by a CloudWatch event when VPN tunnels are down or up. I searched online but can't find a way to trigger this CloudWatch event.
I see an option for a test event, but what can I enter in here for it to trigger an event that the tunnel is up or down?
You can look into CloudWatch Events and Event Patterns:
Events in Amazon CloudWatch Events are represented as JSON objects. For more information about JSON objects, see RFC 7159. The following is an example event:
{
  "version": "0",
  "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
  "detail-type": "EC2 Instance State-change Notification",
  "source": "aws.ec2",
  "account": "111122223333",
  "time": "2017-12-22T18:43:48Z",
  "region": "us-west-1",
  "resources": [
    "arn:aws:ec2:us-west-1:123456789012:instance/i-1234567890abcdef0"
  ],
  "detail": {
    "instance-id": "i-1234567890abcdef0",
    "state": "terminated"
  }
}
Also, to log based on an event, you can pick your required event from the AWS CW Event Types.
I believe in your scenario you don't need to pass any input data, as you must have built the logic to test the VPN tunnels' connectivity within the Lambda. You can remove that JSON from the test event and then run the test.
If you need to pass in some information as part of the input event, then follow the approach mentioned by @Adiii.
EDIT
The question is clearer through the comment, which says:
"But the question is how will I trigger the lambda? Let's say I want to trigger it when the tunnel is down? How will I let the lambda know the tunnel is in a down state?" – NoviceMe
This can be achieved by setting up a rule in CloudWatch to schedule the Lambda trigger at a periodic interval. More details here:
Tutorial: Schedule AWS Lambda Functions Using CloudWatch Events
Lambda does not have an invocation trigger right now that can monitor a VPN tunnel, so the only workaround is to poll the status through Lambda.
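As an added example of that polling workaround (not code from the answer above): a scheduled rule invokes the handler, the handler calls EC2 DescribeVpnConnections and reports every tunnel whose telemetry status is not UP, which is the point at which you would publish to SNS or raise an alarm. The EC2 client is injected so the logic can be exercised offline; FakeEc2, the VPN_CONNECTION_IDS environment variable and the sample response are constructed assumptions.

```python
import os
from typing import Any


def down_tunnels(response: dict[str, Any]) -> list[dict[str, str]]:
    """Flatten a DescribeVpnConnections response into the tunnels that are not UP.
    Each VPN connection has two tunnels, reported under VgwTelemetry."""
    down = []
    for conn in response.get("VpnConnections", []):
        for tunnel in conn.get("VgwTelemetry", []):
            if tunnel.get("Status") != "UP":
                down.append({
                    "vpn_connection_id": conn["VpnConnectionId"],
                    "outside_ip": tunnel.get("OutsideIpAddress", ""),
                    "status": tunnel.get("Status", "UNKNOWN"),
                    "status_message": tunnel.get("StatusMessage", ""),
                })
    return down


def check_vpn(ec2_client, vpn_ids: list[str]) -> dict[str, Any]:
    """Poll the given VPN connections (all of them when the list is empty)."""
    kwargs = {"VpnConnectionIds": vpn_ids} if vpn_ids else {}
    down = down_tunnels(ec2_client.describe_vpn_connections(**kwargs))
    return {"ok": not down, "down": down}


def lambda_handler(event, context):
    # Invoked by the scheduled rule; the scheduled-event payload itself is not needed.
    import boto3  # assumption: running in the Lambda runtime, where boto3 is present
    ids = [i for i in os.environ.get("VPN_CONNECTION_IDS", "").split(",") if i]
    return check_vpn(boto3.client("ec2"), ids)


class FakeEc2:
    """Stand-in for the boto3 EC2 client, returning a constructed response."""
    def describe_vpn_connections(self, **kwargs):
        return {"VpnConnections": [{
            "VpnConnectionId": "vpn-0123456789abcdef0",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": "IPSEC IS UP"},
                {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN"},
            ],
        }]}
```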
I am using a CloudWatch scheduled event to trigger my lambda function after a specific time interval. I would like to use a CloudFormation template to add this rule in CloudWatch. I have gone through the CloudFormation templates documentation but I am not able to find a way to configure events using a CloudFormation template. Can anyone please suggest how to implement it using a CloudFormation template?
I am using the template below.
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Provision environment specific",
  "Resources": {
    "lambdaScheduler": {
      "Type": "AWS::CloudWatch::Event",
      "Properties": {
        "detail-type": "Scheduled Event",
        "source": "aws.events",
        "name": "TEST_EVENT_10_MINS_RULE",
        "schedule-expression": "rate(5 minutes)"
      }
    }
  }
}
I am getting the error A client error (ValidationError) occurred when calling the ValidateTemplate operation: Template format error: Unrecognized resource type: AWS::CloudWatch::Event when I validate it using the AWS CLI.
Adding CloudWatch event rules and schedules is now available; see https://aws.amazon.com/about-aws/whats-new/2016/04/amazon-cloudwatch-events-now-supported-in-aws-cloudformation-templates/
I am pretty sure the CloudWatch Event is yet to be exposed via the CloudFormation API. There is normally some lag between new features in AWS and their being implemented/exposed by the CloudFormation team.
Here is the list of resources currently available via CloudFormation. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
As one can see, there is only one resource in the CloudWatch namespace.
Have you tried laying out your design in the CloudFormation Designer? It only creates stub code for each element, but it validates the overall design. You then have to transfer the outline code to an editor to do the real work, but it should avoid the error you quoted.
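As an added example (not from the question or either answer), this generates the two resources the template above was reaching for, now that the feature exists: the schedule goes on an AWS::Events::Rule with a ScheduleExpression and a Lambda target, and the function needs an AWS::Lambda::Permission scoped to that rule's ARN before EventBridge may invoke it. The rule name, rate and description are taken from the question; the function's logical id (MyFunction) is an assumption, as the template above did not include the function.

```python
import json
import re

# rate(N unit) or cron(...): the only two forms ScheduleExpression accepts.
SCHEDULE_RE = re.compile(r"^(rate\(\d+ (minute|minutes|hour|hours|day|days)\)|cron\(.+\))$")


def is_valid_schedule(expr: str) -> bool:
    return SCHEDULE_RE.match(expr) is not None


def scheduled_lambda_resources(rule_name: str, schedule: str, function_logical_id: str) -> dict:
    """Resources entries for a scheduled rule targeting the AWS::Lambda::Function whose
    logical id is `function_logical_id` in the same template."""
    if not is_valid_schedule(schedule):
        raise ValueError(f"not a valid ScheduleExpression: {schedule!r}")
    rule_id = "lambdaScheduler"
    return {
        rule_id: {
            "Type": "AWS::Events::Rule",
            "Properties": {
                "Name": rule_name,
                "ScheduleExpression": schedule,
                "State": "ENABLED",
                "Targets": [{"Id": "TargetFunction",
                             "Arn": {"Fn::GetAtt": [function_logical_id, "Arn"]}}],
            },
        },
        "lambdaSchedulerPermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Ref": function_logical_id},
                "Principal": "events.amazonaws.com",
                # SourceArn pins the grant to this one rule, so no other rule or account
                # that can reach the events principal gets to invoke the function.
                "SourceArn": {"Fn::GetAtt": [rule_id, "Arn"]},
            },
        },
    }


def render_template(function_logical_id: str = "MyFunction", schedule: str = "rate(5 minutes)") -> str:
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Provision environment specific",
        "Resources": scheduled_lambda_resources("TEST_EVENT_10_MINS_RULE", schedule, function_logical_id),
    }
    return json.dumps(template, indent=2)
```

The output is the Resources section only; the AWS::Lambda::Function with logical id MyFunction has to exist in the same template for the Ref and Fn::GetAtt to resolve.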