# S3 Lambda Lab

### Introduction

In this lesson, we'll practice creating buckets and objects, and then reading data from those buckets and objects.  Let's get started.

### Migrate to lambda

The first thing we should do is look at the code that we will be moving to s3.  

* Notice that in the `index.py` file we wrapped our code in a function called `lambda_handler`.  This is the function that will ultimately be executed when we move this to lambda.  
* Remember that the way that this code worked is that we created requested some json from the api, then stored this data in a file, and then saved this file on a directory in our computer.  When we copy this code into our lambda function on AWS, we will have to create file on the computer that is running our lambda function.  AWS allows us to do this, but we have to store that file in a directory called `/tmp`.  So to accomplish this, we pass the variable of `"/tmp"` to our `build_files_dir_names` function (see the middle of the `index.py` file).  

You can see the result of this by just running the `build_files_dir_names` function:

<img src="./files-dirs.png" width="100%">


So you can see above the directory where the file will be stored with `full_dir_path`, and the full file path to the local file with `path_prefix_file_name`.

Ok, now before moving this code over to our lambda function, let's make sure that our code works locally.  To do this, set the `bucket_name` to the correct variable, and we can uncomment the last line of the `index.py` file:

```python
# bucket_data = lambda_handler({}, {})
```

And then just run `python3 index.py`.

From there, confirm that the file is in your s3 bucket.

> So above, it's in the proper folder.

<img src="./receipts-file.png" width="70%">

### Migrating to lambda

Ok, so now it's time for you to create a new lambda function, and move the code over there.

<img src="./migrated-code.png" width="70%">

> Notice that we created files for `s3_client.py` and `drinks_api_client.py`, and copied the respective code into there.

Then create a `Test` event and confirm that calling the lambda function results in a new json file being uploaded to the s3 bucket.  (Unfortunately, it won't).

<img src="./access-denied.png" width="100%">

Take a look at the error message, it says that when trying to upload the file, `when calling the PutObject operation: Access Denied`.

Ok, sounds like a permission problem.  So the issue is that our lambda function needs permission to access s3.  Let's take care of that.

### Setting our S3 permissions

Ok, so the best way to set the permissions is to consult [the documentation](https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html).

Skip down the permissions policy section.  Move through the steps of opening the policies page, and creating a policy, and then pasting the policy into inline json.  (To do this click on the Json tab on the top right).

Then paste in the following.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogGroup",
                "logs:CreateLogStream"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::*/*"
        }
    ]
}
```

> We updated this from the documentation to not only grant the `s3:GetObject` permission, but also the `s3:PutObject` permission.

Before moving on, make sure we understand the permissions.  There is a separate dictionary for each policy we are granting access to -- the first is cloudwatch logs -- and the second is s3.  Then we are allowing the `Action`s of `GetObject` and `PutObect`.  For the resource, we are specifying access to any s3 bucket, but could be more specific.  

From there, after clicking `next`, we can confirm that we have both `Read` and `Write` permissions on s3, and write permissions to cloudwatch.

<img src="./confirm-permissions.png" width="70%">

Then move through the steps of `creating an execution role` that you see in the documentation.

So here, you should see that the Principal -- which is what is given the permissions -- is Lambda, and below that these permissions are specified in the attached Policy that we just created.

<img src="./select-trusted.png" width="70%">

So then we can click on create role.

Now that we have created a role, with a policy that has the proper permissions, the next step is to attach this role to our lambda function.

So go to the lambda function, and click on the `configuration` tab, go to the `Execution role` at the top.  

<img src="./edit-execution-role.png" width="100%">

And click on `Edit`, make sure `Use an existing role` is set, and then select the role you just created.

<img src="./use-existing-role.png">

Click save and confirm that the execution role has been updated.

Ok, so now it's time to check if we can upload a json file to s3.  Test your lambda function again.  This time, we should see the file that was created outputted.  And we should also be able to go to our s3 bucket where the file was uploaded to.  

> If there is an error, see if the error occurs locally to identify if it is a problem with your code, or with something realted to working in your lambda function.

### Setting up eventbridge

Ok, now that we have our lamba function working by calling it with a test event.  Let's use the eventbridge scheduler so that we make a request to the API every minute, and also write a new file to our s3 bucket every minute.  

Remember that to accomplish this, we'll need to move through a few different steps.

First we need to create our cloudwatch rule:

```bash
aws events put-rule --name run-each-minute --schedule-expression 'rate(1 minute)'
```
And then added a lambda permission to accept events created by the rule.
```bash
aws lambda add-permission \
--function-name testfunction \
--action 'lambda:InvokeFunction' \
--statement-id scheduled-event \
--principal events.amazonaws.com \
--source-arn arn:aws:events:us-east-1:086729879076:rule/run-each-minute
```

Finally, we create a `targets.json` file:
```json
[
  {
    "Id": "1", 
    "Arn": "arn:aws:lambda:us-east-1:086729879076:function:testfunction",
    "Input": "{\"key\":\"value\"}"
  }
]
```

And then used it to set our lambda function as a target of the rule:

```bash
aws events put-targets --rule run-each-minute --targets file://targets.json
```

From here, we can confirm that our eventbridge rule is targetting our lambda function, and our lambda is receiving events from the rule, which is leading it to call the api and save a new file to s3 each minute.

### Summary

Ok, that's it.  After taking a break, review the steps that you went through above to setting up this pipeline.