diff --git a/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md b/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md index 7583722384..789889dbd0 100644 --- a/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md +++ b/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md @@ -79,6 +79,12 @@ The Workshop Directory `lambda` is a repository that contains all the configurat ### AWS & Terraform Variables #### AWS + +> Note to the workshop instructor: create a new user in the target AWS account called `lambda-workshop-user`. +> Ensure it has full permissions to perform the required actions via Terraform. Create an access token for the `lambda-workshop-user` +> user and share the Access Key ID and Secret Access Key with the workshop participants. Delete the user +> when the workshop is complete. + The AWS CLI requires that you have credentials to be able to access and manage resources deployed by their services. Both Terraform and the Python scripts in this workshop require these variables to perform their tasks. - Configure the **awscli** with the _**access key ID**_, _**secret access key**_ and _**region**_ for this workshop: 
@@ -98,10 +104,24 @@ The AWS CLI requires that you have credentials to be able to access and manage r aws configure ``` -> Note to the workshop instructor: create a new user in the target AWS account called `lambda-workshop-user`. -> Ensure it has full permissions to perform the required actions via Terraform. Create an access token for the `lambda-workshop-user` -> user and share the Access Key ID and Secret Access Key with the workshop participants. Delete the user -> when the workshop is complete. +#### Create an IAM Role (Workshop Instructor Only) + +> Note to the workshop instructor: This step only needs to be completed once, as the IAM role created +> in this step will be shared by all workshop participants: + +``` bash +cd ~/workshop/lambda/iam_role +terraform init +terraform plan +terraform apply +``` + +> Note to the workshop instructor: After the workshop is complete, cleanup the role as follows: + +``` bash +cd ~/workshop/lambda/iam_role +terraform destroy +``` #### Terraform Terraform supports the passing of variables to ensure sensitive or dynamic data is not hard-coded in your .tf configuration files, as well as to make those values reusable throughout your resource definitions. diff --git a/workshop/lambda/auto/main.tf b/workshop/lambda/auto/main.tf index 0955806395..b11d814a19 100644 --- a/workshop/lambda/auto/main.tf +++ b/workshop/lambda/auto/main.tf 
@@ -10,48 +10,10 @@ provider "aws" { # Get IAM Role -data "aws_caller_identity" "current" {} -resource "aws_iam_role" "lambda_kinesis" { +data "aws_iam_role" "lambda_kinesis" { name = "lambda_kinesis" - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - Service = "lambda.amazonaws.com" - } - } - ] - }) -} -resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" { - role = aws_iam_role.lambda_kinesis.name - policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess" } -resource "aws_iam_policy" "lambda_cloudwatch_logs" { - name = "LambdaCloudWatchLogsCustomPolicy" - policy = jsonencode({ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": "*" - } - ] - }) -} - -resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" { - role = aws_iam_role.lambda_kinesis.name - policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn -} # Create S3 Bucket, Ownership, ACL resource "aws_s3_bucket" "lambda_bucket" { @@ -119,7 +81,7 @@ resource "aws_lambda_function" "lambda_producer" { source_code_hash = data.archive_file.producer_app.output_base64sha256 - role = aws_iam_role.lambda_kinesis.arn + role = data.aws_iam_role.lambda_kinesis.arn environment { variables = { @@ -148,7 +110,7 @@ resource "aws_lambda_function" "lambda_consumer" { source_code_hash = data.archive_file.consumer_app.output_base64sha256 - role = aws_iam_role.lambda_kinesis.arn + role = data.aws_iam_role.lambda_kinesis.arn environment { variables = { diff --git a/workshop/lambda/iam_role/main.tf b/workshop/lambda/iam_role/main.tf new file mode 100644 index 0000000000..5832943873 --- /dev/null +++ b/workshop/lambda/iam_role/main.tf 
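Review bot: `data "aws_iam_role" "lambda_kinesis"` now resolves the execution role by bare name at plan time, so a participant who runs this root module before the instructor has applied `../iam_role` gets a generic not-found error from the data source, and nothing in this file says where the role is supposed to come from. Because the role is managed in a separate root module, Terraform also no longer tracks the dependency between it and the two `aws_lambda_function` resources below, so an instructor `terraform destroy` in `iam_role` while participant functions still exist will presumably leave them with a dangling role ARN and failing invocations rather than being blocked. A comment on the data source would carry both facts: `# Looked up, not managed here: the shared execution role is created once by ../iam_role (instructor step) and must exist before plan; destroy it only after every participant has torn down their functions.` The `resource "aws_s3_bucket" "lambda_bucket"` block that closes this hunk continues outside it.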
@@ -0,0 +1,54 @@
+provider "aws" {
+ region = "us-east-1"
+
+ default_tags {
+ tags = {
+ o11y-workshop = "lambda-tracing"
+ }
+ }
+}
+
+
+# Create IAM Role
+data "aws_caller_identity" "current" {}
+resource "aws_iam_role" "lambda_kinesis" {
+ name = "lambda_kinesis"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "lambda.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
+resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
+ role = aws_iam_role.lambda_kinesis.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
+}
+
+resource "aws_iam_policy" "lambda_cloudwatch_logs" {
+ name = "LambdaCloudWatchLogsCustomPolicy"
+ policy = jsonencode({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Resource": "*"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
+ role = aws_iam_role.lambda_kinesis.name
+ policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
+}
\ No newline at end of file
diff --git a/workshop/lambda/iam_role/outputs.tf b/workshop/lambda/iam_role/outputs.tf
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/workshop/lambda/iam_role/terraform.tf b/workshop/lambda/iam_role/terraform.tf
new file mode 100644
index 0000000000..ac9c3e5ad5
--- /dev/null
+++ b/workshop/lambda/iam_role/terraform.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.38.0"
+ }
+ archive = {
+ source = "hashicorp/archive"
+ version = "~> 2.4.2"
+ }
+ }
+
+ required_version = "~> 1.2"
+}
+
diff --git a/workshop/lambda/iam_role/variables.tf b/workshop/lambda/iam_role/variables.tf
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/workshop/lambda/manual/main.tf b/workshop/lambda/manual/main.tf
index 0955806395..b11d814a19 100644
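Review bot: The shared execution role created by `resource "aws_iam_role" "lambda_kinesis"` is given `arn:aws:iam::aws:policy/AmazonKinesisFullAccess`, which allows every Kinesis action on every stream in the account, and because this role is now provisioned once and reused by every participant's Lambdas it outlives any single participant's apply. The functions visible in this diff are a producer and a consumer: the consumer's event source mapping needs only the describe/read actions contained in AWS's managed `AWSLambdaKinesisExecutionRole`, and the producer presumably needs only `kinesis:PutRecord`/`kinesis:PutRecords` (the function code is not in this diff, so confirm against it). Swapping the managed policy and adding a put-only inline policy scoped to streams in this account removes the account-wide grant and finally uses `data "aws_caller_identity" "current"`, which is declared in this file but never referenced. `AWSLambdaKinesisExecutionRole` also carries `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents`, so the hand-written `LambdaCloudWatchLogsCustomPolicy` (which omits `CreateLogGroup`, leaving log-group creation to something outside this diff) becomes redundant and can be dropped.

```hcl
# … unchanged: provider block, data "aws_caller_identity" "current", resource "aws_iam_role" "lambda_kinesis" …

# Read side for the consumer's Kinesis event source mapping; this managed policy also grants the
# CloudWatch Logs actions (including logs:CreateLogGroup), so the custom logs policy below is no longer needed.
resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
  role       = aws_iam_role.lambda_kinesis.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole"
}

# Write side for the producer, limited to streams in this account and region.
# Stream names are created by ../auto and ../manual and are not known here, hence the wildcard name;
# tighten to the workshop stream name if it is fixed. Verify the action list against the producer code.
resource "aws_iam_role_policy" "lambda_kinesis_put" {
  name = "LambdaKinesisPutRecords"
  role = aws_iam_role.lambda_kinesis.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["kinesis:PutRecord", "kinesis:PutRecords"]
        Resource = "arn:aws:kinesis:us-east-1:${data.aws_caller_identity.current.account_id}:stream/*"
      }
    ]
  })
}

# … unchanged: resource "aws_iam_policy" "lambda_cloudwatch_logs" and its attachment (now redundant) …
```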
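Review bot: `required_providers` in the new `iam_role/terraform.tf` pins `hashicorp/archive ~> 2.4.2`, but nothing in `iam_role/main.tf` declares an `archive_file` data source; the entry looks copied from the `auto`/`manual` root modules where the Lambda zips are built. Dropping the `archive = { … }` block keeps `terraform init` from resolving and downloading a provider this module never uses and keeps the lock file for the instructor-only module minimal.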
--- a/workshop/lambda/manual/main.tf +++ b/workshop/lambda/manual/main.tf @@ -10,48 +10,10 @@ provider "aws" { # Get IAM Role -data "aws_caller_identity" "current" {} -resource "aws_iam_role" "lambda_kinesis" { +data "aws_iam_role" "lambda_kinesis" { name = "lambda_kinesis" - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - Service = "lambda.amazonaws.com" - } - } - ] - }) -} -resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" { - role = aws_iam_role.lambda_kinesis.name - policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess" } -resource "aws_iam_policy" "lambda_cloudwatch_logs" { - name = "LambdaCloudWatchLogsCustomPolicy" - policy = jsonencode({ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": "*" - } - ] - }) -} - -resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" { - role = aws_iam_role.lambda_kinesis.name - policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn -} # Create S3 Bucket, Ownership, ACL resource "aws_s3_bucket" "lambda_bucket" { @@ -119,7 +81,7 @@ resource "aws_lambda_function" "lambda_producer" { source_code_hash = data.archive_file.producer_app.output_base64sha256 - role = aws_iam_role.lambda_kinesis.arn + role = data.aws_iam_role.lambda_kinesis.arn environment { variables = { @@ -148,7 +110,7 @@ resource "aws_lambda_function" "lambda_consumer" { source_code_hash = data.archive_file.consumer_app.output_base64sha256 - role = aws_iam_role.lambda_kinesis.arn + role = data.aws_iam_role.lambda_kinesis.arn environment { variables = {
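Review bot: This hunk also deletes `data "aws_caller_identity" "current" {}` from manual/main.tf, and nothing in the visible hunks references `data.aws_caller_identity.current`, but the `resource "aws_s3_bucket" "lambda_bucket"` block that closes the first hunk continues outside it, so an account-id-derived bucket name or policy there would now fail `terraform validate`; confirm with a validate run before merging. The pre- and post-change blob hashes (`0955806395..b11d814a19`) are the same as for auto/main.tf, so the two files are byte-identical and any follow-up to the role lookup (a comment such as `# Looked up, not managed here: created once by ../iam_role (instructor step)`) should be applied to both, or the shared IAM lookup moved into a module both roots call.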