From 92f9a5a59e23a50284c4c9036c015f09dbb474d3 Mon Sep 17 00:00:00 2001
From: dmitchsplunk
Date: Tue, 8 Jul 2025 16:56:26 -0700
Subject: [PATCH 1/2] updated iam role logic used by lambda workshop
---
 .../6-lambda-kinesis/1-setup.md | 19 +++++++
 workshop/lambda/auto/main.tf | 40 +-------------
 workshop/lambda/iam_role/main.tf | 54 +++++++++++++++++++
 workshop/lambda/iam_role/outputs.tf | 0
 workshop/lambda/iam_role/terraform.tf | 15 ++++++
 workshop/lambda/iam_role/variables.tf | 0
 workshop/lambda/manual/main.tf | 40 +-------------
 7 files changed, 90 insertions(+), 78 deletions(-)
 create mode 100644 workshop/lambda/iam_role/main.tf
 create mode 100644 workshop/lambda/iam_role/outputs.tf
 create mode 100644 workshop/lambda/iam_role/terraform.tf
 create mode 100644 workshop/lambda/iam_role/variables.tf
diff --git a/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md b/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md
index 7583722384..bafd4dc922 100644
--- a/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md
+++ b/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md
@@ -8,6 +8,25 @@ weight: 1
 ## Prerequisites
+### Note to Workshop Instructor
+
+This step only needs to be completed once, as the IAM role created
+in this step will be shared by all workshop participants:
+
+``` bash
+cd ~/workshop/lambda/iam_role
+terraform init
+terraform plan
+terraform apply
+```
+
+After the workshop is complete, cleanup the role as follows:
+
+``` bash
+cd ~/workshop/lambda/iam_role
+terraform destroy
+```
+
 ### Observability Workshop Instance
 The Observability Workshop uses the `Splunk4Ninjas - Observability` workshop template in Splunk Show, which provides a pre-configured EC2 instance running Ubuntu.
diff --git a/workshop/lambda/auto/main.tf b/workshop/lambda/auto/main.tf
index 0955806395..fde19af62f 100644
--- a/workshop/lambda/auto/main.tf
+++ b/workshop/lambda/auto/main.tf
@@ -10,48 +10,10 @@ provider "aws" {
 # Get IAM Role
-data "aws_caller_identity" "current" {}
-resource "aws_iam_role" "lambda_kinesis" {
+data "aws_iam_role" "lambda_kinesis" {
 name = "lambda_kinesis"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Principal = {
- Service = "lambda.amazonaws.com"
- }
- }
- ]
- })
-}
-resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
- role = aws_iam_role.lambda_kinesis.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
 }
-resource "aws_iam_policy" "lambda_cloudwatch_logs" {
- name = "LambdaCloudWatchLogsCustomPolicy"
- policy = jsonencode({
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogStream",
- "logs:PutLogEvents"
- ],
- "Resource": "*"
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
- role = aws_iam_role.lambda_kinesis.name
- policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
-}
 # Create S3 Bucket, Ownership, ACL
 resource "aws_s3_bucket" "lambda_bucket" {
diff --git a/workshop/lambda/iam_role/main.tf b/workshop/lambda/iam_role/main.tf
new file mode 100644
index 0000000000..5832943873
--- /dev/null
+++ b/workshop/lambda/iam_role/main.tf
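Review bot: The new `data "aws_iam_role" "lambda_kinesis"` block resolves the role by the hard-coded name `lambda_kinesis` alone, so whatever role of that name exists in the target account is accepted, whether or not it is the one provisioned from `workshop/lambda/iam_role` with the expected trust policy and attachments, and the two stacks share no state or output that would tie them together. A `lifecycle` postcondition on the data source (Terraform 1.2+, which `iam_role/terraform.tf` already pins; this directory's version constraint is outside the hunk) that checks the returned `assume_role_policy` trusts `lambda.amazonaws.com` turns a wrong or stale role into a plan-time error rather than a silent mis-deploy. The removed `data "aws_caller_identity" "current"` block should be checked for remaining references in the rest of the file, which lies outside this hunk. The identical hunk in `workshop/lambda/manual/main.tf` has the same point.

```terraform
data "aws_iam_role" "lambda_kinesis" {
  name = "lambda_kinesis"

  lifecycle {
    postcondition {
      condition     = can(regex("lambda\\.amazonaws\\.com", self.assume_role_policy))
      error_message = "Role lambda_kinesis is not the workshop role; apply workshop/lambda/iam_role first."
    }
  }
}
# … unchanged: S3 bucket, ownership and ACL resources …
```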
@@ -0,0 +1,54 @@
+provider "aws" {
+ region = "us-east-1"
+
+ default_tags {
+ tags = {
+ o11y-workshop = "lambda-tracing"
+ }
+ }
+}
+
+
+# Create IAM Role
+data "aws_caller_identity" "current" {}
+resource "aws_iam_role" "lambda_kinesis" {
+ name = "lambda_kinesis"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "lambda.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
+resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
+ role = aws_iam_role.lambda_kinesis.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
+}
+
+resource "aws_iam_policy" "lambda_cloudwatch_logs" {
+ name = "LambdaCloudWatchLogsCustomPolicy"
+ policy = jsonencode({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Resource": "*"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
+ role = aws_iam_role.lambda_kinesis.name
+ policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
+}
\ No newline at end of file
diff --git a/workshop/lambda/iam_role/outputs.tf b/workshop/lambda/iam_role/outputs.tf
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/workshop/lambda/iam_role/terraform.tf b/workshop/lambda/iam_role/terraform.tf
new file mode 100644
index 0000000000..ac9c3e5ad5
--- /dev/null
+++ b/workshop/lambda/iam_role/terraform.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.38.0"
+ }
+ archive = {
+ source = "hashicorp/archive"
+ version = "~> 2.4.2"
+ }
+ }
+
+ required_version = "~> 1.2"
+}
+
diff --git a/workshop/lambda/iam_role/variables.tf b/workshop/lambda/iam_role/variables.tf
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/workshop/lambda/manual/main.tf b/workshop/lambda/manual/main.tf
index 0955806395..fde19af62f 100644
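Review bot: The `lambda_cloudwatch_logs` policy grants `logs:CreateLogStream` and `logs:PutLogEvents` on `"Resource": "*"`, and the same role also carries the `AmazonKinesisFullAccess` managed policy, so the one role shared by every participant's producer and consumer functions can write into any log group and administer any Kinesis stream in the account. The `data "aws_caller_identity" "current"` declared just above is otherwise unused and is enough to scope the logs statement, e.g. `"Resource": "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*:*"`, and an inline statement limited to the stream actions the functions actually use could replace the managed policy. Separately, `logs:CreateLogGroup` is not granted, so unless the functions' log groups are created elsewhere Lambda cannot create them on first invocation. The file also ends without a trailing newline.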
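Review bot: `required_providers` in the new `terraform.tf` declares `archive` (`hashicorp/archive ~> 2.4.2`), but nothing in `workshop/lambda/iam_role/main.tf` uses an `archive_file` data source or any other archive resource, so `terraform init` fetches a provider this directory never needs. Drop the `archive` block, or if it was kept on purpose to mirror the `auto`/`manual` directories, say so in a comment such as `# archive is unused here; kept in step with auto/ and manual/`. The `outputs.tf` created alongside is empty; exporting `aws_iam_role.lambda_kinesis.arn` from it would make the other stacks' dependency on this directory explicit, since they currently find the role by name only.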
--- a/workshop/lambda/manual/main.tf
+++ b/workshop/lambda/manual/main.tf
@@ -10,48 +10,10 @@ provider "aws" {
 # Get IAM Role
-data "aws_caller_identity" "current" {}
-resource "aws_iam_role" "lambda_kinesis" {
+data "aws_iam_role" "lambda_kinesis" {
 name = "lambda_kinesis"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Principal = {
- Service = "lambda.amazonaws.com"
- }
- }
- ]
- })
-}
-resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
- role = aws_iam_role.lambda_kinesis.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
 }
-resource "aws_iam_policy" "lambda_cloudwatch_logs" {
- name = "LambdaCloudWatchLogsCustomPolicy"
- policy = jsonencode({
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogStream",
- "logs:PutLogEvents"
- ],
- "Resource": "*"
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
- role = aws_iam_role.lambda_kinesis.name
- policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
-}
 # Create S3 Bucket, Ownership, ACL
 resource "aws_s3_bucket" "lambda_bucket" {
From 4509be50b3dd92e209d881c0bc7a36f027df2cca Mon Sep 17 00:00:00 2001
From: dmitchsplunk
Date: Tue, 8 Jul 2025 17:34:44 -0700
Subject: [PATCH 2/2] fixed iam role issues with lambda workshop
---
 .../6-lambda-kinesis/1-setup.md | 47 ++++++++++---------
 workshop/lambda/auto/main.tf | 4 +-
 workshop/lambda/manual/main.tf | 4 +-
 3 files changed, 28 insertions(+), 27 deletions(-)
diff --git a/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md b/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md
index bafd4dc922..789889dbd0 100644
--- a/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md
+++ b/content/en/ninja-workshops/6-lambda-kinesis/1-setup.md
@@ -8,25 +8,6 @@ weight: 1
 ## Prerequisites
-### Note to Workshop Instructor
-
-This step only needs to be completed once, as the IAM role created
-in this step will be shared by all workshop participants:
-
-``` bash
-cd ~/workshop/lambda/iam_role
-terraform init
-terraform plan
-terraform apply
-```
-
-After the workshop is complete, cleanup the role as follows:
-
-``` bash
-cd ~/workshop/lambda/iam_role
-terraform destroy
-```
-
 ### Observability Workshop Instance
 The Observability Workshop uses the `Splunk4Ninjas - Observability` workshop template in Splunk Show, which provides a pre-configured EC2 instance running Ubuntu.
@@ -98,6 +79,12 @@ The Workshop Directory `lambda` is a repository that contains all the configurat
 ### AWS & Terraform Variables
 #### AWS
+
+> Note to the workshop instructor: create a new user in the target AWS account called `lambda-workshop-user`.
+> Ensure it has full permissions to perform the required actions via Terraform. Create an access token for the `lambda-workshop-user`
+> user and share the Access Key ID and Secret Access Key with the workshop participants. Delete the user
+> when the workshop is complete.
+
 The AWS CLI requires that you have credentials to be able to access and manage resources deployed by their services. Both Terraform and the Python scripts in this workshop require these variables to perform their tasks.
 - Configure the **awscli** with the _**access key ID**_, _**secret access key**_ and _**region**_ for this workshop:
@@ -117,10 +104,24 @@ The AWS CLI requires that you have credentials to be able to access and manage r
 aws configure
 ```
-> Note to the workshop instructor: create a new user in the target AWS account called `lambda-workshop-user`.
-> Ensure it has full permissions to perform the required actions via Terraform. Create an access token for the `lambda-workshop-user`
-> user and share the Access Key ID and Secret Access Key with the workshop participants. Delete the user
-> when the workshop is complete.
+#### Create an IAM Role (Workshop Instructor Only)
+
+> Note to the workshop instructor: This step only needs to be completed once, as the IAM role created
+> in this step will be shared by all workshop participants:
+
+``` bash
+cd ~/workshop/lambda/iam_role
+terraform init
+terraform plan
+terraform apply
+```
+
+> Note to the workshop instructor: After the workshop is complete, cleanup the role as follows:
+
+``` bash
+cd ~/workshop/lambda/iam_role
+terraform destroy
+```
 #### Terraform
 Terraform supports the passing of variables to ensure sensitive or dynamic data is not hard-coded in your .tf configuration files, as well as to make those values reusable throughout your resource definitions.
diff --git a/workshop/lambda/auto/main.tf b/workshop/lambda/auto/main.tf
index fde19af62f..b11d814a19 100644
--- a/workshop/lambda/auto/main.tf
+++ b/workshop/lambda/auto/main.tf
@@ -81,7 +81,7 @@ resource "aws_lambda_function" "lambda_producer" {
 source_code_hash = data.archive_file.producer_app.output_base64sha256
- role = aws_iam_role.lambda_kinesis.arn
+ role = data.aws_iam_role.lambda_kinesis.arn
 environment {
 variables = {
@@ -110,7 +110,7 @@ resource "aws_lambda_function" "lambda_consumer" {
 source_code_hash = data.archive_file.consumer_app.output_base64sha256
- role = aws_iam_role.lambda_kinesis.arn
+ role = data.aws_iam_role.lambda_kinesis.arn
 environment {
 variables = {
diff --git a/workshop/lambda/manual/main.tf b/workshop/lambda/manual/main.tf
index fde19af62f..b11d814a19 100644
--- a/workshop/lambda/manual/main.tf
+++ b/workshop/lambda/manual/main.tf
@@ -81,7 +81,7 @@ resource "aws_lambda_function" "lambda_producer" {
 source_code_hash = data.archive_file.producer_app.output_base64sha256
- role = aws_iam_role.lambda_kinesis.arn
+ role = data.aws_iam_role.lambda_kinesis.arn
 environment {
 variables = {
@@ -110,7 +110,7 @@ resource "aws_lambda_function" "lambda_consumer" {
 source_code_hash = data.archive_file.consumer_app.output_base64sha256
- role = aws_iam_role.lambda_kinesis.arn
+ role = data.aws_iam_role.lambda_kinesis.arn
 environment {
 variables = {