AWS Create Cloudformation log alert for Lambda
Posted 2018-01-24 02:15:17

Question:
I want to create an alert when something goes wrong with a Lambda function, especially when the lambda throws an exception. I plan to configure an SNS topic to send a message when the alarm is triggered.
All lambdas are created with CloudFormation scripts, so I am looking for a CloudFormation template that configures an alarm on CloudWatch Logs. I was not able to find a good/working sample. Sample code is below.
```json
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "AWS CloudTrail API Activity Alarm Template for CloudWatch Logs",
  "Parameters" : {
    "LogGroupName" : {
      "Type" : "String",
      "Default" : "CloudTrail/DefaultLogGroup",
      "Description" : "Enter CloudWatch Logs log group name. Default is CloudTrail/DefaultLogGroup"
    },
    "Email" : {
      "Type" : "String",
      "Description" : "Email address to notify when an API activity has triggered an alarm"
    }
  },
  "Resources" : {
    "SecurityGroupChangesAlarm": {
      "Type": "AWS::CloudWatch::Alarm",
      "Properties": {
        "AlarmName" : "CloudTrailSecurityGroupChanges",
        "AlarmDescription" : "Alarms when an API call is made to create, update or delete a Security Group.",
        "AlarmActions" : [ { "Ref" : "AlarmNotificationTopic" } ],
        "MetricName" : "SecurityGroupEventCount",
        "Namespace" : "CloudTrailMetrics",
        "ComparisonOperator" : "GreaterThanOrEqualToThreshold",
        "EvaluationPeriods" : "1",
        "Period" : "300",
        "Statistic" : "Sum",
        "Threshold" : "1"
      }
    },
    "AlarmNotificationTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {
            "Endpoint": { "Ref": "Email" },
            "Protocol": "email"
          }
        ]
      }
    }
  }
}
```
Comments:

Answer 1:
For this we need to create a subscription filter on that lambda's log group with FilterPattern: "Exception".
So whenever the word Exception appears in a log message, it triggers the monitor lambda.
Below is the CloudFormation template in YAML that I wrote
```yaml
Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: 'AllowLambdaAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Effect: "Allow"
                Resource:
                  Fn::Join:
                    - ''
                    - - 'arn:aws:logs:'
                      - Ref: AWS::Region
                      - ':'
                      - Ref: AWS::AccountId
                      - ':log-group:/aws/lambda/*'
              - Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                Effect: "Allow"
                Resource: "*"
      RoleName: !Sub "${AWS::StackName}-LambdaExecutionRole"
  SubscriptionFilter:
    Type: "AWS::Logs::SubscriptionFilter"
    DependsOn: "LambdaInvokePermission"
    Properties:
      LogGroupName: !Sub "/aws/lambda/${LogGroupName}"
      FilterPattern: "Exception"
      DestinationArn:
        Fn::GetAtt:
          - "LambdaFunction"
          - "Arn"
  LambdaFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        S3Bucket: !Ref S3BucketName
        S3Key: !Ref ZipFile
      Description: Monitor Lambda Function
      Handler: 'index.handler'
      MemorySize: 1536
      Role: !GetAtt
        - LambdaExecutionRole
        - Arn
      Runtime: nodejs6.10
      Environment:
        Variables:
          SMTP_SERVER: !Ref SMTPServer
          SMTP_PORT: !Ref SMTPPort
          EMAIL_FROM: !Ref FromEmail
          EMAIL_TO: !Ref ToEmail
      Timeout: 300
      FunctionName: !Sub "${AWS::StackName}-LambdaFunction"
      VpcConfig:
        SecurityGroupIds: !Split [ ",", !Ref SecurityGroupId ]
        SubnetIds: !Split [ ",", !Ref SubnetIds ]
    DependsOn:
      - LambdaExecutionRole
  LambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref "LambdaFunction"
      Action: "lambda:InvokeFunction"
      Principal: !Sub "logs.${AWS::Region}.amazonaws.com"
      SourceArn:
        Fn::Join:
          - ''
          - - 'arn:aws:logs:'
            - Ref: AWS::Region
            - ':'
            - Ref: AWS::AccountId
            - !Sub ':log-group:/aws/lambda/${LogGroupName}*'
```
Comments: