Improve READMEs

Author: alistairjevans

README.md

@@ -1,16 +1,26 @@
 # Better Stack AWS Integration
 
-This repository contains all Better Stack CloudFormation stacks and Lambdas for the Better Stack AWS Integration.
+This repository contains CloudFormation stacks and Lambda functions for streaming AWS CloudWatch data to Better Stack.
+
+## Repository Structure
+
+| Directory | Description |
+|-----------|-------------|
+| [cloudformation/full/](cloudformation/full/README.md) | CloudFormation template and deployment guide |
+| [lambda/](lambda/README.md) | Firehose transformation Lambda functions |
 
 ## Getting Started
 
-To get started with Better Stack on AWS, [create a new AWS Source in Better Stack Telemetry](https://telemetry.betterstack.com/team/t0/sources/new?platform=aws).
+To get started with Better Stack on AWS, [create a new AWS Source in Better Stack](https://telemetry.betterstack.com/team/t0/sources/new?platform=aws).
+
+For deployment instructions, see the [CloudFormation deployment guide](cloudformation/full/README.md).
 
 ## Ingested Data
 
 When you deploy our CloudFormation stack you get:
 
 - Automatic ingestion of all CloudWatch metrics into Better Stack.
   - Support for RDS Enhanced Metrics (RDSOS)
-- Detection and per-log-group optional ingestion of all Cloudwatch log groups.
-- Automatic integration with AWS X-Ray, ingest traces into Better Stack Telemetry and view your traces.
+- Detection and per-log-group optional ingestion of all CloudWatch log groups.
+- Automatic integration with AWS X-Ray for trace ingestion.
+- Optional CloudTrail audit log forwarding.

cloudformation/full/README.md

@@ -2,6 +2,8 @@
 
 Stream AWS CloudWatch metrics, logs, and optionally X-Ray traces and CloudTrail audit logs to Better Stack via Kinesis Data Firehose.
 
+See the [main README](../../README.md) for an overview or the [Lambda documentation](../../lambda/README.md) for details on deployed lambdas.
+
 ## Prerequisites
 
 1. **Better Stack Account** - Sign up at [betterstack.com](https://betterstack.com)
@@ -111,7 +113,7 @@ After deployment, provide these values to Better Stack:
 
 ## Tag Enrichment
 
-When `EnableTagEnrichment=true`, Lambda functions enrich metrics and logs with AWS resource tags.
+When `EnableTagEnrichment=true`, [Lambda functions](../../lambda/README.md) enrich metrics and logs with AWS resource tags.
 
 **Metrics enrichment** adds tags from:
 - EC2 instances
@@ -130,7 +132,7 @@ When `EnableTagEnrichment=true`, Lambda functions enrich metrics and logs with A
 - `/ecs/{cluster}/...` -> ECS tags
 - `/aws/api-gateway/{api-id}` -> API Gateway tags
 
-Lambda code is loaded from regional S3 buckets (`better-stack-lambda-{region}`).
+See the [Lambda README](../../lambda/README.md) for implementation details. Lambda code is deployed from regional S3 buckets (`better-stack-lambda-{region}`).
 
 ## Stack Outputs
 

cloudformation/full/better-stack-full.yaml

@@ -98,7 +98,7 @@ Resources:
     Type: AWS::IAM::Role
     Condition: ShouldCreateGlobalResources
     Properties:
-      RoleName: !Sub 'better-stack-firehose-role'
+      RoleName: !Sub 'betterstack-firehose-role'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -121,8 +121,8 @@ Resources:
                   - s3:GetBucketLocation
                   - s3:ListBucket
                 Resource:
-                  - !Sub 'arn:aws:s3:::better-stack-firehose-${AWS::AccountId}-*'
-                  - !Sub 'arn:aws:s3:::better-stack-firehose-${AWS::AccountId}-*/*'
+                  - !Sub 'arn:aws:s3:::betterstack-firehose-${AWS::AccountId}-*'
+                  - !Sub 'arn:aws:s3:::betterstack-firehose-${AWS::AccountId}-*/*'
         - PolicyName: CloudWatchLogsPermissions
           PolicyDocument:
             Version: '2012-10-17'
@@ -134,7 +134,7 @@ Resources:
                   - logs:CreateLogStream
                   - logs:CreateLogGroup
                 Resource:
-                  - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/kinesisfirehose/better-stack-*:*'
+                  - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/kinesisfirehose/betterstack-*:*'
       Tags:
         - Key: Solution
           Value: BetterStack
@@ -144,7 +144,7 @@ Resources:
     Type: AWS::IAM::Role
     Condition: ShouldCreateGlobalResources
     Properties:
-      RoleName: !Sub 'better-stack-metric-stream-role'
+      RoleName: !Sub 'betterstack-metric-stream-role'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -162,7 +162,7 @@ Resources:
                 Action:
                   - firehose:PutRecord
                   - firehose:PutRecordBatch
-                Resource: !Sub 'arn:aws:firehose:*:${AWS::AccountId}:deliverystream/better-stack-metrics'
+                Resource: !Sub 'arn:aws:firehose:*:${AWS::AccountId}:deliverystream/betterstack-metrics'
       Tags:
         - Key: Solution
           Value: BetterStack
@@ -172,7 +172,7 @@ Resources:
     Type: AWS::IAM::Role
     Condition: ShouldCreateGlobalResources
     Properties:
-      RoleName: !Sub 'better-stack-logs-subscription-role'
+      RoleName: !Sub 'betterstack-logs-subscription-role'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -193,7 +193,7 @@ Resources:
                 Action:
                   - firehose:PutRecord
                   - firehose:PutRecordBatch
-                Resource: !Sub 'arn:aws:firehose:*:${AWS::AccountId}:deliverystream/better-stack-logs'
+                Resource: !Sub 'arn:aws:firehose:*:${AWS::AccountId}:deliverystream/betterstack-logs'
       Tags:
         - Key: Solution
           Value: BetterStack
@@ -203,7 +203,7 @@ Resources:
     Type: AWS::IAM::Role
     Condition: CreateTagEnrichmentLambdaRole
     Properties:
-      RoleName: !Sub 'better-stack-tag-enrichment-role'
+      RoleName: !Sub 'betterstack-tag-enrichment-role'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -252,7 +252,7 @@ Resources:
     Type: AWS::IAM::Role
     Condition: ShouldCreateGlobalResources
     Properties:
-      RoleName: !Sub 'better-stack-integration-role'
+      RoleName: !Sub 'betterstack-integration-role'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -385,7 +385,7 @@ Resources:
                 Effect: Allow
                 Action:
                   - iam:PassRole
-                Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/better-stack-logs-subscription-role'
+                Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/betterstack-logs-subscription-role'
       Tags:
         - Key: Solution
           Value: BetterStack

lambda/README.md

@@ -1,24 +1,98 @@
 # Lambda Functions
 
-This directory contains AWS Lambda functions for Kinesis Firehose data transformation.
+Firehose transformation Lambda functions that enrich CloudWatch data with AWS resource tags and properties before delivery to Better Stack.
+
+See the [main README](../README.md) for an overview or the [CloudFormation deployment guide](../cloudformation/full/README.md) for deployment instructions.
 
 ## Functions
 
-| Function | Description |
-|----------|-------------|
-| `firehose_logs_tag_enrichment.rb` | Enriches CloudWatch Logs with AWS resource tags before delivery |
-| `firehose_metrics_tag_enrichment.rb` | Enriches CloudWatch Metrics with AWS resource tags before delivery |
+### firehose_metrics_tag_enrichment.rb
 
-## Deployment
+Enriches CloudWatch Metric Stream data with resource tags and properties.
+
+**Input:** Base64-encoded NDJSON (newline-delimited JSON) from Firehose
+**Output:** Enriched NDJSON with `tags` and `properties` fields added
+
+**Supported Namespaces:**
+- `AWS/EC2` - Instance tags + properties (type, family, size, architecture, AZ, lifecycle)
+- `AWS/EBS` - Volume tags + properties (type, size, IOPS, throughput)
+- `AWS/RDS` - Database tags + properties (class, engine, version, storage type)
+- `AWS/Lambda` - Function tags + properties (runtime, memory, timeout, architecture)
+- `AWS/DynamoDB` - Table tags
+- `AWS/SQS` - Queue tags
+- `AWS/SNS` - Topic tags
+- `AWS/S3` - Bucket tags
+- `AWS/ELB`, `AWS/ApplicationELB`, `AWS/NetworkELB` - Load balancer tags
+
+### firehose_logs_tag_enrichment.rb
+
+Enriches CloudWatch Logs with resource tags extracted from log group/stream names.
+
+**Input:** Base64-encoded gzip-compressed CloudWatch Logs subscription data
+**Output:** Enriched logs with `tags`, `resource_name`, `environment`, and `team` fields
 
-These Lambda functions are automatically provisioned by the CloudFormation stack when `EnableTagEnrichment` is set to `true`. The stack handles packaging, deployment, and IAM permissions required for the Resource Groups Tagging API integration.
+**Supported Log Patterns:**
+- `/aws/lambda/{function-name}` - Lambda function tags
+- `/aws/rds/instance/{db-instance}/{type}` - RDS instance tags
+- `RDSOSMetrics` - RDS Enhanced Monitoring (extracts `instanceID` from message body)
+- `/ecs/{cluster}/...` - ECS cluster tags
+- `/aws/api-gateway/{api-id}` - API Gateway tags
+- Log streams containing `i-xxxxxxxxx` - EC2 instance tags
 
-Lambda packages are hosted in regional S3 buckets following the pattern:
+## Configuration
+
+Environment variables (set via CloudFormation):
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `CACHE_TTL_MINUTES` | `10` | How long to cache tags/properties before refreshing |
+| `ACCOUNT_ID` | (required) | AWS account ID for ARN construction |
+| `AWS_REGION` | `us-east-1` | AWS region (auto-set by Lambda runtime) |
+| `DEBUG` | `false` | Enable verbose logging |
+
+## Architecture
 
 ```
-s3://better-stack-lambda-${AWS::Region}/<function>.zip
+CloudWatch Metrics ─┐
+                    ├─> Firehose ─> Lambda (enrichment) ─> Firehose -> Better Stack
+CloudWatch Logs ────┘
 ```
 
-For example, in `us-east-1`:
-- `s3://better-stack-lambda-us-east-1/firehose_metrics_tag_enrichment.zip`
-- `s3://better-stack-lambda-us-east-1/firehose_logs_tag_enrichment.zip`
+Both functions:
+1. Receive batched records from Kinesis Firehose
+2. Extract resource identifiers (ARNs) from the data
+3. Batch-fetch tags via the Resource Groups Tagging API (max 100 ARNs per call)
+4. Cache tags in-memory to minimize API calls
+5. Return enriched records to Firehose for delivery
+
+## Local Development
+
+### Prerequisites
+
+```bash
+bundle install
+```
+
+### Running Tests
+
+```bash
+bundle exec rspec spec/lambda/
+```
+
+Or run specific tests:
+
+```bash
+bundle exec rspec spec/lambda/firehose_metrics_tag_enrichment_spec.rb
+bundle exec rspec spec/lambda/firehose_logs_tag_enrichment_spec.rb
+```
+
+### Dependencies
+
+- `aws-sdk-resourcegroupstaggingapi` - Tag lookups
+- `aws-sdk-ec2` - EC2/EBS property lookups
+- `aws-sdk-rds` - RDS property lookups
+- `aws-sdk-lambda` - Lambda property lookups
+
+## Deployment
+
+Lambda code is deployed via CloudFormation from regional S3 buckets (`better-stack-lambda-{region}`), referenced in the CloudFormation stack. See the [CloudFormation README](../cloudformation/full/README.md) for deployment commands.