Made changes after testing. Had to force all AWS services (SNS, SecretManager, S3, Lambda) to reside in the same region as the FSxN file system.

kcantrel · kcantrel · commit d55a06da0332 · 2024-08-20T18:19:12.000-05:00
diff --git a/Monitoring/monitor-ontap-services/README.md b/Monitoring/monitor-ontap-services/README.md
@@ -54,20 +54,18 @@ To install the program using the CloudFormation template, you will need to do th
 |Parameter Name | Notes|
 |---|---|
 |Stackname|The name you want to assign to the CloudFormation stack. Note that this name is used as a base name for the resources it creates, so please keep it under 25 characters.|
-|BucketRegion|The region where you want the S3 bucket, that is used to store event information and the matching conditions file, to reside.|
 |OntapAdminServer|The DNS name, or IP address, of the management endpoint of the FSxN file system you wish to monitor.|
-|VpcId|The VPC ID that the Lambda function will run in. Note that since the Lambda function has to communicate with the FSxN file server, it has to run in a VPC that can communicate with FSxN file server you want to monitor.|
-|SubnetIds|The subnet IDs that the Lambda function will be attached to. These must be in the VPC specified above.|
-|SecurityGroupIds|The security group IDs that the Lambda function will be attached to. These must be in the VPC specified above.|
+|SubnetIds|The subnet IDs that the Lambda function will be attached to. Must have connectivity to the FSxN file system you wish to monitor.|
+|SecurityGroupIds|The security group IDs that the Lambda function will be attached to.|
 |SnsTopicArn|The ARN of the SNS topic you want the program to publish alert messages to.|
-|SnsRegion|The region where the SNS topic resides.|
-|SecretArn|The ARN of the secret within the AWS Secrets Manager that holds the FSxN file system credentials.|
-|SecretRegion|The region where the secret is stored.|
+|SecretArn|The ARN of the secret within the AWS Secrets Manager that holds the FSxN file system credentials. **NOTE:** The secret must be in the same region as the FSxN file system.|
 |SecretUsernameKey|The key name within the secret that holds the username portion of the FSxN file system credentials.|
 |SecretPasswordKey|The key name within the secret that holds the password portion of the FSxN file system credentials.|
 |CreateSNSEndpoint|Set to "true" if you want to create an SNS endpoint. Since the Lambda function will be running within your VPC it will most likely not have access to the Internet, therefore a endpoint will need to be created if you don't already have one. Please read the [Endpoints for AWS services](#endpoints-for-aws-services) for more information.|
 |CreateSecretsManagerEndpoint|Set to "true" if you want create a Secrets Manager endpoint. Please read the [Endpoints for AWS services](#endpoints-for-aws-services) for more information.|
 |CreateS3Endpoint|Set to "true" if you want create an S3 endpoint. Note that this will be a "Gateway" type endpoint, since they are free to use. Please read the [Endpoints for AWS services](#endpoints-for-aws-services) for more information.|
+|RoutetableIds|The route table IDs to update to use the S3 endpoint. Since the S3 endpoint is of type 'Gateway' route tables have to be updated to use it. This parameter is only needed if createS3Endpoint is set to 'true'.|
+|VpcId|The VPC ID where the FSxN file system is located. This is only needed if you are creating an endpoint.|
 |CheckInterval|The interval, in minutes, that the EventBridge schedule will trigger the Lambda function. The default is 15 minutes.|
 
 The remaining parameters are used to create the matching conditions file, which specify when the program will send an SNS alert.
@@ -76,24 +74,24 @@ so you don't have to set them if you don't want to. Note that if you enable EMS
 send all EMS messages that have a severity of `Error`, `Alert` or `Emergency`. You can change the
 matching conditions at any time by updating the matching conditions file that is created in the S3 bucket.
 The name of the file will be \<OntapAdminServer\>-conditions where "\<OntapAdminServer\>" is the value you
-set for the OntapAdminServer parameter.
-
-To find the name of the bucket, or any of the resources that were created, you can go to the CloudFormation service
-in the AWS console, click on the stack you created (based on the name you provided as the first parameter above),
-and then click on the "Resources" tab.
+set for the OntapAdminServer parameter. To find the name of the S3 bucket, or any of the resources that were
+created, you can go to the CloudFormation service in the AWS console, click on the stack you created
+(based on the name you provided as the first parameter above), and then click on the "Resources" tab.
 
+### Post Installation Checks
 After the stack has been created, I would recommend checking the status of the Lambda function to make sure it is
-not in an error state. To find the Lambda function, as mentioned above, go to the Resources tab of the CloudFormation
+not in an error state. To find the Lambda function go to the Resources tab of the CloudFormation
 stack and click on the "Physical ID" of the Lambda function. This should bring you to the Lambda service in the AWS
 console. Once there, you can click on the "Monitoring" tab to see if the function has been invoked. Locate the
-"Error count and success rate(%)" chart, which is usually found at the top right corner of the dashboard. Within the "CheckInterval" number
-of minutes there should be at least one dot on that chart. Note that sometimes the chart is initially slow to reflect any
-status so you might have to be patient, and continue to press the "refresh" button (the icon with
-a circle on it) to see an status. Once you see a dot on the chart, when you hover you mouse over it, you should see the "success
-rate" and "number of errors." The success rate should be 100% and the number of errors should be 0. If it is not,
-then scroll down to the CloudWatch Logs section and click on the most recent log stream. This will show you the
-output of the Lambda function. If there are any errors, they will be displayed there. If you can't figure out
-what the error is, then please create an issue in this repository and someone will help you.
+"Error count and success rate(%)" chart, which is usually found at the top right corner of the monitoring dashboard.
+Within the "CheckInterval" number of minutes there should be at least one dot on that chart. Note that sometimes
+the chart is initially slow to reflect any status so you might have to be patient, and continue to press the "refresh"
+button (the icon with a circle on it) to see an status. Once you see a dot on the chart, when you hover you mouse
+over it, you should see the "success rate" and "number of errors." The success rate should be 100% and the number
+of errors should be 0. If it is not, then scroll down to the CloudWatch Logs section and click on the most recent
+log stream. This will show you the output of the Lambda function. If there are any errors, they will be displayed
+there. If you can't figure out what the error is, then please create an issue in this repository and someone will
+help you.
 
 ### Manual Installation
 If you want more control over the installation then you can install it manually by following the steps below. Note that these
@@ -133,10 +131,14 @@ overwrite the event files of another instance.
 
 This bucket is also used to store the Matching Condition file. You can read more about it in the [Matching Conditions File](#matching-conditions-file) below.
 
+**Note:** This bucket must be in the same region as the FSxN file system.
+
 #### Create an SNS Topic
 Since the way this program sends alerts is via an SNS topic, you need to either create SNS topic, or use an
 existing one.
 
+**Note:** This SNS topic must be in the same region as the FSxN file system.
+
 #### Endpoints for AWS Services
 If you deploy this as a Lambda function, you will have to attach it to the VPC that your FSx file system resides
 in so it can run ONTAP APIs against it. When you do that, it is likely that Lambda function will not have access the
@@ -163,8 +165,8 @@ them to the "local" DNS name of the respective endpoints.
 #### Lambda Function
 There are a few things you need to do to properly configure the Lambda function.
 - Give it the permissions listed above.
-- Put it in a VPC and subnet that has access to the FSxN file system management endpoint.
-- Increase the total run time to at least 10 seconds. You might have to raise that if you have a lot of components in your FSxN file system. However, if you have to raise it to more than a minute, it could be an issue with the endpoint causing the calls to the AWS services to hang. See the [Endpoints for AWS Services](#endpoints-for-aws-services) section above for more information.
+- Put it in a VPC and subnet that has access to the FSxN file system management endpoint. **NOTE:** It must be in the same region as the FSxN file system.
+- Increase the total run time to at least 20 seconds. You might have to raise that if you have a lot of components in your FSxN file system. However, if you have to raise it to more than a minute, it could be an issue with the endpoint causing the calls to the AWS services to hang. See the [Endpoints for AWS Services](#endpoints-for-aws-services) section above for more information.
 - Provide for the base configuration via environment variables and/or a configuration file. See the [Configuration Parameters](#configuration-parameters) section below for more information.
 - Create the "Matching Conditions" file, that specifies when the Lambda function should send alerts. See the [Matching Conditions File](#matching-conditions-file) section below for more information.
 - Set up an EventBridge Schedule rule to trigger the function on a regular basis.
diff --git a/Monitoring/monitor-ontap-services/cloudformation.yaml b/Monitoring/monitor-ontap-services/cloudformation.yaml
@@ -7,20 +7,18 @@ Metadata:
       - Label: 
           default: "Configuration Parameters"
         Parameters: 
-          - s3BucketRegion
           - OntapAdminSever
-          - vpcId
           - subNetIds
           - securityGroupIds
           - snsTopicArn
-          - snsTopicRegion
           - secretArn
-          - secretRegion
           - secretUsernameKey
           - secretPasswordKey
           - createSecretManagerEndpoint
           - createSNSEndpoint
           - createS3Endpoint
+          - routeTableIds
+          - vpcId
           - checkInterval
       - Label: 
           default: "Alert Parameters"
@@ -40,21 +38,11 @@ Metadata:
           - inodeQuotaUtilizationAlert
 
 Parameters:
-  s3BucketRegion:
-    Description: "The region where you want the S3 bucket to be created."
-    Type: String
-    Default: ""
-
   OntapAdminSever:
     Description: "The DNS name, or IP address, of the management endpoint of the FSxN file system to be monitored."
     Type: String
     Default: ""
 
-  vpcId:
-    Description: "The VPC ID where the FSxN file system is located."
-    Type: "AWS::EC2::VPC::Id"
-    Default: ""
-
   subNetIds:
     Description: "The subnet IDs where the FSxN file system is located."
     Type: "List<AWS::EC2::Subnet::Id>"
@@ -70,21 +58,11 @@ Parameters:
     Type: String
     Default: ""
 
-  snsTopicRegion:
-    Description: "The region where SNS topic resides."
-    Type: String
-    Default: ""
-
   secretArn:
     Description: "The ARN of the secret that holds the FSxN credentials to use."
     Type: String
     Default: ""
 
-  secretRegion:
-    Description: "The region where the secret resides."
-    Type: String
-    Default: ""
-
   secretUsernameKey:
     Description: "The key in the secret that holds the username."
     Type: String
@@ -113,6 +91,16 @@ Parameters:
     Default: "false"
     AllowedValues: ["true", "false"]
 
+  routeTableIds:
+    Description: "The route table IDs to update to use the S3 endpoint. Since the S3 endpoint is of type 'Gateway' route tables have to be updated to use it. This parameter is only needed if createS3Endpoint is set to 'true'."
+    Type: CommaDelimitedList
+    Default: ""
+
+  vpcId:
+    Description: "The VPC ID where the FSxN file system is located. This is only needed if you are creating an endpoint."
+    Type: "AWS::EC2::VPC::Id"
+    Default: ""
+
   checkInterval:
     Description: "The interval, in minutes, between checks."
     Type: Number
@@ -200,8 +188,8 @@ Resources:
     Condition: CreateSecretManagerEndpoint
     Properties:
       VpcId: !Ref vpcId
-      ServiceName: !Sub "com.amazonaws.${secretRegion}.secretsmanager"
-      VpcEndpointType: Interface
+      ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager"
+      VpcEndpointType: 'Interface'
       PrivateDnsEnabled: true
       SubnetIds: !Ref subNetIds
 
@@ -210,8 +198,8 @@ Resources:
     Condition: CreateSNSEndpoint
     Properties:
       VpcId: !Ref vpcId
-      ServiceName: !Sub "com.amazonaws.${snsTopicRegion}.sns"
-      VpcEndpointType: Interface
+      ServiceName: !Sub "com.amazonaws.${AWS::Region}.sns"
+      VpcEndpointType: 'Interface'
       PrivateDnsEnabled: true
       SubnetIds: !Ref subNetIds
 
@@ -220,10 +208,9 @@ Resources:
     Condition: CreateS3Endpoint
     Properties:
       VpcId: !Ref vpcId
-      ServiceName: !Sub "com.amazonaws.${s3BucketRegion}.s3"
-      VpcEndpointType: Gateway
-      PrivateDnsEnabled: true
-      SubnetIds: !Ref subNetIds
+      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
+      VpcEndpointType: 'Gateway'
+      RouteTableIds: !Ref routeTableIds
 
   s3Bucket:
     Type: "AWS::S3::Bucket"
@@ -320,7 +307,7 @@ Resources:
       Timeout: 60
       Environment:
         Variables:
-          s3BucketRegion: !Ref s3BucketRegion
+          s3BucketRegion: !Ref AWS::Region
           s3BucketArn: !GetAtt s3Bucket.Arn
           OntapAdminServer: !Ref OntapAdminSever
           secretArn: !Ref secretArn
@@ -363,8 +350,8 @@ Resources:
           # "matching conditions."  It is intended to be run as a Lambda function, but
           # can be run as a standalone program.
           #
-          # Version: %%VERSION%%
-          # Date: %%DATE%%
+          # Version: v2.5
+          # Date: 2024-08-20-17:54:55
           ################################################################################
           
           import json
diff --git a/Monitoring/monitor-ontap-services/updateMonOntapServiceCFTemplate b/Monitoring/monitor-ontap-services/updateMonOntapServiceCFTemplate
@@ -1,12 +1,35 @@
 #!/bin/bash
+#
+# This script is used to update the CloudFormation template with the latest
+# version of the Lambda function. It will also update the version number in
+# the template as well as create a git tag for the version.
+#################################################################################
+
+majorVersionNum=2
+file="monitor_ontap_services.py"
+#
+# Get the number of commits in the git history for the file to calculate the minor version number.
+minorVersionNum="$(git log "$file" | egrep '^commit' | wc -l)"
+if [ -z "$minorVersionNum" ]; then
+  echo "Failed to calculate version number." 1>&2
+  exit 1
+fi
+
+version="v${majorVersionNum}.${minorVersionNum}"
 
 sed -e '/ZipFile/,$d' cloudformation.yaml > cloudformation.yaml.tmp
 echo "        ZipFile: |" >> cloudformation.yaml.tmp
-cat monitor_ontap_services.py | sed 's/^/          /' >> cloudformation.yaml.tmp
+cat "$file" | sed -e 's/^/          /' -e "s/%%VERSION%%/${version}/" -e "s/%%DATE%%/$(date +%Y-%m-%d-%H:%M:%S)/" >> cloudformation.yaml.tmp
 if diff cloudformation.yaml cloudformation.yaml.tmp; then
     rm -f cloudformation.yaml.tmp 
     echo "No changes detected"
     exit 0
 fi
+#
+# Create a tag in git.
+latestHash=$(git log $file | head -1 | awk '{print $2}')
+echo "Creating tag ${file}-${version} for commit $latestHash"
+git tag -a "${file}-${version}" -m "${file}-${version}" $latestHash
+
 echo "Updating cloudformation.yaml"
 mv cloudformation.yaml.tmp cloudformation.yaml
