Merge pull request #398 from dmitchsplunk/main

additional fixes for the lambda workshop

Author: dmitchsplunk

content/en/ninja-workshops/6-lambda-kinesis/1-setup.md

@@ -79,6 +79,12 @@ The Workshop Directory `lambda` is a repository that contains all the configurat
 ### AWS & Terraform Variables
 
 #### AWS
+
+> Note to the workshop instructor:  create a new user in the target AWS account called `lambda-workshop-user`.
+> Ensure it has full permissions to perform the required actions via Terraform.  Create an access token for the `lambda-workshop-user`
+> user and share the Access Key ID and Secret Access Key with the workshop participants.  Delete the user
+> when the workshop is complete.
+
 The AWS CLI requires that you have credentials to be able to access and manage resources deployed by their services. Both Terraform and the Python scripts in this workshop require these variables to perform their tasks.
 
 - Configure the **awscli** with the _**access key ID**_, _**secret access key**_ and _**region**_ for this workshop:
@@ -98,10 +104,24 @@ The AWS CLI requires that you have credentials to be able to access and manage r
   aws configure
   ```
 
-> Note to the workshop instructor:  create a new user in the target AWS account called `lambda-workshop-user`. 
-> Ensure it has full permissions to perform the required actions via Terraform.  Create an access token for the `lambda-workshop-user`
-> user and share the Access Key ID and Secret Access Key with the workshop participants.  Delete the user 
-> when the workshop is complete. 
+#### Create an IAM Role (Workshop Instructor Only)
+
+> Note to the workshop instructor:  This step only needs to be completed once, as the IAM role created 
+> in this step will be shared by all workshop participants:
+
+``` bash
+cd ~/workshop/lambda/iam_role
+terraform init
+terraform plan
+terraform apply 
+```
+
+> Note to the workshop instructor:  After the workshop is complete, cleanup the role as follows:
+
+``` bash
+cd ~/workshop/lambda/iam_role
+terraform destroy
+```
 
 #### Terraform
 Terraform supports the passing of variables to ensure sensitive or dynamic data is not hard-coded in your .tf configuration files, as well as to make those values reusable throughout your resource definitions.

workshop/lambda/auto/main.tf

@@ -10,48 +10,10 @@ provider "aws" {
 
 
 # Get IAM Role
-data "aws_caller_identity" "current" {}
-resource "aws_iam_role" "lambda_kinesis" {
+data "aws_iam_role" "lambda_kinesis" {
   name = "lambda_kinesis"
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Principal = {
-          Service = "lambda.amazonaws.com"
-        }
-      }
-    ]
-  })
-}
-resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
-  role       = aws_iam_role.lambda_kinesis.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
 }
 
-resource "aws_iam_policy" "lambda_cloudwatch_logs" {
-  name = "LambdaCloudWatchLogsCustomPolicy"
-  policy = jsonencode({
-      "Version": "2012-10-17",
-      "Statement": [
-          {
-              "Effect": "Allow",
-              "Action": [
-                  "logs:CreateLogStream",
-                  "logs:PutLogEvents"
-              ],
-              "Resource": "*"
-          }
-      ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
-  role       = aws_iam_role.lambda_kinesis.name
-  policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
-}
 
 # Create S3 Bucket, Ownership, ACL
 resource "aws_s3_bucket" "lambda_bucket" {
@@ -119,7 +81,7 @@ resource "aws_lambda_function" "lambda_producer" {
 
   source_code_hash = data.archive_file.producer_app.output_base64sha256
 
-  role = aws_iam_role.lambda_kinesis.arn
+  role = data.aws_iam_role.lambda_kinesis.arn
 
   environment {
     variables = {
@@ -148,7 +110,7 @@ resource "aws_lambda_function" "lambda_consumer" {
 
   source_code_hash = data.archive_file.consumer_app.output_base64sha256
 
-  role = aws_iam_role.lambda_kinesis.arn
+  role = data.aws_iam_role.lambda_kinesis.arn
 
   environment {
     variables = {

workshop/lambda/iam_role/main.tf

@@ -0,0 +1,54 @@
+provider "aws" {
+  region = "us-east-1"
+
+  default_tags {
+    tags = {
+      o11y-workshop = "lambda-tracing"
+    }
+  }
+}
+
+
+# Create IAM Role
+data "aws_caller_identity" "current" {}
+resource "aws_iam_role" "lambda_kinesis" {
+  name = "lambda_kinesis"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
+  role       = aws_iam_role.lambda_kinesis.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
+}
+
+resource "aws_iam_policy" "lambda_cloudwatch_logs" {
+  name = "LambdaCloudWatchLogsCustomPolicy"
+  policy = jsonencode({
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Effect": "Allow",
+              "Action": [
+                  "logs:CreateLogStream",
+                  "logs:PutLogEvents"
+              ],
+              "Resource": "*"
+          }
+      ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
+  role       = aws_iam_role.lambda_kinesis.name
+  policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
+}

workshop/lambda/iam_role/outputs.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.38.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.4.2"
+    }
+  }
+
+  required_version = "~> 1.2"
+}
+

workshop/lambda/iam_role/terraform.tf

@@ -10,48 +10,10 @@ provider "aws" {
 
 
 # Get IAM Role
-data "aws_caller_identity" "current" {}
-resource "aws_iam_role" "lambda_kinesis" {
+data "aws_iam_role" "lambda_kinesis" {
   name = "lambda_kinesis"
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Principal = {
-          Service = "lambda.amazonaws.com"
-        }
-      }
-    ]
-  })
-}
-resource "aws_iam_role_policy_attachment" "lambda_kinesis_execution" {
-  role       = aws_iam_role.lambda_kinesis.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
 }
 
-resource "aws_iam_policy" "lambda_cloudwatch_logs" {
-  name = "LambdaCloudWatchLogsCustomPolicy"
-  policy = jsonencode({
-      "Version": "2012-10-17",
-      "Statement": [
-          {
-              "Effect": "Allow",
-              "Action": [
-                  "logs:CreateLogStream",
-                  "logs:PutLogEvents"
-              ],
-              "Resource": "*"
-          }
-      ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_logs_attachment" {
-  role       = aws_iam_role.lambda_kinesis.name
-  policy_arn = aws_iam_policy.lambda_cloudwatch_logs.arn
-}
 
 # Create S3 Bucket, Ownership, ACL
 resource "aws_s3_bucket" "lambda_bucket" {
@@ -119,7 +81,7 @@ resource "aws_lambda_function" "lambda_producer" {
 
   source_code_hash = data.archive_file.producer_app.output_base64sha256
 
-  role = aws_iam_role.lambda_kinesis.arn
+  role = data.aws_iam_role.lambda_kinesis.arn
 
   environment {
     variables = {
@@ -148,7 +110,7 @@ resource "aws_lambda_function" "lambda_consumer" {
 
   source_code_hash = data.archive_file.consumer_app.output_base64sha256
 
-  role = aws_iam_role.lambda_kinesis.arn
+  role = data.aws_iam_role.lambda_kinesis.arn
 
   environment {
     variables = {