From b4e96dc1a53f5f02528ba64968a55eb6994eeb40 Mon Sep 17 00:00:00 2001 From: Austin Byers Date: Tue, 13 Feb 2018 19:11:09 -0800 Subject: [PATCH 1/4] Create new Lambda Terraform module --- terraform/modules/tf_lambda/README.md | 57 ++++++++++ terraform/modules/tf_lambda/iam.tf | 43 ++++++++ terraform/modules/tf_lambda/main.tf | 47 ++++++++ terraform/modules/tf_lambda/metrics.tf | 57 ++++++++++ terraform/modules/tf_lambda/output.tf | 11 ++ terraform/modules/tf_lambda/variables.tf | 132 +++++++++++++++++++++++ 6 files changed, 347 insertions(+) create mode 100644 terraform/modules/tf_lambda/README.md create mode 100644 terraform/modules/tf_lambda/iam.tf create mode 100644 terraform/modules/tf_lambda/main.tf create mode 100644 terraform/modules/tf_lambda/metrics.tf create mode 100644 terraform/modules/tf_lambda/output.tf create mode 100644 terraform/modules/tf_lambda/variables.tf diff --git a/terraform/modules/tf_lambda/README.md b/terraform/modules/tf_lambda/README.md new file mode 100644 index 000000000..72c3b750a --- /dev/null +++ b/terraform/modules/tf_lambda/README.md 
@@ -0,0 +1,57 @@ +# Lambda Module +This Terraform module creates a single AWS Lambda function and its related components: + +* IAM execution role with basic permissions +* Lambda function +* Production alias +* CloudWatch log group +* CloudWatch metric alarms related to Lambda + +All StreamAlert Lambda functions will eventually leverage this module. + +The created IAM role has permission to publish CloudWatch logs and metrics. To add function-specific +permissions, attach/inline them to the created IAM role. + +## Example +```hcl +module "alert_processor" { + function_name = "alert_processor" + handler = "stream_alert.alert_processor.main.handler" + source_bucket = "SOURCE_BUCKET" + source_object_key = "SOURCE_OBJECT_KEY" + + environment_variables = { + LOGGER_LEVEL = "info" + } + + // Commonly used optional variables + enabled = true + description = "Function Description" + memory_size_mb = 128 + timeout_sec = 60 + vpc_subnet_ids = ["abc"] + vpc_security_group_ids = ["id0"] + aliased_version = 1 + log_retention_days = 14 + alarm_actions = ["SNS_ARN"] + errors_alarm_threshold = 1 + enable_iterator_age_alarm = true +} + +// Add additional permissions +resource "aws_iam_role_policy" "policy" { + name = "CustomPolicy" + role = "${module.alert_processor.role_id}" + policy = "${data.aws_iam_policy_document.policy.json}" +} + +data "aws_iam_policy_document" "policy" { + statement { + effect = "Allow" + actions = ["s3:PutObject"] + resources = ["arn:aws:s3:::..."] + } +} +``` + +For a complete list of available options and their descriptions, see [`variables.tf`](variables.tf). \ No newline at end of file diff --git a/terraform/modules/tf_lambda/iam.tf b/terraform/modules/tf_lambda/iam.tf new file mode 100644 index 000000000..19e656dc2 --- /dev/null +++ b/terraform/modules/tf_lambda/iam.tf 
@@ -0,0 +1,43 @@
+data "aws_iam_policy_document" "lambda_execution_policy" {
+ count = "${var.enabled}"
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+ }
+}
+
+// Create the execution role for the Lambda function.
+resource "aws_iam_role" "role" {
+ count = "${var.enabled}"
+ name = "${var.function_name}_role"
+ assume_role_policy = "${data.aws_iam_policy_document.lambda_execution_policy.json}"
+}
+
+// Base permissions - Allow creating logs and publishing metrics
+data "aws_iam_policy_document" "logs_metrics_policy" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "cloudwatch:PutMetricData",
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ]
+
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_role_policy" "logs_metrics_policy" {
+ count = "${var.enabled}"
+ name = "LogsAndMetrics"
+ role = "${aws_iam_role.role.id}"
+ policy = "${data.aws_iam_policy_document.logs_metrics_policy.json}"
+}
diff --git a/terraform/modules/tf_lambda/main.tf b/terraform/modules/tf_lambda/main.tf
new file mode 100644
index 000000000..c940c6d76
--- /dev/null
+++ b/terraform/modules/tf_lambda/main.tf
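Review bot: The `logs_metrics_policy` statement grants all three `logs:*` actions on `resources = ["*"]`, although main.tf in this same patch creates the function's log group (`/aws/lambda/${var.function_name}`) itself, so the role does not need `logs:CreateLogGroup` and the remaining log actions can be scoped to that one group. Leaving `CreateLogGroup` on the role also lets the function create the group first if it is invoked before Terraform does, which can make the `aws_cloudwatch_log_group` apply fail on an already-existing group. `cloudwatch:PutMetricData` does not support resource-level permissions, so it is the only action that genuinely needs `*`; splitting the document into two statements keeps that visible.

```hcl
// Base permissions - Allow creating logs and publishing metrics
data "aws_iam_policy_document" "logs_metrics_policy" {
  // PutMetricData does not support resource-level permissions
  statement {
    effect    = "Allow"
    actions   = ["cloudwatch:PutMetricData"]
    resources = ["*"]
  }

  // The log group is created by this module (main.tf); the role only needs to write to it
  statement {
    effect = "Allow"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/${var.function_name}:*"]
  }
}
```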
@@ -0,0 +1,47 @@
+// Generic module for any StreamAlert Lambda function.
+// TODO - migrate all Lambda functions and Lambda metric alarms to use this module
+
+resource "aws_lambda_function" "function" {
+ count = "${var.enabled}"
+ function_name = "${var.function_name}"
+ description = "${var.description}"
+ runtime = "${var.runtime}"
+ role = "${aws_iam_role.role.arn}"
+ handler = "${var.handler}"
+ memory_size = "${var.memory_size_mb}"
+ timeout = "${var.timeout_sec}"
+ s3_bucket = "${var.source_bucket}"
+ s3_key = "${var.source_object_key}"
+
+ environment {
+ variables = "${var.environment_variables}"
+ }
+
+ // Note: If both of these lists are empty, VPC will not be enabled
+ vpc_config {
+ security_group_ids = "${var.vpc_subnet_ids}"
+ subnet_ids = "${var.vpc_security_group_ids}"
+ }
+
+ tags {
+ Name = "${var.name_tag}"
+ }
+}
+
+resource "aws_lambda_alias" "production_alias" {
+ count = "${var.enabled}"
+ name = "production"
+ description = "Production alias for ${aws_lambda_function.function.function_name}"
+ function_name = "${aws_lambda_function.function.function_name}"
+ function_version = "${var.aliased_version == "" ? aws_lambda_function.function.version : var.aliased_version}"
+}
+
+resource "aws_cloudwatch_log_group" "lambda_log_group" {
+ count = "${var.enabled}"
+ name = "/aws/lambda/${var.function_name}"
+ retention_in_days = "${var.log_retention_days}"
+
+ tags {
+ Name = "${var.name_tag}"
+ }
+}
diff --git a/terraform/modules/tf_lambda/metrics.tf b/terraform/modules/tf_lambda/metrics.tf
new file mode 100644
index 000000000..6603a8e5f
--- /dev/null
+++ b/terraform/modules/tf_lambda/metrics.tf
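Review bot: `aws_lambda_function.function` deploys from `s3_bucket`/`s3_key` but sets neither `source_code_hash` nor `s3_object_version`, so uploading a new package under the same key produces no diff and the function keeps running the previous code until some unrelated attribute changes. Consider an optional pass-through, `source_code_hash = "${var.source_code_hash}"` (the base64-encoded SHA-256 of the package), so callers can force a redeploy on code changes. Separately, the `vpc_config` block assigns `var.vpc_subnet_ids` to `security_group_ids` and `var.vpc_security_group_ids` to `subnet_ids`; PATCH 4/4 in this series swaps them back, so no action is needed here beyond noting the squash order.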
@@ -0,0 +1,57 @@
+resource "aws_cloudwatch_metric_alarm" "lambda_invocation_errors" {
+ count = "${var.enabled}"
+ alarm_name = "${var.function_name}_invocation_errors"
+ namespace = "AWS/Lambda"
+ metric_name = "Errors"
+ statistic = "Sum"
+ comparison_operator = "GreaterThanThreshold"
+ threshold = "${var.errors_alarm_threshold}"
+ evaluation_periods = "${var.errors_alarm_evaluation_periods}"
+ period = "${var.errors_alarm_period_secs}"
+ alarm_description = "StreamAlert Lambda Invocation Errors: ${var.function_name}"
+ alarm_actions = "${var.alarm_actions}"
+
+ dimensions {
+ FunctionName = "${var.function_name}"
+ Resource = "${var.function_name}:production"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "lambda_throttles" {
+ count = "${var.enabled}"
+ alarm_name = "${var.function_name}_throttles"
+ namespace = "AWS/Lambda"
+ metric_name = "Throttles"
+ statistic = "Sum"
+ comparison_operator = "GreaterThanThreshold"
+ threshold = "${var.throttles_alarm_threshold}"
+ evaluation_periods = "${var.throttles_alarm_evaluation_periods}"
+ period = "${var.throttles_alarm_period_secs}"
+ alarm_description = "StreamAlert Lambda Throttles: ${var.function_name}"
+ alarm_actions = "${var.alarm_actions}"
+
+ dimensions {
+ FunctionName = "${var.function_name}"
+ Resource = "${var.function_name}:production"
+ }
+}
+
+// Lambda: IteratorAge
+resource "aws_cloudwatch_metric_alarm" "streamalert_lambda_iterator_age" {
+ count = "${min(var.enabled, var.enable_iterator_age_alarm)}"
+ alarm_name = "${var.function_name}_iterator_age"
+ namespace = "AWS/Lambda"
+ metric_name = "IteratorAge"
+ statistic = "Maximum"
+ comparison_operator = "GreaterThanThreshold"
+ threshold = "${var.iterator_age_alarm_threshold}"
+ evaluation_periods = "${var.iterator_age_alarm_evaluation_periods}"
+ period = "${var.iterator_age_alarm_period_secs}"
+ alarm_description = "StreamAlert Lambda High Iterator Age: ${var.function_name}"
+ alarm_actions = "${var.alarm_actions}"
+
+ dimensions {
+ FunctionName = "${var.function_name}"
+ Resource = "${var.function_name}:production"
+ }
+}
diff --git a/terraform/modules/tf_lambda/output.tf b/terraform/modules/tf_lambda/output.tf
new file mode 100644
index 000000000..18cfa7c1f
--- /dev/null
+++ b/terraform/modules/tf_lambda/output.tf
@@ -0,0 +1,11 @@
+output "function_arn" {
+ value = "${aws_lambda_function.function.arn}"
+}
+
+output "role_arn" {
+ value = "${aws_iam_role.role.arn}"
+}
+
+output "role_id" {
+ value = "${aws_iam_role.role.id}"
+}
diff --git a/terraform/modules/tf_lambda/variables.tf b/terraform/modules/tf_lambda/variables.tf
new file mode 100644
index 000000000..2529838d2
--- /dev/null
+++ b/terraform/modules/tf_lambda/variables.tf
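Review bot: All three alarms set `Resource = "${var.function_name}:production"` next to `FunctionName`, which restricts the metric to invocations made through the production alias; errors or throttles from invocations of `$LATEST` or of an unaliased version are not counted, so a trigger wired directly to the function rather than to the alias would never raise these alarms. If that scoping is deliberate, a comment above the first `dimensions` block would save the next reader a trip to the CloudWatch docs, e.g. `// Alarms cover only invocations through the "production" alias (Resource dimension)`; if it is not, drop the `Resource` dimension so the alarm covers the whole function.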
@@ -0,0 +1,132 @@
+// Note: We use this variable because terraform does not support "count" for module resources
+// https://github.com/hashicorp/terraform/issues/953
+variable "enabled" {
+ default = true
+ description = "If true, the Lambda function and all associated components will be created"
+}
+
+variable "function_name" {
+ description = "Name of the Lambda function"
+}
+
+variable "description" {
+ default = ""
+ description = "Description of the Lambda function"
+}
+
+variable "runtime" {
+ default = "python2.7"
+ description = "Function runtime environment"
+}
+
+variable "handler" {
+ description = "Entry point for the function"
+}
+
+variable "memory_size_mb" {
+ default = 128
+ description = "Memory allocated to the function. CPU and network are allocated proportionally."
+}
+
+variable "timeout_sec" {
+ default = 30
+ description = "Maximum duration before execution is terminated"
+}
+
+variable "source_bucket" {
+ description = "S3 bucket containing function source code"
+}
+
+variable "source_object_key" {
+ description = "S3 object key pointing to the function source code"
+}
+
+variable "environment_variables" {
+ type = "map"
+ description = "Map of environment variables available to the running Lambda function"
+}
+
+variable "vpc_subnet_ids" {
+ type = "list"
+ default = []
+ description = "Optional list of VPC subnet IDs"
+}
+
+variable "vpc_security_group_ids" {
+ type = "list"
+ default = []
+ description = "Optional list of security group IDs (for VPC)"
+}
+
+variable "name_tag" {
+ default = "StreamAlert"
+ description = "The value for the Name cost tag associated with all applicable components"
+}
+
+variable "aliased_version" {
+ default = ""
+ description = "Alias points to this version (or the latest published version if not specified)"
+}
+
+variable "log_retention_days" {
+ default = 14
+ description = "CloudWatch logs for the Lambda function will be retained for this many days"
+}
+
+// CloudWatch metric alarms
+
+variable "alarm_actions" {
+ type = "list"
+ default = []
+ description = "Optional list of CloudWatch alarm actions (e.g. SNS topic ARNs)"
+}
+
+variable "errors_alarm_threshold" {
+ default = 0
+ description = "Alarm if Lambda invocation errors exceed this value in the specified period(s)"
+}
+
+variable "errors_alarm_evaluation_periods" {
+ default = 1
+ description = "Number of periods over which to evaluate the number invocation errors"
+}
+
+variable "errors_alarm_period_secs" {
+ default = 60
+ description = "Period over which to count the number of invocation errors"
+}
+
+variable "throttles_alarm_threshold" {
+ default = 0
+ description = "Alarm if Lambda throttles exceed this value in the specified period(s)"
+}
+
+variable "throttles_alarm_evaluation_periods" {
+ default = 1
+ description = "Number of periods over which to evaluate the number of throttles"
+}
+
+variable "throttles_alarm_period_secs" {
+ default = 60
+ description = "Period over which to count the number of throttles"
+}
+
+variable "enable_iterator_age_alarm" {
+ default = false
+ description = "Enable IteratorAge alarm (applicable only for stream-based invocations like Kinesis)"
+}
+
+variable "iterator_age_alarm_threshold" {
+ default = 0
+ description = "Alarm if the Lambda IteratorAge exceeds this value in the specified period(s)"
+}
+
+variable "iterator_age_alarm_evaluation_periods" {
+ default = 1
+ description = "Number of periods over which to evaluate the IteratorAge"
+}
+
+variable "iterator_age_alarm_period_secs" {
+ default = 60
+ description = "Period over which to evaluate the maximum IteratorAge"
+}
From ef07dfc78b94e256814e1166f7b1956e0d0ee99e Mon Sep 17 00:00:00 2001 From: Austin Byers Date: Tue, 13 Feb 2018 19:12:04 -0800 Subject: [PATCH 2/4] Terraform format - fix newline issues in unrelated files --- terraform/modules/tf_stream_alert_globals/output.tf | 1 + terraform/modules/tf_stream_alert_kinesis_streams/iam.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/terraform/modules/tf_stream_alert_globals/output.tf b/terraform/modules/tf_stream_alert_globals/output.tf
index e69de29bb..8b1378917 100644
--- a/terraform/modules/tf_stream_alert_globals/output.tf
+++ b/terraform/modules/tf_stream_alert_globals/output.tf
@@ -0,0 +1 @@
+
diff --git a/terraform/modules/tf_stream_alert_kinesis_streams/iam.tf b/terraform/modules/tf_stream_alert_kinesis_streams/iam.tf
index d4904f2db..0802e9495 100644
--- a/terraform/modules/tf_stream_alert_kinesis_streams/iam.tf
+++ b/terraform/modules/tf_stream_alert_kinesis_streams/iam.tf
@@ -80,4 +80,4 @@ resource "aws_iam_role_policy" "stream_alert_kinesis_put_records" {
 name = "KinesisPutRecords"
 role = "${aws_iam_role.stream_alert_write_role.id}"
 policy = "${data.aws_iam_policy_document.stream_alert_writeonly.json}"
-}
\ No newline at end of file
+}
From c45634363dfd0b6571defe6fd3911eddbb26a06b Mon Sep 17 00:00:00 2001 From: Austin Byers Date: Tue, 13 Feb 2018 19:12:27 -0800 Subject: [PATCH 3/4] Fix S3 permissions for alert processor S3 output --- terraform/modules/tf_stream_alert/iam.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/terraform/modules/tf_stream_alert/iam.tf b/terraform/modules/tf_stream_alert/iam.tf
index cdc8b208d..92e458eb6 100644
--- a/terraform/modules/tf_stream_alert/iam.tf
+++ b/terraform/modules/tf_stream_alert/iam.tf
@@ -233,7 +233,10 @@ resource "aws_iam_role_policy" "streamalert_alert_processor_s3_outputs" {
 "s3:ListBucket"
 ],
 "Effect": "Allow",
- "Resource": "arn:aws:s3:::${element(var.output_s3_buckets, count.index)}"
+ "Resource": [
+ "arn:aws:s3:::${element(var.output_s3_buckets, count.index)}",
+ "arn:aws:s3:::${element(var.output_s3_buckets, count.index)}/*"
+ ]
 }
 ]
 }
From c44a44644b2026e9bf633cc4967cccddb9eba6d3 Mon Sep 17 00:00:00 2001
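Review bot: The new `Resource` list puts the bucket ARN and `bucket/*` under one statement that also carries `s3:ListBucket` together with the object actions listed above the hunk, so the statement no longer shows which action is meant for which ARN; `s3:ListBucket` is a bucket-level action and the object actions only match the `/*` form, so the extra pairings are inert today but become a real widening the moment a bucket-level action such as `s3:GetBucketPolicy` or `s3:PutBucketAcl` is appended to the same list. The conventional shape is two statements, one with `s3:ListBucket` on `arn:aws:s3:::<bucket>` and one with the object actions on `arn:aws:s3:::<bucket>/*`, which also makes policy linters happy. The enclosing `streamalert_alert_processor_s3_outputs` policy and the start of its action list are outside the hunk, so I cannot see whether any bucket-level action besides `ListBucket` is already present.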
From: Austin Byers Date: Wed, 14 Feb 2018 10:56:34 -0800 Subject: [PATCH 4/4] Use different VPC resources, other minor cleanup --- terraform/modules/tf_lambda/README.md | 9 +++- terraform/modules/tf_lambda/iam.tf | 9 +++- terraform/modules/tf_lambda/main.tf | 62 ++++++++++++++++++++---- terraform/modules/tf_lambda/metrics.tf | 9 ++-- terraform/modules/tf_lambda/output.tf | 10 +++- terraform/modules/tf_lambda/variables.tf | 30 ++++++++---- 6 files changed, 99 insertions(+), 30 deletions(-) diff --git a/terraform/modules/tf_lambda/README.md b/terraform/modules/tf_lambda/README.md index 72c3b750a..9ca4722f1 100644 --- a/terraform/modules/tf_lambda/README.md +++ b/terraform/modules/tf_lambda/README.md @@ -54,4 +54,11 @@ data "aws_iam_policy_document" "policy" { } ``` -For a complete list of available options and their descriptions, see [`variables.tf`](variables.tf). \ No newline at end of file +For a complete list of available options and their descriptions, see [`variables.tf`](variables.tf). + +## Outputs +If your Lambda function is in a VPC, `function_vpc_arn` is the ARN of the generated Lambda +function. Otherwise, it will be `function_no_vpc_arn`. (This split is a workaround for a +[Terraform bug](https://github.com/terraform-providers/terraform-provider-aws/issues/443)). + +This module also exports the `role_arn` and `role_id` for the Lambda execution role. \ No newline at end of file diff --git a/terraform/modules/tf_lambda/iam.tf b/terraform/modules/tf_lambda/iam.tf index 19e656dc2..a53aab2d3 100644 --- a/terraform/modules/tf_lambda/iam.tf +++ b/terraform/modules/tf_lambda/iam.tf @@ -1,6 +1,4 @@ data "aws_iam_policy_document" "lambda_execution_policy" { - count = "${var.enabled}" - statement { effect = "Allow" actions = ["sts:AssumeRole"] 
@@ -41,3 +39,10 @@ resource "aws_iam_role_policy" "logs_metrics_policy" {
 role = "${aws_iam_role.role.id}"
 policy = "${data.aws_iam_policy_document.logs_metrics_policy.json}"
 }
+
+// Attach VPC policy (if applicable)
+resource "aws_iam_role_policy_attachment" "vpc_access" {
+ count = "${var.enabled && local.vpc_enabled ? 1 : 0}"
+ role = "${aws_iam_role.role.id}"
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
diff --git a/terraform/modules/tf_lambda/main.tf b/terraform/modules/tf_lambda/main.tf
index c940c6d76..60f24ec48 100644
--- a/terraform/modules/tf_lambda/main.tf
+++ b/terraform/modules/tf_lambda/main.tf
@@ -1,14 +1,20 @@
 // Generic module for any StreamAlert Lambda function.
 // TODO - migrate all Lambda functions and Lambda metric alarms to use this module
 
-resource "aws_lambda_function" "function" {
- count = "${var.enabled}"
+locals {
+ vpc_enabled = "${length(var.vpc_subnet_ids) > 0}"
+}
+
+// Either the function_vpc or the function_no_vpc resource will be used
+resource "aws_lambda_function" "function_vpc" {
+ count = "${var.enabled && local.vpc_enabled ? 1 : 0}"
 function_name = "${var.function_name}"
 description = "${var.description}"
 runtime = "${var.runtime}"
 role = "${aws_iam_role.role.arn}"
 handler = "${var.handler}"
 memory_size = "${var.memory_size_mb}"
+ publish = "${var.auto_publish_versions}"
 timeout = "${var.timeout_sec}"
 s3_bucket = "${var.source_bucket}"
 s3_key = "${var.source_object_key}"
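Review bot: `local.vpc_enabled` is computed from `var.vpc_subnet_ids` alone, so a caller that supplies `vpc_security_group_ids` but forgets the subnets silently gets `function_no_vpc`, no `vpc_access` attachment (iam.tf hunk above uses the same local) and no error, while the reverse mistake, subnets without security groups, reaches the provider and fails there. Since the local is now the single switch for three resources, it deserves a comment stating the rule, e.g. `// VPC placement is decided by subnet IDs only; security groups passed without subnets are ignored`, and ideally the mismatched case should fail loudly rather than deploy a non-VPC function. Which flavour of failure is acceptable depends on how the calling modules are written, which is outside this diff.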
@@ -17,10 +23,45 @@ resource "aws_lambda_function" "function" {
 variables = "${var.environment_variables}"
 }
 
- // Note: If both of these lists are empty, VPC will not be enabled
+ // Empty vpc_config lists are theoretically supported, but it actually breaks subsequent deploys:
+ // https://github.com/terraform-providers/terraform-provider-aws/issues/443
 vpc_config {
- security_group_ids = "${var.vpc_subnet_ids}"
- subnet_ids = "${var.vpc_security_group_ids}"
+ security_group_ids = "${var.vpc_security_group_ids}"
+ subnet_ids = "${var.vpc_subnet_ids}"
+ }
+
+ tags {
+ Name = "${var.name_tag}"
+ }
+
+ // We need VPC access before the function can be created
+ depends_on = ["aws_iam_role_policy_attachment.vpc_access"]
+}
+
+resource "aws_lambda_alias" "production_alias_vpc" {
+ count = "${var.enabled && local.vpc_enabled ? 1 : 0}"
+ name = "production"
+ description = "Production alias for ${var.function_name}"
+ function_name = "${var.function_name}"
+ function_version = "${var.aliased_version == "" ? aws_lambda_function.function_vpc.version : var.aliased_version}"
+ depends_on = ["aws_lambda_function.function_vpc"]
+}
+
+resource "aws_lambda_function" "function_no_vpc" {
+ count = "${var.enabled && !(local.vpc_enabled) ? 1 : 0}"
+ function_name = "${var.function_name}"
+ description = "${var.description}"
+ runtime = "${var.runtime}"
+ role = "${aws_iam_role.role.arn}"
+ handler = "${var.handler}"
+ memory_size = "${var.memory_size_mb}"
+ publish = "${var.auto_publish_versions}"
+ timeout = "${var.timeout_sec}"
+ s3_bucket = "${var.source_bucket}"
+ s3_key = "${var.source_object_key}"
+
+ environment {
+ variables = "${var.environment_variables}"
 }
 
 tags {
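Review bot: `function_no_vpc` repeats every argument of `function_vpc` except `vpc_config` and `depends_on`, so the two resources will drift the first time someone adds an argument (a `source_code_hash`, a `kms_key_arn`, a new tag) to one and not the other, and nothing in the module will flag it. The split is justified by the linked provider issue, but the obligation it creates should be written down at the point where it is easiest to forget: a comment above `resource "aws_lambda_function" "function_no_vpc"`, e.g. `// Keep every argument in sync with function_vpc above; only vpc_config and depends_on may differ`, and the mirror comment on `function_vpc`. Likewise `production_alias_vpc` here and `production_alias_no_vpc` in the next hunk differ only in the referenced resource; the same sync comment applies to them.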
@@ -28,12 +69,13 @@ resource "aws_lambda_function" "function" {
 }
 }
 
-resource "aws_lambda_alias" "production_alias" {
- count = "${var.enabled}"
+resource "aws_lambda_alias" "production_alias_no_vpc" {
+ count = "${var.enabled && !(local.vpc_enabled) ? 1 : 0}"
 name = "production"
- description = "Production alias for ${aws_lambda_function.function.function_name}"
- function_name = "${aws_lambda_function.function.function_name}"
- function_version = "${var.aliased_version == "" ? aws_lambda_function.function.version : var.aliased_version}"
+ description = "Production alias for ${var.function_name}"
+ function_name = "${var.function_name}"
+ function_version = "${var.aliased_version == "" ? aws_lambda_function.function_no_vpc.version : var.aliased_version}"
+ depends_on = ["aws_lambda_function.function_no_vpc"]
 }
 
 resource "aws_cloudwatch_log_group" "lambda_log_group" {
diff --git a/terraform/modules/tf_lambda/metrics.tf b/terraform/modules/tf_lambda/metrics.tf
index 6603a8e5f..b302d4e88 100644
--- a/terraform/modules/tf_lambda/metrics.tf
+++ b/terraform/modules/tf_lambda/metrics.tf
@@ -1,5 +1,5 @@
 resource "aws_cloudwatch_metric_alarm" "lambda_invocation_errors" {
- count = "${var.enabled}"
+ count = "${var.enabled && var.enable_metric_alarms ? 1 : 0}"
 alarm_name = "${var.function_name}_invocation_errors"
 namespace = "AWS/Lambda"
 metric_name = "Errors"
@@ -18,7 +18,7 @@ resource "aws_cloudwatch_metric_alarm" "lambda_invocation_errors" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "lambda_throttles" {
- count = "${var.enabled}"
+ count = "${var.enabled && var.enable_metric_alarms ? 1 : 0}"
 alarm_name = "${var.function_name}_throttles"
 namespace = "AWS/Lambda"
 metric_name = "Throttles"
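Review bot: With `auto_publish_versions` defaulting to `false` and `aliased_version` defaulting to `""`, `aws_lambda_function.function_no_vpc.version` is `$LATEST`, so the `production` alias created here (and `production_alias_vpc` in the previous hunk) points at `$LATEST` by default and silently follows every code upload instead of pinning a reviewed version; the alarms in metrics.tf key on `:production`, so they follow whatever `$LATEST` is too. That may be the intended rollout model for now, but it is the opposite of what a "production" alias usually promises, so say it on the `function_version` line: `// Defaults to $LATEST; pin a published version via aliased_version (requires auto_publish_versions or a manual publish)`. The two metrics.tf hunks on this line only gate the alarms on `enable_metric_alarms` and raise no separate point.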
@@ -36,15 +36,14 @@ resource "aws_cloudwatch_metric_alarm" "lambda_throttles" {
 }
 }
 
-// Lambda: IteratorAge
 resource "aws_cloudwatch_metric_alarm" "streamalert_lambda_iterator_age" {
- count = "${min(var.enabled, var.enable_iterator_age_alarm)}"
+ count = "${var.enabled && var.enable_metric_alarms && var.enable_iterator_age_alarm ? 1 : 0}"
 alarm_name = "${var.function_name}_iterator_age"
 namespace = "AWS/Lambda"
 metric_name = "IteratorAge"
 statistic = "Maximum"
 comparison_operator = "GreaterThanThreshold"
- threshold = "${var.iterator_age_alarm_threshold}"
+ threshold = "${var.iterator_age_alarm_threshold_ms}"
 evaluation_periods = "${var.iterator_age_alarm_evaluation_periods}"
 period = "${var.iterator_age_alarm_period_secs}"
 alarm_description = "StreamAlert Lambda High Iterator Age: ${var.function_name}"
diff --git a/terraform/modules/tf_lambda/output.tf b/terraform/modules/tf_lambda/output.tf
index 18cfa7c1f..25927d3e6 100644
--- a/terraform/modules/tf_lambda/output.tf
+++ b/terraform/modules/tf_lambda/output.tf
@@ -1,5 +1,11 @@
-output "function_arn" {
- value = "${aws_lambda_function.function.arn}"
+// Defined only if the Lambda is in a VPC
+output "function_vpc_arn" {
+ value = "${aws_lambda_function.function_vpc.arn}"
+}
+
+// Defined only if the Lambda is NOT in a VPC
+output "function_no_vpc_arn" {
+ value = "${aws_lambda_function.function_no_vpc.arn}"
 }
 
 output "role_arn" {
diff --git a/terraform/modules/tf_lambda/variables.tf b/terraform/modules/tf_lambda/variables.tf
index 2529838d2..382f13649 100644
--- a/terraform/modules/tf_lambda/variables.tf
+++ b/terraform/modules/tf_lambda/variables.tf
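Review bot: `function_vpc_arn` and `function_no_vpc_arn` each reference `.arn` on a resource that has `count = 0` in the other configuration, and in the Terraform 0.11 syntax used here a plain attribute reference to a zero-count resource is a plan-time error rather than an empty value, so one of the two outputs is likely to break whichever way the module is instantiated — please confirm with a plan in both VPC and non-VPC mode. The usual workaround is a splat joined into a string, `value = "${join("", aws_lambda_function.function_vpc.*.arn)}"`, which yields `""` when the resource is absent; combining both splats the same way would also let the module keep exposing a single `function_arn` as PATCH 1/4 and the README's example expect. The comments "Defined only if ..." describe the intent well but do not by themselves make the reference safe.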
@@ -63,6 +63,11 @@ variable "name_tag" {
 description = "The value for the Name cost tag associated with all applicable components"
 }
 
+variable "auto_publish_versions" {
+ default = false
+ description = "Whether Terraform should automatically publish new versions of the function"
+}
+
 variable "aliased_version" {
 default = ""
 description = "Alias points to this version (or the latest published version if not specified)"
@@ -73,7 +78,12 @@ variable "log_retention_days" {
 description = "CloudWatch logs for the Lambda function will be retained for this many days"
 }
 
-// CloudWatch metric alarms
+// ***** CloudWatch metric alarms *****
+
+variable "enable_metric_alarms" {
+ default = true
+ description = "Enable metric alarms for errors, throttles, and optionally IteratorAge."
+}
 
 variable "alarm_actions" {
 type = "list"
@@ -88,11 +98,11 @@ variable "errors_alarm_threshold" {
 
 variable "errors_alarm_evaluation_periods" {
 default = 1
- description = "Number of periods over which to evaluate the number invocation errors"
+ description = "Consecutive periods the errors threshold must be breached before triggering an alarm"
 }
 
 variable "errors_alarm_period_secs" {
- default = 60
+ default = 120
 description = "Period over which to count the number of invocation errors"
 }
 
@@ -103,11 +113,11 @@ variable "throttles_alarm_threshold" {
 
 variable "throttles_alarm_evaluation_periods" {
 default = 1
- description = "Number of periods over which to evaluate the number of throttles"
+ description = "Consecutive periods the throttles threshold must be breached before triggering an alarm"
 }
 
 variable "throttles_alarm_period_secs" {
- default = 60
+ default = 120
 description = "Period over which to count the number of throttles"
 }
 
@@ -116,17 +126,17 @@ variable "enable_iterator_age_alarm" {
 description = "Enable IteratorAge alarm (applicable only for stream-based invocations like Kinesis)"
 }
 
-variable "iterator_age_alarm_threshold" {
- default = 0
- description = "Alarm if the Lambda IteratorAge exceeds this value in the specified period(s)"
+variable "iterator_age_alarm_threshold_ms" {
+ default = 3600000
+ description = "Alarm if the Lambda IteratorAge (ms) exceeds this value in the specified period(s)"
 }
 
 variable "iterator_age_alarm_evaluation_periods" {
 default = 1
- description = "Number of periods over which to evaluate the IteratorAge"
+ description = "Consecutive periods the IteratorAge threshold must be breached before triggering an alarm"
 }
 
 variable "iterator_age_alarm_period_secs" {
- default = 60
+ default = 120
 description = "Period over which to evaluate the maximum IteratorAge"
 }