add note on cloudwatch event rules via ansible

2025-02-12 14:09:35 +00:00 · 2025-02-12 14:09:35 +00:00 · 1b95f46544
commit 1b95f46544
parent a4b13fb71e
1 changed files with 81 additions and 0 deletions
--- a/computery_stuff/cloudwatch_event_rule_lambda_ansible.md
+++ b/computery_stuff/cloudwatch_event_rule_lambda_ansible.md
@ -0,0 +1,81 @@
+---
+author: Akbar Rahman
+date: \today
+title: Eventbridge Rule (Cloudwatch Rule) Does Not Invoke Lambda When Configured Through Ansible
+tags:
+  - ansible
+  - aws
+  - aws_eventbridge
+  - aws_lambda
+  - cloudwatch
+  - eventbridge
+  - lambda
+  - permissions
+uuid: df3ca083-b6ae-4e35-bb1c-8b3978117c57
+---
+
+# Eventbridge Rule (formerly Cloudwatch Rule) Does Not Invoke Lambda When Configured Through Ansible
+
+## Problem
+
+After creating an Eventbridge rule to run a Lambda function with the Ansible module
+[`amazon.aws.cloudwatchevent_rule`](https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudwatchevent_rule_module.html),
+the rule does not run Lambda function when it should:
+
+```yaml
+- name: "Create lambda function"
+  register: create_lambda
+  amazon.aws.lambda:
+    region: "{{ aws_ec2_region }}"
+    description: "My Lambda function"
+    name: "{{ lambda_name }}"
+    role: "{{ iam_role.iam_role.arn }}"
+    state: "present"
+    timeout: 120
+    vpc_security_group_ids: "{{ sec_group.group_id }}"
+    vpc_subnet_ids: "{{ subnet_ids }}"
+    image_uri: "{{ ecr.repository.repositoryUri }}:latest"
+- name: "Schedule my Lambda function"
+  register: lambda_schedule_rule
+  amazon.aws.cloudwatchevent_rule:
+    name: "a_unique_rule_name"
+    region: "{{ aws_ec2_region }}"
+    schedule_expression: "rate(1 minute)"
+    state: "present"
+    targets:
+      - arn: "{{ create_lambda.configuration.function_arn }}"
+        id: "a_unique_id"
+        input: "{{ eventbridge_rule_lambda_event_input }}"
+```
+
+Even though creating a seemingly identical setup through the AWS console works fine.
+
+## Cause
+
+The Eventbridge rule is not allowed to invoke this Lambda, as it is not in the Lambda's policy.
+
+## Solution
+
+Use the
+[`amazon.aws.lambda_policy`](https://docs.ansible.com/ansible/latest/collections/amazon/aws/lambda_policy_module.html)
+module to allow the Eventbridge rule to invoke the Lambda.
+Note that, if specifying the Lambda function name to `function_name` (as opposed to the ARN of the
+Lambda function), you must specify `version` or otherwise the Lambda function still won't be run!
+
+
+```yaml
+- name: "Allow Eventbridge (Cloudwatch) Rules to invoke lambda"
+  amazon.aws.lambda_policy:
+    action: "lambda:InvokeFunction"
+    function_name: "{{ lambda_name }}"
+    state: "present"
+    statement_id: "a_unique_statement_id"
+    region: "{{ aws_ec2_region }}"
+    principal: "events.amazonaws.com"
+    source_arn: "{{ lambda_schedule_rule.rule.arn }}"
+    version: "{{ create_lambda.configuration.version }}"
+```
+
+
+Solution found thanks to @david-kretch's answer to the same question at
+<https://stackoverflow.com/questions/45282939/cloudwatch-event-rule-creation-via-ansible-succeeds-but-not-invoked>.