diff --git a/computery_stuff/cloudwatch_event_rule_lambda_ansible.md b/computery_stuff/cloudwatch_event_rule_lambda_ansible.md new file mode 100755 index 0000000..18e52fe --- /dev/null +++ b/computery_stuff/cloudwatch_event_rule_lambda_ansible.md 
@@ -0,0 +1,81 @@ +--- +author: Akbar Rahman +date: \today +title: Eventbridge Rule (Cloudwatch Rule) Does Not Invoke Lambda When Configured Through Ansible +tags: + - ansible + - aws + - aws_eventbridge + - aws_lambda + - cloudwatch + - eventbridge + - lambda + - permissions +uuid: df3ca083-b6ae-4e35-bb1c-8b3978117c57 +--- + +# Eventbridge Rule (formerly Cloudwatch Rule) Does Not Invoke Lambda When Configured Through Ansible + +## Problem + +After creating an Eventbridge rule to run a Lambda function with the Ansible module +[`amazon.aws.cloudwatchevent_rule`](https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudwatchevent_rule_module.html), +the rule does not run Lambda function when it should: + +```yaml +- name: "Create lambda function" + register: create_lambda + amazon.aws.lambda: + region: "{{ aws_ec2_region }}" + description: "My Lambda function" + name: "{{ lambda_name }}" + role: "{{ iam_role.iam_role.arn }}" + state: "present" + timeout: 120 + vpc_security_group_ids: "{{ sec_group.group_id }}" + vpc_subnet_ids: "{{ subnet_ids }}" + image_uri: "{{ ecr.repository.repositoryUri }}:latest" +- name: "Schedule my Lambda function" + register: lambda_schedule_rule + amazon.aws.cloudwatchevent_rule: + name: "a_unique_rule_name" + region: "{{ aws_ec2_region }}" + schedule_expression: "rate(1 minute)" + state: "present" + targets: + - arn: "{{ create_lambda.configuration.function_arn }}" + id: "a_unique_id" + input: "{{ eventbridge_rule_lambda_event_input }}" +``` + +Even though creating a seemingly identical setup through the AWS console works fine. + +## Cause + +The Eventbridge rule is not allowed to invoke this Lambda, as it is not in the Lambda's policy. + +## Solution + +Use the +[`amazon.aws.lambda_policy`](https://docs.ansible.com/ansible/latest/collections/amazon/aws/lambda_policy_module.html) +module to allow the Eventbridge rule to invoke the Lambda. 
+Note that, if specifying the Lambda function name to `function_name` (as opposed to the ARN of the +Lambda function), you must specify `version` or otherwise the Lambda function still won't be run! + + +```yaml +- name: "Allow Eventbridge (Cloudwatch) Rules to invoke lambda" + amazon.aws.lambda_policy: + action: "lambda:InvokeFunction" + function_name: "{{ lambda_name }}" + state: "present" + statement_id: "a_unique_statement_id" + region: "{{ aws_ec2_region }}" + principal: "events.amazonaws.com" + source_arn: "{{ lambda_schedule_rule.rule.arn }}" + version: "{{ create_lambda.configuration.version }}" +``` + + +Solution found thanks to @david-kretch's answer to the same question at +.
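Review bot: the attribution in the last line of the hunk is missing its link: "@david-kretch's answer to the same question at ." ends with a dangling "at ." and no URL, so readers cannot follow the reference the Solution section relies on; either add the URL or drop "at" and keep just the credit. A minor consistency point in the same file: the front-matter title says "(Cloudwatch Rule)" while the H1 says "(formerly Cloudwatch Rule)"; pick one wording for both. Otherwise the fix reads correctly: the `lambda_policy` task grants `lambda:InvokeFunction` to `events.amazonaws.com` scoped by `source_arn` to the specific rule ARN rather than to the whole service principal, which is the least-privilege form, and the `version` caveat is clearly called out above the task.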