---
author: Akbar Rahman
date: \today
title: Eventbridge Rule (Cloudwatch Rule) Does Not Invoke Lambda When Configured Through Ansible
tags:
- ansible
- aws
- aws_eventbridge
- aws_lambda
- cloudwatch
- eventbridge
- lambda
- permissions
uuid: df3ca083-b6ae-4e35-bb1c-8b3978117c57
---

# Eventbridge Rule (formerly Cloudwatch Rule) Does Not Invoke Lambda When Configured Through Ansible

## Problem

After creating an Eventbridge rule to run a Lambda function with the Ansible module
[`amazon.aws.cloudwatchevent_rule`](https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudwatchevent_rule_module.html),
the rule does not run the Lambda function when it should:

```yaml
- name: "Create lambda function"
  register: create_lambda
  amazon.aws.lambda:
    region: "{{ aws_ec2_region }}"
    description: "My Lambda function"
    name: "{{ lambda_name }}"
    role: "{{ iam_role.iam_role.arn }}"
    state: "present"
    timeout: 120
    vpc_security_group_ids: "{{ sec_group.group_id }}"
    vpc_subnet_ids: "{{ subnet_ids }}"
    image_uri: "{{ ecr.repository.repositoryUri }}:latest"

- name: "Schedule my Lambda function"
  register: lambda_schedule_rule
  amazon.aws.cloudwatchevent_rule:
    name: "a_unique_rule_name"
    region: "{{ aws_ec2_region }}"
    schedule_expression: "rate(1 minute)"
    state: "present"
    targets:
      # function_arn comes from the registered result of the task above
      - arn: "{{ create_lambda.configuration.function_arn }}"
        id: "a_unique_id"
        input: "{{ eventbridge_rule_lambda_event_input }}"
```

A seemingly identical setup created through the AWS console works fine.

## Cause

The Eventbridge rule is not allowed to invoke this Lambda function: the function's resource-based policy contains no statement granting the rule permission to invoke it.

## Solution

Use the
[`amazon.aws.lambda_policy`](https://docs.ansible.com/ansible/latest/collections/amazon/aws/lambda_policy_module.html)
module to allow the Eventbridge rule to invoke the Lambda function.
Note that, if you pass the Lambda function's name to `function_name` (as opposed to its ARN),
you must also specify `version`, or otherwise the Lambda function still won't be run!

```yaml
- name: "Allow Eventbridge (Cloudwatch) Rules to invoke lambda"
  amazon.aws.lambda_policy:
    action: "lambda:InvokeFunction"
    function_name: "{{ lambda_name }}"
    state: "present"
    statement_id: "a_unique_statement_id"
    region: "{{ aws_ec2_region }}"
    principal: "events.amazonaws.com"
    # scope the permission to this one rule rather than any EventBridge rule
    source_arn: "{{ lambda_schedule_rule.rule.arn }}"
    version: "{{ create_lambda.configuration.version }}"
```
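
To check that the task above actually produced the statement the function needs, the following Python (added here; it is not from the original page or the `amazon.aws` collection) inspects a Lambda resource-based policy of the shape returned in the `Policy` field of `aws lambda get-policy`, a JSON string. It reports whether a given rule ARN is allowed to invoke the function and flags statements with no `aws:SourceArn` condition, which would let any EventBridge rule in any AWS account invoke it (the `source_arn` parameter is what adds that condition). The sample policy documents, ARNs and account ids are constructed placeholders, and the statement layout is modelled on what Lambda's add-permission writes for a service principal.

```python
import fnmatch
import json

EVENTS_PRINCIPAL = "events.amazonaws.com"
INVOKE_ACTION = "lambda:InvokeFunction"

# Constructed placeholders (not from the original page): a function ARN, the
# ARN of the rule that should invoke it, and a rule from another account.
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:111111111111:function:my_lambda"
RULE_ARN = "arn:aws:events:eu-west-1:111111111111:rule/a_unique_rule_name"
OTHER_RULE_ARN = "arn:aws:events:eu-west-1:222222222222:rule/someone_elses_rule"


def _as_list(value):
    """IAM policy fields (Statement, Action, condition values) may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _invoke_statement(sid, source_arn=None):
    """Build a statement shaped like the one Lambda writes for a service principal.
    With source_arn it carries an ArnLike aws:SourceArn condition; without it, it is unscoped."""
    stmt = {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": EVENTS_PRINCIPAL},
        "Action": INVOKE_ACTION,
        "Resource": FUNCTION_ARN,
    }
    if source_arn:
        stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return stmt


def _policy_document(*statements):
    """Serialise like the 'Policy' field of `aws lambda get-policy` (a JSON string)."""
    return json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": list(statements)})


# Constructed sample documents: SCOPED is what a lambda_policy task with source_arn
# produces, UNSCOPED omits source_arn, EMPTY is the state described under "Cause".
SCOPED_POLICY = _policy_document(_invoke_statement("a_unique_statement_id", RULE_ARN))
UNSCOPED_POLICY = _policy_document(_invoke_statement("allow_any_rule"))
EMPTY_POLICY = _policy_document()


def _source_arn_patterns(statement):
    """aws:SourceArn patterns of a statement; empty list when it has none.
    Lambda writes the key as 'AWS:SourceArn', so compare case-insensitively."""
    patterns = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() not in ("arnlike", "arnequals", "stringlike", "stringequals"):
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourcearn":
                patterns.extend(_as_list(value))
    return patterns


def eventbridge_invoke_statements(policy_json):
    """(sid, source_arn_patterns) for every Allow statement that lets the
    EventBridge service principal invoke the function."""
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or EVENTS_PRINCIPAL not in services:
            continue
        if not any(a in (INVOKE_ACTION, "lambda:*", "*") for a in actions):
            continue
        found.append((stmt.get("Sid", "<no sid>"), _source_arn_patterns(stmt)))
    return found


def rule_can_invoke(policy_json, rule_arn):
    """True when some statement grants events.amazonaws.com the invoke action and is
    either unscoped or has an aws:SourceArn pattern matching rule_arn."""
    for _sid, patterns in eventbridge_invoke_statements(policy_json):
        if not patterns or any(fnmatch.fnmatchcase(rule_arn, p) for p in patterns):
            return True
    return False


def unscoped_statement_ids(policy_json):
    """Sids of statements that let any EventBridge rule in any AWS account invoke the
    function, because they carry no aws:SourceArn condition (aws:SourceAccount is ignored here)."""
    return [sid for sid, patterns in eventbridge_invoke_statements(policy_json) if not patterns]


if __name__ == "__main__":
    for label, doc in (("scoped", SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY), ("empty", EMPTY_POLICY)):
        print(f"{label}: our rule can invoke={rule_can_invoke(doc, RULE_ARN)}, "
              f"other account's rule can invoke={rule_can_invoke(doc, OTHER_RULE_ARN)}, "
              f"unscoped sids={unscoped_statement_ids(doc)}")
```

To run it against a real function, feed `rule_can_invoke` the `Policy` string from `aws lambda get-policy --function-name <name>` and the `rule.arn` returned by the `cloudwatchevent_rule` task. The empty document reproduces the symptom from the Problem section (the rule is not allowed), the scoped document is the intended end state, and anything reported by `unscoped_statement_ids` is a permission broader than the rule needs.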

Solution found thanks to @david-kretch's answer to the same question at
<https://stackoverflow.com/questions/45282939/cloudwatch-event-rule-creation-via-ansible-succeeds-but-not-invoked>.