
Commit

update custom lambda to fix cds-1690
guyrenny committed Nov 19, 2024
1 parent 290c204 commit e2fcf4f
Showing 3 changed files with 55 additions and 24 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,7 @@

## v1.0.16 / 2024-11-09
### 🧰 Bug fixes 🧰
- cds-1690 - Fixed a bug that when you update cloudwatch log group for an existing integraiotn from the CF the stack will fail.
- cds-1670 - Fixed a bug where Kinesis Integration was not correctly checking for Cloudwatch Formatted Logs in payload.

## v1.0.15 / 2024-11-09
76 changes: 52 additions & 24 deletions custom-resource/index.py
@@ -1,5 +1,6 @@
import json
import boto3
import os
import json, time, boto3, time
from urllib import request, parse, error
import functools
Expand Down Expand Up @@ -402,11 +403,13 @@ def __init__(self, event, context, cfn):
@handle_exceptions
def create(self):
lambda_arn = self.event['ResourceProperties']['LambdaArn']
custom_lambda_arn = os.environ['AWS_LAMBDA_FUNCTION_NAME']
region = self.context.invoked_function_arn.split(":")[3]
account_id = self.context.invoked_function_arn.split(":")[4]
logGroupNames = self.params.CloudWatchLogGroupName.split(',')
LambdaPremissionPrefix = self.params.CloudWatchLogGroupPrefix.split(',')

environment_variables = {'log_groups': self.params.CloudWatchLogGroupName}
self.update_custom_lambda_environment_variables(custom_lambda_arn, environment_variables)
if LambdaPremissionPrefix and LambdaPremissionPrefix != [""]:
for prefix in LambdaPremissionPrefix:
replaced_prefix = self.check_statmentid_length(prefix)
Expand All @@ -429,13 +432,16 @@ def create(self):
if not LambdaPremissionPrefix or LambdaPremissionPrefix == [""]:
if not response.get("subscriptionFilters") or response.get("subscriptionFilters")[0].get("destinationArn") != lambda_arn:
replaced_prefix = self.check_statmentid_length(log_group)
response = self.aws_lambda.add_permission(
FunctionName=lambda_arn,
StatementId=f'allow-trigger-from-{replaced_prefix.replace("/", "-")}',
Action='lambda:InvokeFunction',
Principal='logs.amazonaws.com',
SourceArn=f'arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*',
)
try:
response = self.aws_lambda.add_permission(
FunctionName=lambda_arn,
StatementId=f'allow-trigger-from-{replaced_prefix.replace("/", "-")}',
Action='lambda:InvokeFunction',
Principal='logs.amazonaws.com',
SourceArn=f'arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*',
)
except Exception as e:
print("assuming permission already exists: ", str(e))
time.sleep(1)
self.cloudwatch_logs.put_subscription_filter(
destinationArn=self.event['ResourceProperties']['LambdaArn'],
Expand All @@ -450,8 +456,45 @@ def check_statmentid_length(self, statmentid_prefix):
updated_prefix = statmentid_prefix[:65] + statmentid_prefix[-5:]
return updated_prefix

def update_custom_lambda_environment_variables(self, function_name, new_environment_variables):
self.aws_lambda.update_function_configuration(
FunctionName=function_name,
Environment={
'Variables': new_environment_variables
}
)

def remove_subscription_filter(self, log_group, lambda_arn):
response = self.cloudwatch_logs.describe_subscription_filters(logGroupName=log_group)
lambda_arn = self.event['ResourceProperties']['LambdaArn']
LambdaPremissionPrefix = self.params.CloudWatchLogGroupPrefix.split(',')
for filter in response['subscriptionFilters']:
if filter['filterName'] == f'coralogix-aws-shipper-cloudwatch-trigger-{lambda_arn[-4:]}':
self.cloudwatch_logs.delete_subscription_filter(
filterName=f'coralogix-aws-shipper-cloudwatch-trigger-{lambda_arn[-4:]}',
logGroupName=log_group
)
if not LambdaPremissionPrefix:
replaced_prefix = self.check_statmentid_length(log_group)
response = self.aws_lambda.remove_permission(
FunctionName=lambda_arn,
StatementId=f'allow-trigger-from-{replaced_prefix.replace("/", "-")}'
)

@handle_exceptions
def update(self):
custom_lambda_name = os.environ['AWS_LAMBDA_FUNCTION_NAME']
new_log_group_names = self.params.CloudWatchLogGroupName.split(',')
new_environment_variables = {'log_groups': self.params.CloudWatchLogGroupName}

old_log_group_names = os.environ.get('log_groups').split(',')
for old_log_group in old_log_group_names:
if old_log_group not in new_log_group_names:
self.remove_subscription_filter(old_log_group, custom_lambda_name)

self.update_custom_lambda_environment_variables(custom_lambda_name, new_environment_variables)
self.create()

err = self.delete()
if err:
raise Exception(err)
Expand All @@ -461,24 +504,9 @@ def update(self):
@handle_exceptions
def delete(self):
lambda_arn = self.event['ResourceProperties']['LambdaArn']
region = self.context.invoked_function_arn.split(":")[3]
account_id = self.context.invoked_function_arn.split(":")[4]
logGroupNames = self.params.CloudWatchLogGroupName.split(',')
LambdaPremissionPrefix = self.params.CloudWatchLogGroupPrefix.split(',')
for log_group in logGroupNames:
response = self.cloudwatch_logs.describe_subscription_filters(logGroupName=log_group)
for filter in response['subscriptionFilters']:
if filter['filterName'] == f'coralogix-aws-shipper-cloudwatch-trigger-{lambda_arn[-4:]}':
self.cloudwatch_logs.delete_subscription_filter(
filterName=f'coralogix-aws-shipper-cloudwatch-trigger-{lambda_arn[-4:]}',
logGroupName=log_group
)
if not LambdaPremissionPrefix:
replaced_prefix = self.check_statmentid_length(log_group)
response = self.aws_lambda.remove_permission(
FunctionName=lambda_arn,
StatementId=f'allow-trigger-from-{replaced_prefix.replace("/", "-")}'
)
self.remove_subscription_filter(log_group, lambda_arn)

def handle(self):
responseStatus = self.cfn.SUCCESS
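Review bot: The `except Exception as e` wrapped around `add_permission` in `create` treats every failure — AccessDeniedException, throttling, a malformed SourceArn — as "permission already exists", prints it and goes on to `put_subscription_filter` with no invoke permission ever granted; narrow it to the duplicate-statement case, `except self.aws_lambda.exceptions.ResourceConflictException:`, and let any other error propagate as it did before this change. In `update`, `os.environ.get('log_groups').split(',')` raises AttributeError whenever the variable is absent, which is the case on the first update of a stack created before `create` started writing it; `old_log_group_names = [g for g in os.environ.get('log_groups', '').split(',') if g]` handles both the missing and the empty value. `update_custom_lambda_environment_variables` passes `Environment={'Variables': new_environment_variables}`, which replaces the function's whole environment, so any other variable set on the custom-resource function is dropped; the newly granted `lambda:GetFunctionConfiguration` suggests reading the current `Variables` and merging `log_groups` into them, but no such call appears in the diff. `remove_subscription_filter` ignores its `lambda_arn` parameter (it is reassigned from the event on the next line), so the `custom_lambda_name` that `update` passes in is dead and the parameter can be dropped or honoured. The body of `update` continues past the end of the hunk.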
2 changes: 2 additions & 0 deletions template.yaml
Expand Up @@ -1197,6 +1197,8 @@ Resources:
- lambda:CreateEventSourceMapping
- lambda:DeleteEventSourceMapping
- lambda:UpdateEventSourceMapping
- lambda:GetFunctionConfiguration
- lambda:UpdateFunctionConfiguration
Resource: '*'
- Statement:
- Sid: S3NotificationPolicy
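Review bot: `lambda:UpdateFunctionConfiguration` is added to a statement whose `Resource` is `'*'`, which lets the custom-resource role rewrite the environment — and therefore the behaviour — of every Lambda function in the account, while the accompanying code only ever targets its own function via `AWS_LAMBDA_FUNCTION_NAME`. Move the two new actions into their own statement scoped to that one function, e.g. `Resource: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:<CUSTOM_RESOURCE_FUNCTION_NAME placeholder>'`, so a compromised or buggy custom resource cannot alter other functions. `lambda:GetFunctionConfiguration` is granted but not called anywhere in the visible diff; if it is not needed it should be left out.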
