18

I need to enable "CloudWatch Lambda Insights" for a lambda using Terraform, but could not find the documentation. How I can do it in Terraform?

Note: This question How to add CloudWatch Lambda Insights to serverless config? may be relevant.

Jens
  • 20,533
  • 11
  • 60
  • 86
onkami
  • 8,791
  • 17
  • 90
  • 176

3 Answers3

20

There is no "boolean switch" in the aws_lambda_function resource of the AWS Terraform provider that you can set to true, that would enable Cloudwatch Lambda Insights.

Fortunately, it is possible to do this yourself. The following Terraform definitions are based on this AWS documentation: Using the AWS CLI to enable Lambda Insights on an existing Lambda function

The process involves two steps:

  1. Add a layer to your Lambda
  2. Attach a AWS policy to your Lambdas role.

The Terraform definitions would look like this:

resource "aws_lambda_function" "insights_example" {
  [...]

  layers = [
    "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:14"
  ]
}

resource "aws_iam_role_policy_attachment" "insights_policy" {
  role       = aws_iam_role.insights_example.id
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
}

Important: The arn of the layer is different for each region. The documentation I linked above has a link to a list of them. Furthermore, there is an additional step required if your Lambda is in a VPC, which you can read about in the documentation. The described "VPC step" can be put into Terraform as well.

For future readers: The version of that layer in my example is 14. This will change over time. So please do not just copy & paste that part. Follow the provided links and look for the current version of that layer.

Minimal, Complete, and Verifiable example

Tested with:

Terraform v0.14.4
+ provider registry.terraform.io/hashicorp/archive v2.0.0
+ provider registry.terraform.io/hashicorp/aws v3.24.0

Create the following two files (handler.py and main.tf) in a folder. Then run the following commands:

  1. terraform init
  2. terraform plan
  3. terraform apply

Besides deploying the required resources, it will also create a zip archive containing the handler.py which is the deployment artifact used by the aws_lambda_function resource. So this is an all-in-one example without the need of further zipping etc.

handler.py

def lambda_handler(event, context):
    return { 
        'message' : 'CloudWatch Lambda Insights Example'
    }

main.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_lambda_function" "insights_example" {
  function_name = "insights-example"
  runtime       = "python3.8"
  handler       = "handler.lambda_handler"
  role          = aws_iam_role.insights_example.arn
  filename      = "${path.module}/lambda.zip"

  layers = [
    "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:14"
  ]

  depends_on = [
    data.archive_file.insights_example
  ]
}

resource "aws_iam_role" "insights_example" {
  name               = "InsightsExampleLambdaRole"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

resource "aws_iam_role_policy_attachment" "insights_example" {
  role       = aws_iam_role.insights_example.id
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy_attachment" "insights_policy" {
  role       = aws_iam_role.insights_example.id
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
}

data "aws_iam_policy_document" "lambda_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

data "archive_file" "insights_example" {
  type        = "zip"
  source_file = "${path.module}/handler.py"
  output_path = "${path.module}/lambda.zip"
}
Jens
  • 20,533
  • 11
  • 60
  • 86
  • 1
    You could replace the hard-coding of the ARN of the layer with the [`aws_lambda_layer_version` data source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lambda_layer_version). – ydaetskcoR Jan 15 '21 at 15:11
  • 1
    @ydaetskcoR I checked the documentation and I don't know if that is possible. Although, the documentation is very thin. But the version data source does not allow to specify a `arn` to use etc. It only appears to make sense with the `resource` with the same name. But that requires _you_ to provide the layer. So as far as I can tell, you can not create a `aws_lambda_layer_version` data source from an existing arn. Can you provide an example? – Jens Jan 15 '21 at 15:34
  • 1
    I haven't actually used it but I expect you'd call it with `layer_name = LambdaInsightsExtension` and then potentially also set `compatible_runtime = "python3.8"` to match the runtime of the Lambda function. If you didn't set `compatible_runtime` then eventually you might end up with the latest `LambdaInsightsExtension` layer no longer supporting the `python3.8` runtime at some point in the future. I'd probably extract that to a local or a variable though and use it in both places. – ydaetskcoR Jan 15 '21 at 15:41
  • 1
    @ydaetskcoR If you just set `LambdaInsightsExtension` as `layer_name`, where is the information about region and account id coming from? I tried a few things with my example above, but did not get it to work. I was never able to point to that specific `arn`. – Jens Jan 15 '21 at 15:49
  • 2
    Ah yeah I just tried using the AWS CLI to list it but it doesn't return anything even though you can see it with `aws lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-2:580247275435:layer:LambdaInsightsExtension:14 --region us-east-2`. Unfortunately it doesn't look like the API accepts any way of taking the account ID either so there's not a current way to do this. Looks like I was wrong there, sorry :/ – ydaetskcoR Jan 15 '21 at 16:15
2

In case you are using container images as the deployment package for your Lambda function, the required steps to enable CloudWatch Lambda Insights are slightly different (since Lambda layers can't be used here):

  1. attach the arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy to your functions role as described by Jens
  2. Add the Lambda Insights extension to your container image
FROM public.ecr.aws/lambda/nodejs:12

RUN curl -O https://lambda-insights-extension.s3-ap-northeast-1.amazonaws.com/amazon_linux/lambda-insights-extension.rpm && \
    rpm -U lambda-insights-extension.rpm && \
    rm -f lambda-insights-extension.rpm

COPY app.js /var/task/

see documentation for details

Moritz Zimmer
  • 21
  • 4
2

Based off @jens' answer, here's a snippet that will automatically supply the correct LambdaInsightsExtension layer based on the current region:

data "aws_region" "current" {}

locals {
  aws_region = data.aws_region.current.name
  # List taken from https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsx86-64.html
  lambdaInsightsLayers = {
    "us-east-1" : "arn:aws:lambda:us-east-1:580247275435:layer:LambdaInsightsExtension:18",
    "us-east-2" : "arn:aws:lambda:us-east-2:580247275435:layer:LambdaInsightsExtension:18",
    "us-west-1" : "arn:aws:lambda:us-west-1:580247275435:layer:LambdaInsightsExtension:18",
    "us-west-2" : "arn:aws:lambda:us-west-2:580247275435:layer:LambdaInsightsExtension:18",
    "af-south-1" : "arn:aws:lambda:af-south-1:012438385374:layer:LambdaInsightsExtension:11",
    "ap-east-1" : "arn:aws:lambda:ap-east-1:519774774795:layer:LambdaInsightsExtension:11",
    "ap-south-1" : "arn:aws:lambda:ap-south-1:580247275435:layer:LambdaInsightsExtension:18",
    "ap-northeast-3" : "arn:aws:lambda:ap-northeast-3:194566237122:layer:LambdaInsightsExtension:1",
    "ap-northeast-2" : "arn:aws:lambda:ap-northeast-2:580247275435:layer:LambdaInsightsExtension:18",
    "ap-southeast-1" : "arn:aws:lambda:ap-southeast-1:580247275435:layer:LambdaInsightsExtension:18",
    "ap-southeast-2" : "arn:aws:lambda:ap-southeast-2:580247275435:layer:LambdaInsightsExtension:18",
    "ap-northeast-1" : "arn:aws:lambda:ap-northeast-1:580247275435:layer:LambdaInsightsExtension:25",
    "ca-central-1" : "arn:aws:lambda:ca-central-1:580247275435:layer:LambdaInsightsExtension:18",
    "eu-central-1" : "arn:aws:lambda:eu-central-1:580247275435:layer:LambdaInsightsExtension:18",
    "eu-west-1" : "arn:aws:lambda:eu-west-1:580247275435:layer:LambdaInsightsExtension:18",
    "eu-west-2" : "arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension:18",
    "eu-south-1" : "arn:aws:lambda:eu-south-1:339249233099:layer:LambdaInsightsExtension:11",
    "eu-west-3" : "arn:aws:lambda:eu-west-3:580247275435:layer:LambdaInsightsExtension:18",
    "eu-north-1" : "arn:aws:lambda:eu-north-1:580247275435:layer:LambdaInsightsExtension:18",
    "me-south-1" : "arn:aws:lambda:me-south-1:285320876703:layer:LambdaInsightsExtension:11",
    "sa-east-1" : "arn:aws:lambda:sa-east-1:580247275435:layer:LambdaInsightsExtension:18"
  }
}

resource "aws_lambda_function" "my_lambda" {
  ...

  layers = [
    local.lambdaInsightsLayers[local.aws_region]
  ]
}

resource "aws_iam_role_policy_attachment" "insights_policy" {
  role       = aws_iam_role.my_lambda.id
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
}
Etienne Martin
  • 10,018
  • 3
  • 35
  • 47