Repository of lambda functions that process aws log streams and send data to datadog
This project contains lambda functions to be used to process aws log streams and send data to datadog, along with some small tools to easily update these lambda functions in a dev environment.
The development process is to have a lambda function based on a zip file hosted on amazon s3. To publish a new version of the function, one updates the zip file, pushes it to s3, and updates the lambda function.
Each lambda function will retrieve datadog api keys from KMS.
-
install awscli
pip install awscliYou'll need write access to a s3 bucket, and to be able to call
lambda:UpdateFunctionCode -
Generate
base.ziprake build-basebase.zipcontains datadogpy and it's dependencies.
- Create a KMS key for the datadog api key and app key
- Create a KMS key - http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
- Encrypt the token using the AWS CLI.
aws kms encrypt --key-id alias/<KMS key name> --plaintext '{"api_key":"<dd_api_key>", "app_key":"<dd_app_key>"}' - Copy the base-64 encoded, encrypted key (CiphertextBlob) to the KMS_ENCRYPTED_KEYS variable.
- Create and configure a lambda function
-
In the AWS Console, create a
lambda_executionpolicy, with the following policy:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": [ "<KMS ARN>" ] } ] } -
Create a
lambda_executionrole and attach this policy -
Create a lambda function named
functionname, withmain.send_metricas the handler, and thelambda_executionrole. -
Subscribe to the appropriate log stream
- Initialize the function folder
rake init[functionname]
-
Double check that the KMS secret in
main.pyis up to date -
Update the function
rake push[functionname,bucket]