mirror of https://github.com/hashicorp/consul
Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>pull/14779/head
parent
70865aa0d6
commit
6a7cda41a6
|
@ -8,7 +8,7 @@ description: >-
|
||||||
|
|
||||||
# AWS Lambda Overview
|
# AWS Lambda Overview
|
||||||
|
|
||||||
You can configure Consul to allow services in your mesh to invoke Lambda functions, as well as allow Lambda functions to invoke services in your mesh. Lambda functions are programs or scripts that run in AWS Lambda. Refer to the AWS [Lambda website](https://aws.amazon.com/lambda/) for additional information.
|
You can configure Consul to allow services in your mesh to invoke Lambda functions, as well as allow Lambda functions to invoke services in your mesh. Lambda functions are programs or scripts that run in AWS Lambda. Refer to the [AWS Lambda website](https://aws.amazon.com/lambda/) for additional information.
|
||||||
|
|
||||||
## Register Lambda functions into Consul
|
## Register Lambda functions into Consul
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@ Refer to [Lambda Function Registration Requirements](/docs/lambda/registration/i
|
||||||
|
|
||||||
## Invoke Lambda functions from Consul service mesh
|
## Invoke Lambda functions from Consul service mesh
|
||||||
|
|
||||||
After registering AWS Lambda functions, you can invoke Lambda functions from the Consul service mesh through terminating gateways (recommended) or directly from connect proxies.
|
After registering AWS Lambda functions, you can invoke Lambda functions from the Consul service mesh through terminating gateways (recommended) or directly from connected proxies.
|
||||||
|
|
||||||
Refer to [Invoke Lambda Functions from Services](/docs/lambda/invocation) for details.
|
Refer to [Invoke Lambda Functions from Services](/docs/lambda/invocation) for details.
|
||||||
|
|
||||||
|
|
|
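Review bot: the right-hand line changes "connect proxies" to "connected proxies", which alters the meaning rather than fixing grammar. In Consul a connect proxy is the sidecar proxy kind (`connect-proxy`) that runs next to a service; "connected proxies" reads as any proxy that happens to have a connection. Suggest keeping the product term, e.g. "directly from Connect sidecar proxies".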
@ -16,7 +16,7 @@ This topic describes how to invoke services in the mesh from Lambda functions re
|
||||||
The following steps describe the process:
|
The following steps describe the process:
|
||||||
|
|
||||||
1. Deploy the destination service and mesh gateway.
|
1. Deploy the destination service and mesh gateway.
|
||||||
1. Deploy the Lambda extension layer
|
1. Deploy the Lambda extension layer.
|
||||||
1. Deploy the Lambda registrator.
|
1. Deploy the Lambda registrator.
|
||||||
1. Write the Lambda function code.
|
1. Write the Lambda function code.
|
||||||
1. Deploy the Lambda function.
|
1. Deploy the Lambda function.
|
||||||
|
@ -86,7 +86,7 @@ spec:
|
||||||
|
|
||||||
The mesh gateway must be running and registered to the Lambda function’s Consul datacenter. Refer to the following documentation and tutorials for instructions:
|
The mesh gateway must be running and registered to the Lambda function’s Consul datacenter. Refer to the following documentation and tutorials for instructions:
|
||||||
|
|
||||||
- (Mesh Gateways between Datacenters)(/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters)
|
- [Mesh Gateways between Datacenters](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters)
|
||||||
- [Mesh Gateways between Admin Partitions](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions)
|
- [Mesh Gateways between Admin Partitions](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions)
|
||||||
- [Mesh Gateways between Peered Clusters](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-peers)
|
- [Mesh Gateways between Peered Clusters](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-peers)
|
||||||
- [Connect Services Across Datacenters with Mesh Gateways](https://developer.hashicorp.com/consul/tutorials/developer-mesh/service-mesh-gateways)
|
- [Connect Services Across Datacenters with Mesh Gateways](https://developer.hashicorp.com/consul/tutorials/developer-mesh/service-mesh-gateways)
|
||||||
|
@ -97,7 +97,7 @@ The `consul-lambda-extension` extension runs during the `Init` phase of the Lamb
|
||||||
|
|
||||||
The extension periodically retrieves the data from the AWS Parameter Store so that the function can process requests. When the Lambda function receives a shutdown event, the extension also stops.
|
The extension periodically retrieves the data from the AWS Parameter Store so that the function can process requests. When the Lambda function receives a shutdown event, the extension also stops.
|
||||||
|
|
||||||
1. Download the `consul-lambda-extension` extension from releases.hashicorp.com:
|
1. Download the `consul-lambda-extension` extension from [releases.hashicorp.com](https://releases.hashicorp.com/):
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
curl -o consul-lambda-extension_<version>_linux_amd64.zip https://releases.hashicorp.com/consul-lambda/<version>/consul-lambda-extension_<version>_linux_amd64.zip
|
curl -o consul-lambda-extension_<version>_linux_amd64.zip https://releases.hashicorp.com/consul-lambda/<version>/consul-lambda-extension_<version>_linux_amd64.zip
|
||||||
|
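Review bot: the new link points at the root of releases.hashicorp.com while the curl command below downloads from the `consul-lambda/<version>/` path, so linking `https://releases.hashicorp.com/consul-lambda/` would take the reader straight to the release listing. Separately, the step downloads the extension zip with no integrity check; consider adding a line that verifies the archive against the SHA256SUMS file HashiCorp publishes alongside each release before it is packaged as a Lambda layer.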
@ -247,8 +247,7 @@ func main() {
|
||||||
|
|
||||||
</CodeBlockConfig>
|
</CodeBlockConfig>
|
||||||
|
|
||||||
1. Issue the `terraform apply` command and Consul automatically configures a service for the Lambda function.
|
1. Run the `terraform apply` command and Consul automatically configures a service for the Lambda function.
|
||||||
|
|
||||||
|
|
||||||
### Lambda extension configuration
|
### Lambda extension configuration
|
||||||
|
|
||||||
|
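Review bot: "Run the `terraform apply` command and Consul automatically configures a service for the Lambda function" joins the command and its effect into one clause, so cause and effect read oddly. Suggest two sentences: "Run `terraform apply`. Consul automatically configures a service for the Lambda function."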
@ -267,7 +266,7 @@ Define the following environment variables in your Lambda functions to configure
|
||||||
|
|
||||||
If _intentions_ are enabled in the Consul service mesh, you must create an intention that allows the Lambda function's Consul service to invoke all upstream services prior to invoking the Lambda function. Refer to [Service Mesh Intentions](/docs/connect/intentions) for additional information.
|
If _intentions_ are enabled in the Consul service mesh, you must create an intention that allows the Lambda function's Consul service to invoke all upstream services prior to invoking the Lambda function. Refer to [Service Mesh Intentions](/docs/connect/intentions) for additional information.
|
||||||
|
|
||||||
There are several ways to invoke Lambda functions. In the following example, the `aws lambda invoke` CLI command invokes the function.:
|
There are several ways to invoke Lambda functions. In the following example, the `aws lambda invoke` CLI command invokes the function:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ aws lambda invoke --function-name lambda /dev/stdout | cat
|
$ aws lambda invoke --function-name lambda /dev/stdout | cat
|
||||||
|
|
|
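Review bot: the unchanged intentions sentence says the intention must allow the Lambda function's Consul service "to invoke all upstream services", which can be read as a blanket allow-all rule. Since the requirement is an allow intention for each upstream the function actually calls, suggest "to invoke each of its upstream services" so readers scope intentions to the needed destinations instead of opening the function to everything.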
@ -25,7 +25,6 @@ Scheduled events fully synchronize functions between Lambda and Consul to preven
|
||||||
|
|
||||||
The following diagram shows the flow of events from EventBridge into Consul:
|
The following diagram shows the flow of events from EventBridge into Consul:
|
||||||
|
|
||||||
|
|
||||||
<ImageConfig width={500}>
|
<ImageConfig width={500}>
|
||||||
|
|
||||||
![Lambda Registrator Architecture](/img/lambda_registrator_architecture.svg)
|
![Lambda Registrator Architecture](/img/lambda_registrator_architecture.svg)
|
||||||
|
@ -43,11 +42,13 @@ Verify that your environment meets the requirements specified in [Lambda Functio
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
The Lambda registrator stores data in the AWS parameter store. You can configure the type of data stored and how to store it.
|
The Lambda registrator stores data in the AWS Parameter Store. You can configure the type of data stored and how to store it.
|
||||||
|
|
||||||
### Optional: Store the CA certificate in Parameter Store
|
### Optional: Store the CA certificate in Parameter Store
|
||||||
|
|
||||||
When Lambda registrator makes a request to Consul's [HTTP API](/api-docs) over HTTPS and the Consul API is signed by a custom CA, Lambda registrator uses the CA certificate stored in AWS Parameter Store (refer to the [Parameter Store documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) for additional information) to verify the authenticity of the Consul API. You can apply the following Terraform configuration to store Consul's server CA in Parameter Store:
|
When Lambda registrator makes a request to Consul's [HTTP API](/api-docs) over HTTPS and the Consul API is signed by a custom CA, Lambda registrator uses the CA certificate stored in AWS Parameter Store to verify the authenticity of the Consul API. Refer to the [Parameter Store documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) for additional information.
|
||||||
|
|
||||||
|
You can apply the following Terraform configuration to store Consul's server CA in Parameter Store:
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
resource "aws_ssm_parameter" "ca-cert" {
|
resource "aws_ssm_parameter" "ca-cert" {
|
||||||
|
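Review bot: "the Consul API is signed by a custom CA" in the rewritten paragraph is imprecise; it is the TLS certificate presented by the Consul API that is signed, and that certificate is what the stored CA verifies. Suggest "when the Consul API's TLS certificate is signed by a custom CA, Lambda registrator uses the CA certificate stored in AWS Parameter Store to verify it". The `consul_ca_cert_path` table row later in this commit uses the same phrasing and would need the same fix.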
@ -73,7 +74,7 @@ If [Consul access control lists (ACLs)](/docs/security/acl) are enabled, Lambda
|
||||||
|
|
||||||
</CodeBlockConfig>
|
</CodeBlockConfig>
|
||||||
|
|
||||||
1. Issue `consul acl policy create` command to create the policy. The following example creates a policy called `lambda-registrator-policy` containing permissions specified in `rules.hcl`:
|
1. Run `consul acl policy create` to create the policy. The following example creates a policy called `lambda-registrator-policy` containing permissions specified in `rules.hcl`:
|
||||||
```shell-session
|
```shell-session
|
||||||
$ consul acl policy create -name "lambda-registrator-policy" -rules @rules.hcl
|
$ consul acl policy create -name "lambda-registrator-policy" -rules @rules.hcl
|
||||||
```
|
```
|
||||||
|
@ -102,7 +103,6 @@ Lambda registrator encrypts and stores all data for Lambda functions in the AWS
|
||||||
|
|
||||||
The registrator also requires the following IAM permissions to access the parameter store:
|
The registrator also requires the following IAM permissions to access the parameter store:
|
||||||
|
|
||||||
|
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"Version": "2012-10-17",
|
"Version": "2012-10-17",
|
||||||
|
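Review bot: "to access the parameter store" on the unchanged context line above the JSON block is lowercase, while this commit capitalizes "Parameter Store" in the Lambda registrator configuration paragraph. The line is already in the hunk's context, so it could be made consistent here: "to access Parameter Store".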
@ -120,17 +120,17 @@ The registrator also requires the following IAM permissions to access the parame
|
||||||
|
|
||||||
| Name | Description |
|
| Name | Description |
|
||||||
| - | - |
|
| - | - |
|
||||||
| `name` | Specifies the name name of the Lambda function associated with the Lambda registrator. The name is also used to construct the Identity and Access Management (IAM) role and policy names used by the Lambda function. |
|
| `name` | Specifies the name of the Lambda function associated with the Lambda registrator. The name is also used to construct the Identity and Access Management (IAM) role and policy names used by the Lambda function. |
|
||||||
| `sync_frequency_in_minutes` | Specifies the interval in minutes that EventBridge uses to trigger a full synchronization. Default is `10`. |
|
| `sync_frequency_in_minutes` | Specifies the interval in minutes that EventBridge uses to trigger a full synchronization. Default is `10`. |
|
||||||
| `timeout` | The maximum number of seconds Lambda registrator can run per invocation before timing out. |
|
| `timeout` | The maximum number of seconds Lambda registrator can run per invocation before timing out. |
|
||||||
| `consul_http_addr` | Specifies the address of the Consul API client. |
|
| `consul_http_addr` | Specifies the address of the Consul API client. |
|
||||||
| `consul_datacenter` | Specifies the Consul datacenter to synchronize with AWS Lambda state data. By default, the Lambda registrator manages Lambda services for all Consul datacenters. When configured for a specific datacenter, Lambda registrator only manages Lambda services with a matching datacenter tag. Refer to [Supported tags](#supported-tags) for additional information. |
|
| `consul_datacenter` | Specifies the Consul datacenter to synchronize with AWS Lambda state data. By default, the Lambda registrator manages Lambda services for all Consul datacenters. When configured for a specific datacenter, Lambda registrator only manages Lambda services with a matching datacenter tag. Refer to [Supported tags](#supported-tags) for additional information. |
|
||||||
| `consul_extension_data_prefix` | Specifies the path prefix in the AWS Parameter Store under which the registrator manages mTLS data. If Lambda functions call mesh services, the value must be set to a non-empty string starting with `/`. |
|
| `consul_extension_data_prefix` | Specifies the path prefix in the AWS Parameter Store under which the registrator manages mTLS data. If Lambda functions call mesh services, the value must be set to a non-empty string starting with `/`. |
|
||||||
| `consul_ca_cert_path` | Specifies the path to the CA certificate stored in the AWS Parameter Store. When Lambda registrator makes an HTTPS request to Consul's API and the Consul API is signed by a custom CA, Lambda registrator uses this CA certificate to verify the authenticity of the Consul API. At startup, Lambda registrator pulls the CA certificate at this path from Parameter Store, writes the certificate to the filesystem and stores the path of that file in `CONSUL_CACERT`. Also see [Optional: Store the CA Certificate in Parameter Store](#optional-store-the-ca-certificate-in-parameter-store)|
|
| `consul_ca_cert_path` | Specifies the path to the CA certificate stored in the AWS Parameter Store. When Lambda registrator makes an HTTPS request to Consul's API and the Consul API is signed by a custom CA, Lambda registrator uses this CA certificate to verify the authenticity of the Consul API. At startup, Lambda registrator pulls the CA certificate at this path from Parameter Store, writes the certificate to the filesystem and stores the path of that file in `CONSUL_CACERT`. Also refer to [Optional: Store the CA Certificate in Parameter Store](#optional-store-the-ca-certificate-in-parameter-store).|
|
||||||
| `consul_http_token_path` | Specifies the path to the ACL token stored in AWS Parameter Store that Lambda registrator presents to access resources. This parameter only required when ACLs are enabled for the Consul server. It is used to fetch an ACL token from Parameter Store and is stored in the `CONSUL_HTTP_TOKEN` environment variable. Also see [Optional: Store the ACL Token in Parameter Store](#optional-store-the-acl-token-in-parameter-store)|
|
| `consul_http_token_path` | Specifies the path to the ACL token stored in AWS Parameter Store that Lambda registrator presents to access resources. This parameter is only required when ACLs are enabled for the Consul server. It is used to fetch an ACL token from Parameter Store and is stored in the `CONSUL_HTTP_TOKEN` environment variable. Also refer tp [Optional: Store the ACL Token in Parameter Store](#optional-store-the-acl-token-in-parameter-store).|
|
||||||
| `node_name` | The Consul node name that Lambdas will be registered to. This defaults to `lambdas`. |
|
| `node_name` | The Consul node name that Lambdas are registered to. Defaults to `lambdas`. |
|
||||||
| `enterprise` | <EnterpriseAlert inline />Determines if the Consul server at `consul_http_addr` is running open source or enterprise. |
|
| `enterprise` | <EnterpriseAlert inline /> Determines if the Consul server at `consul_http_addr` is running open source Consul or Consul Enterprise. |
|
||||||
| `partitions` | <EnterpriseAlert inline />The partitions that Lambda registrator manages. |
|
| `partitions` | <EnterpriseAlert inline /> The partitions that Lambda registrator manages. |
|
||||||
|
|
||||||
## Deploy the Lambda registrator
|
## Deploy the Lambda registrator
|
||||||
|
|
||||||
|
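Review bot: the rewritten `consul_http_token_path` row introduces a typo, "Also refer tp [Optional: Store the ACL Token in Parameter Store]"; it should read "Also refer to". The "is only required" fix in the same row is correct. Minor style: after this change the `timeout` and `node_name` rows are the only descriptions that do not open with "Specifies", unlike the rest of the table.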
@ -185,6 +185,6 @@ The following tags are supported. The path prefix for all tags is `serverless.co
|
||||||
| <nobr>`<prefix-path>/payload-passthrough`</nobr> | Determines if the body Envoy receives is converted to JSON or directly passed to Lambda. This attribute is optional and defaults to `false`. |
|
| <nobr>`<prefix-path>/payload-passthrough`</nobr> | Determines if the body Envoy receives is converted to JSON or directly passed to Lambda. This attribute is optional and defaults to `false`. |
|
||||||
| `<prefix-path>/invocation-mode` | Specifies the [Lambda invocation mode](https://docs.aws.amazon.com/lambda/latest/operatorguide/invocation-modes.html) Consul uses to invoke the Lambda. The default is `SYNCHRONOUS`, but `ASYNCHRONOUS` invocations are also supported. |
|
| `<prefix-path>/invocation-mode` | Specifies the [Lambda invocation mode](https://docs.aws.amazon.com/lambda/latest/operatorguide/invocation-modes.html) Consul uses to invoke the Lambda. The default is `SYNCHRONOUS`, but `ASYNCHRONOUS` invocations are also supported. |
|
||||||
| `<prefix-path>/datacenter` | Specifies the Consul datacenter in which to register the service. The default is the datacenter configured for Lambda registrator. |
|
| `<prefix-path>/datacenter` | Specifies the Consul datacenter in which to register the service. The default is the datacenter configured for Lambda registrator. |
|
||||||
| `<prefix-path>/namespace` | <EnterpriseAlert inline />Specifies the Consul namespace the service will be registered in. Default is `default` if `enterprise` is enabled. |
|
| `<prefix-path>/namespace` | <EnterpriseAlert inline / >Specifies the Consul namespace the service is registered in. Default is `default` if `enterprise` is enabled. |
|
||||||
| `<prefix-path>/partition` | <EnterpriseAlert inline />Specifies the Consul partition the service will be registered in. Defaults is `default` if `enterprise` is enabled. |
|
| `<prefix-path>/partition` | <EnterpriseAlert inline /> Specifies the Consul partition the service is registered in. Defaults is `default` if `enterprise` is enabled. |
|
||||||
| `<prefix-path>/aliases` | Specifies a `+`-separated string of Lambda aliases that will be registered into Consul. For example, if set to `dev+staging+prod`, the `dev`, `staging`, and `prod` aliases of the Lambda function will be registered into Consul. |
|
| `<prefix-path>/aliases` | Specifies a `+`-separated string of Lambda aliases that are registered into Consul. For example, if set to `dev+staging+prod`, the `dev`, `staging`, and `prod` aliases of the Lambda function are registered into Consul. |
|
||||||
|
|
|
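Review bot: the new `<prefix-path>/namespace` row has `<EnterpriseAlert inline / >` with a space between `/` and `>`; that is not a valid self-closing JSX tag and will break MDX rendering of the table. It should be `<EnterpriseAlert inline />`, as in the `partition` row directly below. The `partition` row also keeps "Defaults is `default`"; suggest "Default is `default`" to match the `namespace` row.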
@ -14,7 +14,7 @@ You can either manually register AWS Lambda functions with Consul or use the Lam
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
Consul 1.12.1 and later
|
Consul v1.12.1 and later
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
|
@ -50,15 +50,15 @@ enables an IAM user or role to invoke the `example` Lambda function:
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
Define AWS IAM credentials in environment variables, EC2 metadata or
|
Define AWS IAM credentials in environment variables, EC2 metadata, or
|
||||||
ECS metadata. On [AWS EKS](https://aws.amazon.com/eks/), associate an IAM role with the proxy's `ServiceAccount`. Refer to the [AWS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) documentation for instructions.
|
ECS metadata. On [AWS EKS](https://aws.amazon.com/eks/), associate an IAM role with the proxy's `ServiceAccount`. Refer to the [AWS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) documentation for instructions.
|
||||||
|
|
||||||
### Mesh gateway
|
### Mesh gateway
|
||||||
|
|
||||||
A mesh gateway is required in the following scenarios:
|
A mesh gateway is required in the following scenarios:
|
||||||
|
|
||||||
* Invoking mesh services from Lambda functions
|
- Invoking mesh services from Lambda functions
|
||||||
* Invoking Lambda functions from a service deployed to a separate Consul data center
|
- Invoking Lambda functions from a service deployed to a separate Consul datacenter
|
||||||
|
|
||||||
Mesh gateways are optional for enabling services to invoke Lambda functions if they are in the same datacenter.
|
Mesh gateways are optional for enabling services to invoke Lambda functions if they are in the same datacenter.
|
||||||
|
|
||||||
|
|
|
@ -46,7 +46,7 @@ You can manually register Lambda functions if you are unable to automate the pro
|
||||||
$ curl --request PUT --data @lambda.json localhost:8500/v1/catalog/register
|
$ curl --request PUT --data @lambda.json localhost:8500/v1/catalog/register
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Create the `service-defaults` configuration entry and include the AWS tags used to invoke the Lambda function in the `Meta` field (see [Supported `Meta` fields](#supported-meta-fields). The following example creates a `service-defaults` configuration entry named `lambda`:
|
1. Create the `service-defaults` configuration entry and include the AWS tags used to invoke the Lambda function in the `Meta` field (refer to [Supported `Meta` fields](#supported-meta-fields). The following example creates a `service-defaults` configuration entry named `lambda`:
|
||||||
|
|
||||||
<CodeBlockConfig filename="lambda-service-defaults.hcl">
|
<CodeBlockConfig filename="lambda-service-defaults.hcl">
|
||||||
|
|
||||||
|
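Review bot: the parenthesis opened in "(refer to [Supported `Meta` fields](#supported-meta-fields)" is never closed in the new line (the old line had the same defect), so the step reads "(refer to ... fields. The following example ...". Add the closing `)` after the link.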
@ -71,7 +71,7 @@ You can manually register Lambda functions if you are unable to automate the pro
|
||||||
|
|
||||||
### Supported `Meta` fields
|
### Supported `Meta` fields
|
||||||
|
|
||||||
The following tags are supported. The path prefix for all tags is `serverless.consul.hashicorp.com/v1alpha1/lambda`. For example, specify the following tag to enable Consul to configure the service as an AWS Lambda function:
|
The following tags are supported. The path prefix for all tags is `serverless.consul.hashicorp.com/v1alpha1/lambda`. For example, specify the following tag to enable Consul to configure the service as an AWS Lambda function:
|
||||||
|
|
||||||
`serverless.consul.hashicorp.com/v1alpha1/lambda/enabled`.
|
`serverless.consul.hashicorp.com/v1alpha1/lambda/enabled`.
|
||||||
|
|
||||||
|
|
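Review bot: no textual change is visible in this hunk (likely whitespace only), but the standalone line `` `serverless.consul.hashicorp.com/v1alpha1/lambda/enabled`. `` ends with a period outside the backticks, which reads as part of the key; drop the period or put the key in a fenced block. The paragraph also calls these "tags" while the section heading calls them `Meta` fields; aligning the wording would help.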