applied feedback from review

This commit is contained in:
trujillo-adam 2022-09-28 20:29:05 -07:00
parent 67c4216822
commit fc5fdc27d0
4 changed files with 28 additions and 26 deletions

View File

@ -14,7 +14,7 @@ You can configure Consul to allow services in your mesh to invoke Lambda functio
The first step is to register your Lambda functions into Consul. We recommend using the [Lambda registrator module](https://github.com/hashicorp/terraform-aws-consul-lambda/tree/main/modules/lambda-registrator) to automatically synchronize Lambda functions into Consul. You can also manually register Lambda functions into Consul if you are unable to use the Lambda registrator. The first step is to register your Lambda functions into Consul. We recommend using the [Lambda registrator module](https://github.com/hashicorp/terraform-aws-consul-lambda/tree/main/modules/lambda-registrator) to automatically synchronize Lambda functions into Consul. You can also manually register Lambda functions into Consul if you are unable to use the Lambda registrator.
Refer to [Register Lambda Functions Overview](TODO) for additional information about registering Lambda functions into Consul. Refer to [Lambda Function Registration Requirements](/docs/lambda/registration/index) for additional information about registering Lambda functions into Consul.
## Invoke Lambda functions from Consul service mesh ## Invoke Lambda functions from Consul service mesh
@ -22,13 +22,13 @@ After registering AWS Lambda functions, you can invoke Lambda functions from the
Refer to Invoke Lambda Functions from Services for details. Refer to Invoke Lambda Functions from Services for details.
## Invoke mesh service from Lambda function ## Invoke mesh services from Lambda function
You can also add the `consul-lambda-extension` plugin as a layer in your Lambda functions, which enables them to send requests to services in the mesh. The plugin starts a sidecar proxy that directs requests from Lambda functions to [mesh gateways](docs/connect/gateways#mesh-gateways). The gateways route traffic to the destination service to complete the request. You can also add the `consul-lambda-extension` plugin as a layer in your Lambda functions, which enables them to send requests to services in the mesh. The plugin starts a lightweight sidecar proxy that directs requests from Lambda functions to [mesh gateways](docs/connect/gateways#mesh-gateways). The gateways route traffic to the destination service to complete the request.
![Invoke mesh service from Lambda function](/img/invoke-service-from-lambda-flow.svg) ![Invoke mesh service from Lambda function](/img/invoke-service-from-lambda-flow.svg)
Refer to [Invoke Services from Lambda Functions](TODO) for additional information about registering Lambda functions into Consul. Refer to [Invoke Services from Lambda Functions](/docs/lambda/invoke-from-lambda) for additional information about registering Lambda functions into Consul.
## Cross-datacenter communication ## Cross-datacenter communication

View File

@ -13,11 +13,11 @@ This topic describes how to invoke services in the mesh from Lambda functions re
The following steps describe the process: The following steps describe the process:
1. Deploy the services you want to allow Lambda to invoke. 1. Deploy the services you want to allow the Lambda function to invoke.
1. (Optional) Enable L7 traffic management in the local datacenter. 1. (Optional) Enable L7 traffic management in the local datacenter.
1. Deploy the mesh gateway 1. Deploy the mesh gateway.
1. Deploy the Lambda registrator 1. Deploy the Lambda registrator.
1. Invoke the Lambda function 1. Invoke the the Lambda function.
You must add the `consul-lambda-extension` extension as a Lambda layer to enable Lambda functions to send requests to mesh services. Refer to the [AWS Lambdas documentation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-layers.html) for instructions on how to add layers to your Lambda functions. You must add the `consul-lambda-extension` extension as a Lambda layer to enable Lambda functions to send requests to mesh services. Refer to the [AWS Lambdas documentation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-layers.html) for instructions on how to add layers to your Lambda functions.
@ -120,16 +120,16 @@ The mesh gateway must be running and registered to the Lambda functions Consu
## Deploy the Lambda extension layer ## Deploy the Lambda extension layer
The `consul-lambda-extension` extension runs during the `init` phase of the Lambda function execution. The extension retrieves the data that the Lambda registrator has been configured to store from AWS Parameter Store and creates a lightweight TCP proxy. The proxy creates a local listener for each upstream defined in the `CONSUL_SERVICE_UPSTREAMS` environment variable. The `consul-lambda-extension` extension runs during the `Init` phase of the Lambda function execution. The extension retrieves the data that the Lambda registrator has been configured to store from AWS Parameter Store and creates a lightweight TCP proxy. The proxy creates a local listener for each upstream defined in the `CONSUL_SERVICE_UPSTREAMS` environment variable.
When the Lambda function is invoked, the extension retrieves the data from the AWS Parameter Store so that the function can process requests. When the Lambda function receives a shutdown event, the extension also stops. The extension periodically retrieves the data from the AWS Parameter Store so that the function can process requests. When the Lambda function receives a shutdown event, the extension also stops.
1. Download the `consul-lambda-extension` extension from releases.hashicorp.com: 1. Download the `consul-lambda-extension` extension from releases.hashicorp.com:
```shell-session ```shell-session
curl -o consul-lambda-extension_<version>_linux_amd64.zip https://releases.hashicorp.com/consul-lambda/<version>/consul-lambda-extension_<version>_linux_amd64.zip curl -o consul-lambda-extension_<version>_linux_amd64.zip https://releases.hashicorp.com/consul-lambda/<version>/consul-lambda-extension_<version>_linux_amd64.zip
``` ```
1. Create the AWS Lambda layer. You can create the layer manually using the AWS CLI or AWS Console, but we recommend using Terraform: 1. Create the AWS Lambda layer in the same AWS region as the Lambda function. You can create the layer manually using the AWS CLI or AWS Console, but we recommend using Terraform:
<CodeBlockConfig filename="consul-lambda-extension.tf"> <CodeBlockConfig filename="consul-lambda-extension.tf">
@ -197,7 +197,7 @@ func main() {
## Deploy the Lambda function ## Deploy the Lambda function
1. Create and apply an IAM policy that allows the Lambda functions role to fetch the Lambda extensions data from the Parameter Store. The following example, creates an IAM role for the Lambda function, creates an IAM policy with the necessary permissions and attaches the policy to the role: 1. Create and apply an IAM policy that allows the Lambda functions role to fetch the Lambda extensions data from the AWS Parameter Store. The following example, creates an IAM role for the Lambda function, creates an IAM policy with the necessary permissions and attaches the policy to the role:
<CodeBlockConfig filename="lambda-iam-policy.tf"> <CodeBlockConfig filename="lambda-iam-policy.tf">
@ -250,7 +250,7 @@ func main() {
``` ```
</CodeBlockConfig> </CodeBlockConfig>
1. Configure and deploy the Lambda function. Refer to the [Lambda function configuration](#lambda-function-configuration) reference for information about all available options. There are several methods for deploying Lambda functions. The following example uses Terraform to deploy a function that can invoke the `static-server` upstream service using mTLS data stored under the `/lambda_extension_data` prefix: 1. Configure and deploy the Lambda function. Refer to the [Lambda extension configuration](#lambda-extension-configuration) reference for information about all available options. There are several methods for deploying Lambda functions. The following example uses Terraform to deploy a function that can invoke the `static-server` upstream service using mTLS data stored under the `/lambda_extension_data` prefix:
<CodeBlockConfig filename="lambda-function.tf"> <CodeBlockConfig filename="lambda-function.tf">
@ -277,9 +277,9 @@ func main() {
1. Issue the `terraform apply` command and Consul automatically configures a service for the Lambda function. 1. Issue the `terraform apply` command and Consul automatically configures a service for the Lambda function.
### Lambda function configuration ### Lambda extension configuration
Define the following environment variables to configure each Lambda function. The configurations apply to each Lambda function in your environment: Define the following environment variables in your Lambda functions to configure the Lambda extension. The variables apply to each Lambda function in your environment:
| Variable | Description | Default | | Variable | Description | Default |
| --- | --- | --- | | --- | --- | --- |
@ -287,7 +287,7 @@ Define the following environment variables to configure each Lambda function. T
| <nobr>`CONSUL_EXTENSION_DATA_PREFIX`</nobr> | Specifies the prefix that the plugin pulls configuration data from. The data must be located in the following directory: <br/>`“${CONSUL_EXTENSION_DATA_PREFIX}/${CONSUL_SERVICE_PARTITION}/${CONSUL_SERVICE_NAMESPACE}/<lambda-function-name>”` | none | | <nobr>`CONSUL_EXTENSION_DATA_PREFIX`</nobr> | Specifies the prefix that the plugin pulls configuration data from. The data must be located in the following directory: <br/>`“${CONSUL_EXTENSION_DATA_PREFIX}/${CONSUL_SERVICE_PARTITION}/${CONSUL_SERVICE_NAMESPACE}/<lambda-function-name>”` | none |
| `CONSUL_SERVICE_NAMESPACE` | Specifies the Consul namespace the service is registered into. | `default` | | `CONSUL_SERVICE_NAMESPACE` | Specifies the Consul namespace the service is registered into. | `default` |
| `CONSUL_SERVICE_PARTITION` | Specifies the Consul partition the service is registered into. | `default` | | `CONSUL_SERVICE_PARTITION` | Specifies the Consul partition the service is registered into. | `default` |
| `CONSUL_REFRESH_FREQUENCY` | Specifies the amount of time the extension waits before re-pulling data from the Parameter Store. Use [Go `time.Duration`](https://pkg.go.dev/time@go1.19.1#ParseDuration) string values, for example, `”30s”`. <br/>The time is added to the duration configured in the Lambda registrator `sync_frequency_in_minutes` configuration. Refer to [Lambda registrator configuration options](/docs/lambda/registration/automate#lambda-registrator-configuration-options). The combined configurations determine how stale the data may become. Lambda functions can run for up to 14 hours. We recommend configuring an acceptable value to preview stale certificates. | `“5m”` | | `CONSUL_REFRESH_FREQUENCY` | Specifies the amount of time the extension waits before re-pulling data from the Parameter Store. Use [Go `time.Duration`](https://pkg.go.dev/time@go1.19.1#ParseDuration) string values, for example, `”30s”`. <br/>The time is added to the duration configured in the Lambda registrator `sync_frequency_in_minutes` configuration. Refer to [Lambda registrator configuration options](/docs/lambda/registration/automate#lambda-registrator-configuration-options). The combined configurations determine how stale the data may become. Lambda functions can run for up to 14 hours, so we recommend configuring a value that results in acceptable staleness for certificates. | `“5m”` |
| `CONSUL_SERVICE_UPSTREAMS` | Specifies the upstream services that the Lambda function can call. Specify the value as an unlabelled annotation according to the [`consul.hashicorp.com/connect-service-upstreams` annotation format](/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) in Consul on Kubernetes. For example, `"[service-name]:[port]:[optional-datacenter]"` | none | | `CONSUL_SERVICE_UPSTREAMS` | Specifies the upstream services that the Lambda function can call. Specify the value as an unlabelled annotation according to the [`consul.hashicorp.com/connect-service-upstreams` annotation format](/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams) in Consul on Kubernetes. For example, `"[service-name]:[port]:[optional-datacenter]"` | none |
## Invoke the Lambda function ## Invoke the Lambda function

View File

@ -13,7 +13,7 @@ This topic describes how to automate Lambda function registration using the Cons
You can deploy the Lambda registrator to your environment to automatically register and deregister Lambda functions with Consul based on the function's tags. Refer to the [AWS Lambda tags documentation](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html) to learn about tags. You can deploy the Lambda registrator to your environment to automatically register and deregister Lambda functions with Consul based on the function's tags. Refer to the [AWS Lambda tags documentation](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html) to learn about tags.
The registrator also stores and periodically updates information required to make mTLS requests to upstream services in the AWS parameter store. This enables Lambda functions to invoke mesh services. Refer to [Invoke Services from Lambda Functions](TODO) for additional information. The registrator also stores and periodically updates information required to make mTLS requests to upstream services in the AWS parameter store. This enables Lambda functions to invoke mesh services. Refer to [Invoke Services from Lambda Functions](/docs/lambda/invoke-from-lambda) for additional information.
The registrator runs as a Lambda function that is invoked by AWS EventBridge. Refer to the [AWS EventBridge documentation](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) for additional information. The registrator runs as a Lambda function that is invoked by AWS EventBridge. Refer to the [AWS EventBridge documentation](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) for additional information.

View File

@ -65,7 +65,9 @@ To register a Lambda service with a terminating gateway, add the service to the
`Services` field of the terminating gateway's `terminating-gateway` `Services` field of the terminating gateway's `terminating-gateway`
configuration entry. configuration entry.
### Optional: Run a Mesh Gateway ### Run a Mesh Gateway
A mesh gateway is required to enable Lambda functions to invoke mesh services, but optional to enable services to invoke Lambda functions.
You can set up a mesh gateway so that you can invoke Lambda services across datacenters and admin partitions. The mesh gateway must be running and registered in the relevant Consul datacenters and partitions. Refer to the following documentation and tutorials for instructions on how to set up mesh gateways: You can set up a mesh gateway so that you can invoke Lambda services across datacenters and admin partitions. The mesh gateway must be running and registered in the relevant Consul datacenters and partitions. Refer to the following documentation and tutorials for instructions on how to set up mesh gateways: