Using a cloudformation YAML template, how can I create an alarm calls a lambda function when the alarm is triggered?

Question

Hello,

I'm trying to create an alarm and lambda functions with a cloud formation template (using a YAML file). I want to be able to set an alarm for a Lambda that will check the duration of the lambda, and when a threshold is passed for duration, the alarm action should call a separate lambda function that will eventually post to a teams channel via a web hook.

In my template I'm just trying to prove the concept, I saw this link that very recently AWS have added support for calling a lambda function via alarm actions:

https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cloudwatch-alarms-lambda-change-action/#:~:text=To%20invoke%20Lambda%20actions%20on,ALARM%20or%20INSUFFICIENT_DATA%20state%20changes.

Which links to:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions

But I'm unsure of how to get this to work with my example? It doesn't provide a YAML example.

Could someone provide some insight? thanks.

Answer

Hi,
To create a CloudFormation YAML template that creates an alarm triggering a Lambda function, you can use the AWS::CloudWatch::Alarm resource along with the AWS::Lambda::Permission resource to grant permission for CloudWatch to invoke the Lambda function. Below is an example YAML template:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Code:
        S3Bucket: my-lambda-bucket
        S3Key: lambda-code.zip
      Runtime: python3.8

LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LambdaExecutionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: '*'

MyAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: "Alarm for Lambda errors"
      Namespace: AWS/Lambda
      MetricName: Errors
      Dimensions:
        - Name: FunctionName
          Value: !GetAtt MyLambdaFunction.FunctionName
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanThreshold
      AlarmActions:
        - !Ref MyLambdaInvokePermission

MyLambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt MyLambdaFunction.Arn
      Principal: cloudwatch.amazonaws.com
      SourceArn: !GetAtt MyAlarm.Arn

In this template:

MyLambdaFunction defines your Lambda function.
    LambdaExecutionRole defines an IAM role for the Lambda function to execute with necessary permissions.
    MyAlarm defines the CloudWatch alarm that triggers when the error count exceeds the threshold.
    MyLambdaInvokePermission grants permission for CloudWatch to invoke the Lambda function.

Make sure to replace my-lambda-bucket with the name of your S3 bucket containing the Lambda function code and index.handler with the appropriate handler function in your Lambda code.

Answer

Hello.

I created an example CloudFormation template.  
This template configures resource-based policies and creates CloudWatch alarms.  
By specifying the ARN of the Lambda function in "AlarmActions" and "OKActions", you can use it as a target for CloudWatch alarms.  
```
AWSTemplateFormatVersion: 2010-09-09

Parameters:
  LambdaName:
    Type: String
  LambdaARN:
    Type: String

Resources:
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: "lambda:InvokeFunction"
      FunctionName: !Ref LambdaName
      Principal: "lambda.alarms.cloudwatch.amazonaws.com"
      SourceArn: !GetAtt LambdaAlarm.Arn

LambdaAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub "test-lambda-alarm"
      AlarmDescription: "test"
      Namespace: "AWS/Lambda"
      Dimensions:
        - Name: "FunctionName"
          Value: !Ref LambdaName
      MetricName: "Duration"
      Unit: "Milliseconds"
      Period: 300
      Statistic: "Average"
      Threshold: 80
      ComparisonOperator: "GreaterThanOrEqualToThreshold"
      EvaluationPeriods: 1
      DatapointsToAlarm: 1
      TreatMissingData: "missing"
      ActionsEnabled: True
      AlarmActions:
        - !Ref LambdaARN
      OKActions:
        - !Ref LambdaARN
```

Using a cloudformation YAML template, how can I create an alarm calls a lambda function when the alarm is triggered?

관련 콘텐츠