Provide guidance on how to integrate with AWS Signer #1548

Open
webfinesse opened this issue Oct 8, 2024 · 1 comment · May be fixed by #1553
Labels
enhancement New feature or request

Comments

@webfinesse

webfinesse commented Oct 8, 2024

Problem

I use AWS Signer for my Lambda functions. When trying to deploy the collector layer from the community ARNs (e.g. arn:aws:lambda:us-east-1:184161586896:layer:opentelemetry-collector-arm64-0_11_0:1), I get the following error:

"Lambda cannot deploy the function. The function or layer might be signed using a signature that the client is not configured to accept. Check the provided signature for arn:aws:lambda:us-east-1:184161586896:layer:opentelemetry-collector-arm64-0_11_0:1. (Service: Lambda, Status Code: 400, Request ID: 3fc2323f-c669-4b01-b55f-743efb7550d8, Extended Request ID: null)" (RequestToken: 085537f1-e14d-444a-e4d3-9b5859b39822, HandlerErrorCode: InvalidRequest)

This makes sense as the layer is not signed by my AWS Signer profile.

Workaround

Ultimately, I was able to solve this by downloading the GitHub Release source code and running make build (make publish-layer will not sign my layer, so this was not helpful). Once built and the contents put into the appropriate zip file, I used Terraform to create my signed layer:

module "label_opentelemetry_collector_layer" {
  source  = "cloudposse/label/null"
  version = "0.25.0"
  context = module.label.context
  name    = "opentelemetry-collector-layer"
}

# Unsigned layer zip, built locally with `make build` and uploaded as the signing input.
# The bucket must have versioning enabled: the signing job source needs an object version.
resource "aws_s3_object" "opentelemetry_collection_layer" {
  tags   = module.label_opentelemetry_collector_layer.tags
  bucket = aws_s3_bucket.npcninja_lambda_bucket.id
  key    = "open-telemetry-collector-layer.zip"
  source = "${path.module}/../../libs/opentelemetry_layer/open-telemetry-collector-layer.zip"
  etag   = filemd5("${path.module}/../../libs/opentelemetry_layer/open-telemetry-collector-layer.zip")
}

# Collector configuration file, referenced by the function via its S3 URI.
resource "aws_s3_object" "opentelemetry_configuration" {
  bucket = aws_s3_bucket.npcninja_lambda_bucket.bucket
  tags   = module.label_opentelemetry_collector_layer.tags
  key    = "opentelemetry_configuration.${var.deployment_environment_name}.yml"
  source = "${path.module}/opentelemetry_configuration.${var.deployment_environment_name}.yml"
  etag   = filemd5("${path.module}/opentelemetry_configuration.${var.deployment_environment_name}.yml")
}

# Signs the uploaded zip with the account's signing profile and writes the
# signed archive under the "signed/" prefix of the same bucket.
resource "aws_signer_signing_job" "this" {
  profile_name = aws_signer_signing_profile.this.name

  source {
    s3 {
      bucket  = aws_s3_bucket.npcninja_lambda_bucket.bucket
      key     = aws_s3_object.opentelemetry_collection_layer.id
      version = aws_s3_object.opentelemetry_collection_layer.version_id
    }
  }

  destination {
    s3 {
      bucket = aws_s3_bucket.npcninja_lambda_bucket.bucket
      prefix = "signed/"
    }
  }

  # With this set, a failed signing job does not fail the apply; the job's
  # status and reason are exposed as attributes instead.
  ignore_signing_job_failure = true
}

# Layer version published from the signed object, not the unsigned upload.
resource "aws_lambda_layer_version" "this" {
  layer_name               = "opentelemetry-collector"
  compatible_architectures = ["arm64"]
  compatible_runtimes      = ["nodejs14.x", "nodejs16.x", "nodejs18.x", "java11", "python3.8", "python3.9", "python3.10", "python3.11"]
  s3_bucket                = aws_signer_signing_job.this.signed_object[0].s3[0].bucket
  s3_key                   = aws_signer_signing_job.this.signed_object[0].s3[0].key
  source_code_hash         = filebase64sha256("${path.module}/../../libs/opentelemetry_layer/open-telemetry-collector-layer.zip")
}

I could then inject the ARN into my Lambda function configuration in Terraform using a variable:

// ...
opentelemetry_configuration = {
  yaml_arn      = aws_s3_object.opentelemetry_configuration.arn
  yaml_uri      = "s3://${aws_s3_bucket.npcninja_lambda_bucket.bucket_regional_domain_name}/${aws_s3_object.opentelemetry_configuration.key}"
  collector_arn = aws_lambda_layer_version.this.arn
}
// ...

Then, in my Lambda function module:

// ...
layers = [
  var.opentelemetry_configuration.collector_arn
]
// ...

I am not sure this is the optimal way to implement this, and I am open to simpler ways to implement it.

Proposal

Assuming this is the optimal solution, the following would have helped me.

  • Provide official .zip files of the layer as part of the GitHub release so I do not have to build my own collector binary.
  • Provide documentation on how to best integrate the collector with AWS Signer using CDK/SAM/Terraform/OpenTofu.
@webfinesse webfinesse added the enhancement New feature or request label Oct 8, 2024
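The following Terraform is an added example, not code from the issue author or from the opentelemetry-lambda project. It shows the pieces around the workaround above that make the signing actually enforceable: bucket versioning (the signing job's S3 source needs an object version), the signing profile, a signing job with ignore_signing_job_failure left at its default so a failed job fails the apply rather than pointing the layer at a signed object that was never written, and an aws_lambda_code_signing_config attached to the consuming function so that an unsigned or differently signed layer is rejected at deploy time. The bucket name, zip path, function name and the var.* inputs are assumptions.

```hcl
# Added example, not code from the issue or the project. The bucket name, the local
# zip path, "otel_collector_", "example-app" and the var.* inputs are assumptions.

resource "aws_s3_bucket" "artifacts" {
  bucket = "example-lambda-artifacts" # assumed name
}

# The signing job's S3 source requires an object version, so versioning must be on.
resource "aws_s3_bucket_versioning" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_signer_signing_profile" "lambda" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "otel_collector_" # profile names allow only letters, digits and underscores

  signature_validity_period {
    value = 1
    type  = "YEARS"
  }
}

# Unsigned layer zip produced by `make build` (path assumed).
resource "aws_s3_object" "collector_layer" {
  bucket = aws_s3_bucket.artifacts.id
  key    = "unsigned/opentelemetry-collector-layer.zip"
  source = "${path.module}/opentelemetry-collector-layer.zip"
  etag   = filemd5("${path.module}/opentelemetry-collector-layer.zip")

  depends_on = [aws_s3_bucket_versioning.artifacts]
}

resource "aws_signer_signing_job" "collector_layer" {
  profile_name = aws_signer_signing_profile.lambda.name

  source {
    s3 {
      bucket  = aws_s3_bucket.artifacts.id
      key     = aws_s3_object.collector_layer.key
      version = aws_s3_object.collector_layer.version_id
    }
  }

  destination {
    s3 {
      bucket = aws_s3_bucket.artifacts.id
      prefix = "signed/"
    }
  }

  # Default is false: a failed signing job fails the apply instead of
  # leaving the layer version pointing at a signed object that does not exist.
  ignore_signing_job_failure = false
}

# The layer is published from the signed archive only.
resource "aws_lambda_layer_version" "collector" {
  layer_name               = "opentelemetry-collector"
  compatible_architectures = ["arm64"]
  compatible_runtimes      = ["nodejs18.x", "python3.11"]
  s3_bucket                = aws_signer_signing_job.collector_layer.signed_object[0].s3[0].bucket
  s3_key                   = aws_signer_signing_job.collector_layer.signed_object[0].s3[0].key
}

# The function accepts only code and layers signed by the listed profile version.
# "Enforce" rejects anything else at deploy time; "Warn" would only log it.
resource "aws_lambda_code_signing_config" "this" {
  description = "Only accept artifacts signed by the OTel collector profile"

  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.lambda.version_arn]
  }

  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}

resource "aws_lambda_function" "app" {
  function_name = "example-app"       # assumed
  role          = var.lambda_role_arn # assumed input
  runtime       = "python3.11"
  handler       = "app.handler"
  architectures = ["arm64"]

  # The function's own package must be signed by the same profile (a second
  # signing job, not shown); its signed S3 key is passed in as an assumed input.
  s3_bucket = aws_s3_bucket.artifacts.id
  s3_key    = var.signed_app_package_key

  code_signing_config_arn = aws_lambda_code_signing_config.this.arn
  layers                  = [aws_lambda_layer_version.collector.arn]
}
```

Pinning allowed_publishers to version_arn rather than the profile ARN means a newly created profile version is not trusted until the config is updated, which is the intended behaviour for a deploy-time gate. After apply, `aws lambda get-layer-version --layer-name opentelemetry-collector --version-number <n>` reports the SigningProfileVersionArn and SigningJobArn of the deployed layer in its Content block, which is the quickest way to confirm that the function is consuming the signed archive and not the unsigned upload.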
@tylerbenson
Member

You can find the zip files on the build at the bottom in the artifact section: https://github.com/open-telemetry/opentelemetry-lambda/actions/runs/11025063356

If you'd like to modify the build action to attach the zip files to the release, I'd be open to accepting a PR for that work.

@webfinesse webfinesse linked a pull request Oct 13, 2024 that will close this issue