New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow self managed Apache Kafka as an event source #8718
Comments
Hello @lewgordon 👋 Thank you for your proposal, it looks good overall, however, I have a few questions:
Thanks! |
Will check on this today!
Yeah I think that makes sense. However, things like |
Hi @pgrzesik, I believe all the new types that aren't mentioned in the documentation should work. I opened a PR with them (awsdocs/aws-cloudformation-user-guide#898) to just confirm this though. However, speaking with an Amazon support rep I believe the internal team has been notified, too. |
Thanks for following up @lewgordon and for clarification around
Let me know what do you think 💯 |
Here's a snippet from the Cloudformation I ran yesterday, hopefully it clarifies a bit on what the resource needs to look like: "KafkaEventSource": {
"Type" : "AWS::Lambda::EventSourceMapping",
"Properties": {
"Topics": ["ConfigurationChanged"],
"FunctionName": {"Ref": "HelloLambdaFunction"},
"SelfManagedEventSource": {
"Endpoints": {"KafkaBootstrapServers": ["abc2.xyz.com:9092"]}
},
"SourceAccessConfigurations": [
{"Type": "VPC_SECURITY_GROUP", "URI": "security_group:sg-1234567890"},
{"Type": "VPC_SUBNET", "URI": "subnet:subnet-1234567890"}
]
}
}, I do like the functions:
compute:
handler: handler.compute
events:
- kafka:
accessConfigurations:
- type: saslScram512Auth
arn(or uri): arn:aws:secretsmanager:us-east-1:01234567890:secret:MyBrokerSecretName
topic: mytopic
bootstrapServers:
- abc3.xyz.com:9092
- abc2.xyz.com:9092
- kafka:
accessConfigurations:
- type: vpcSubnet
vpcSubnets:
- subnet-0011001100
- subnet-0022002200
- type: vpcSecurityGroup
vpcSecurityGroups:
- sg-0123456789
topic: mytopic
bootstrapServers:
- abc3.xyz.com:9092
- abc2.xyz.com:9092
- kafka:
accessConfigurations:
- type: vpcSecurityGroup
vpcSecurityGroups:
- sg-0123456789
topic: mytopic
bootstrapServers:
- abc3.xyz.com:9092
- abc2.xyz.com:9092 Also my initial thought was to simplify the URIs that are needed for |
Thank you @lewgordon - I missed the fact that it's multiple I think there are no other outstanding questions and it's ready for implementation - let me know what do you think. Would you be okay with updating the issue with the final version of the implementation proposal? And of course, we'd be more than happy to accept a PR 🙌 |
Sure I wouldn't necessarily assign it to me right away, but I may look into the implementation next week! |
@pgrzesik thinking through some of the implementation a bit I found another "quirk" that'll have to do with functions:
compute:
handler: handler.compute
events:
- kafka:
accessConfigurations:
- type: vpcSubnet
vpcSubnets:
Ref: VpcSubnets
- type: vpcSecurityGroup
vpcSecurityGroups:
- sg-0123456789
topic: mytopic
bootstrapServers:
- abc3.xyz.com:9092
- abc2.xyz.com:9092 Where "KafkaEventSource": {
"Type" : "AWS::Lambda::EventSourceMapping",
"Properties": {
"Topics": ["mytopic"],
"FunctionName": {"Ref": "ComputerLambdaFunction"},
"SelfManagedEventSource": {
"Endpoints": {"KafkaBootstrapServers": ["abc3.xyz.com:9092", "abc2.xyz.com:9092"]}
},
"SourceAccessConfigurations": [
{"Type": "VPC_SECURITY_GROUP", "URI": "security_group:sg-0123456789"},
{"Type": "VPC_SUBNET", "URI": "subnet:???"},
]
}
}, I think the we could disallow functions:
compute:
handler: handler.compute
events:
- kafka:
accessConfigurations:
- vpcSubnet: subnet-0011001100
- vpcSubnet: subnet-0022002200
- vpcSecurityGroup: sg-0123456789
topic: mytopic
bootstrapServers:
- abc3.xyz.com:9092
- abc2.xyz.com:9092 Sorry if we'll need to go through more rounds of discussion around the event object, but I think it'll be worth it. Looking forward to your thoughts! |
Hey @lewgordon, thanks for mentioning that issue, you're totally right. In the proposed example, we still will have to disallow the use of CF intrinsic functions, or do you think we'd be just fine with using |
That was my initial thought at least. Basically, for any intrinsic function we could use |
If that's going to work, I believe your latest suggestion is the best way to implement it @lewgordon 👍 |
Just as a side note. We support CF intrinsic functions only in properties which we pass directly (as-is) to CloudFormation template (where they're supported). So if the case here is different, I believe we simply should not support CF intrinsic functions (there definitely should not be the need to resolve those functions) |
That sounds good to me. I think it'll simplify this PR a bit, too. |
Concerning accessConfigurations:
saslScram512Auth: arn:aws:secretsmanager:us-east-1:01234567890:secret:MyBrokerSecretName # can be an array
vpcSubnet:
- subnet-0011001100
- subnet-0022002200
vpcSecurityGroup: sg-0123456789 # can be an array At least what's currently reminds me the design of function event on our side, which is troublesome and doesn't feel natural (we've scheduled to change it: #7601) |
@medikoo I think that's valid now that we won't accept the use of the intrinsic functions. The problem with that configuration initially was how it'd translate to Cloudformation. For example, if we allowed the use of accessConfigurations:
saslScram512Auth: arn:aws:secretsmanager:us-east-1:01234567890:secret:MyBrokerSecretName # can be an array
vpcSubnet:
- subnet-0011001100
- subnet-0022002200
vpcSecurityGroup: sg-0123456789 # can be an array Would not translate to a valid Cloudformation template for this resource, since we wouldn't be able to determine how many values were in "KafkaEventSource": {
"Type" : "AWS::Lambda::EventSourceMapping",
"Properties": {
"Topics": ["mytopic"],
"FunctionName": {"Ref": "ComputerLambdaFunction"},
"SelfManagedEventSource": {
"Endpoints": {"KafkaBootstrapServers": ["abc3.xyz.com:9092", "abc2.xyz.com:9092"]}
},
"SourceAccessConfigurations": [
{"Type": "VPC_SECURITY_GROUP", "URI": "security_group:sg-0123456789"},
{"Type": "VPC_SUBNET", "URI": "subnet:???"},
]
}
}, Hope that makes sense and I think that by not allowing the intrinisic functions your proposal does seem more natural. |
@lewgordon thanks for explanation, yes we definitely should not support any CF intristic functions here, as it's not a value we directly pass to CF template. In such case I suggest to improve the syntax to one now proposed. What do you think? @pgrzesik what's your opinion on that? |
I agree with the proposal to simplify the syntax if we're not allowing CloudFormation intrinsic functions - that was the only reason for current syntax 👍 |
Hi @pgrzesik @medikoo, after some testing yesterday I think the experience without the use of intrinsic functions is going to make this event painful to use. My (if potentially biased) workflow would to be able to contain all the resources within the one Serverless stack and definitely discourage the pattern of doing a double deploy. For example: functions:
compute:
events:
- kafka:
accessConfigurations:
vpcSecurityGroup:
- Fn::Sub:
- "security_group:${SecurityGroupId}"
- SecurityGroupId:
Ref: LambdaSecurityGroup
topic: MyTopic
bootstrapServers:
- abc.xyc.com:9092
resources:
Resources:
LambdaSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties: {...} I think this would be much more preferable, even if I needed to use |
@lewgordon I'm not sure if that's possible. AFAIK we need to resolve a Technically the way things work in a Framework:
|
Use case description
We'd like to utilize our self managed Kafka cluster as an event source, now that AWS will allow it.
Proposed solution
I would think it would look fairly similar to what was implemented for #8117. See https://docs.aws.amazon.com/lambda/latest/dg/kafka-smaa.html for additional details. I also provided an example of what I'm thinking the serverless.yml events would look like, although feedback is appreciated!
I didn't enumerate all of the options that would be provided, but I figure it'd support all of the options for the https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html resource, but being focused on using
SelfManagedEventSource
specifically.The text was updated successfully, but these errors were encountered: