# Utility Lambda Functions for AWS Step Functions

This is a collection of small AWS Lambda functions I use in my AWS Step Functions.

These functions adopt the Unix philosophy of "do one thing and do it well".

AWS Powertools for Lambda is the only external runtime dependency, and it is included via a Lambda layer. Everything else comes from the Python standard library.

The functions themselves do not need network access; the only outbound traffic is CloudWatch logging. If you supply the security group of a CloudWatch Logs VPC endpoint, the functions send their logs through it; otherwise an HTTPS egress rule to the internet is opened so that logging still works.

With the default Terraform configuration all of the functions run on ARM64.

## Example

```hcl
module "util_fns" {
  source = "git@github.com:proactiveops/util-fns.git?ref=main"

  cloudwatch_vpce_security_group = "sg-4badf00d"

  subnets = "subnet-d34db33f"
  tags    = var.tags

  enabled_functions = [
    "ip_to_object",
    "jira_match",
    "redact"
  ]
}
```

## IP to Object

Wrapper for Python's standard-library `ipaddress` module. The function supports both IPv4 and IPv6 addresses.

Expected payload:

```json
{
    "ip": "198.51.100.1"
}
```

## Jira Match

Searches for Jira ticket references in a string and returns the unique matches as a list.

Expected payload:

```json
{
    "body": "ABC-123 This string contains 2 ticket references ZYX-987"
}
```

## Redact Text

Redacts the PII entities in a string that Amazon Comprehend has identified. Comprehend itself only supports redaction as an asynchronous batch operation; this function performs the redaction on a single string in real time. Other sources of redaction rules can be used, so long as they follow the Amazon Comprehend PII entities schema (`Type`, `BeginOffset`, `EndOffset`).

Use the optional `ignored_entities` property to pass a list of entity types that should not be redacted.

Expected payload:

```json
{
  "text": "Hello Paul Santos. The latest statement for your credit card account 4111-1111-1111-1111 was mailed to 123 Any Street, Seattle, WA 98109.",
  "entities": [
    {
      "Score": 0.9999669790267944,
      "Type": "NAME",
      "BeginOffset": 6,
      "EndOffset": 18
    },
    {
      "Score": 0.8905550241470337,
      "Type": "CREDIT_DEBIT_NUMBER",
      "BeginOffset": 69,
      "EndOffset": 88
    },
    {
      "Score": 0.9999889731407166,
      "Type": "ADDRESS",
      "BeginOffset": 103,
      "EndOffset": 138
    }
  ],
  "ignored_entities": [
    "NAME"
  ]
}
```
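One way to apply Comprehend entity offsets to the string, as an added Python example that is not the repository's own handler: it replaces each non-ignored span with a `[TYPE]` marker, works from the end of the text backwards so that earlier offsets stay valid after each replacement, and clips spans that overlap one already redacted. The marker format, the `redact` and `lambda_handler` names, and the sample event (the README payload, re-typed here) are assumptions of this example.

```python
"""Real-time PII redaction driven by Amazon Comprehend PII entity offsets."""
from typing import Iterable, Mapping, Sequence

# Constructed sample: the README's example payload, including the optional ignore list.
SAMPLE_EVENT = {
    "text": ("Hello Paul Santos. The latest statement for your credit card account "
             "4111-1111-1111-1111 was mailed to 123 Any Street, Seattle, WA 98109."),
    "entities": [
        {"Score": 0.9999669790267944, "Type": "NAME", "BeginOffset": 6, "EndOffset": 18},
        {"Score": 0.8905550241470337, "Type": "CREDIT_DEBIT_NUMBER", "BeginOffset": 69, "EndOffset": 88},
        {"Score": 0.9999889731407166, "Type": "ADDRESS", "BeginOffset": 103, "EndOffset": 138},
    ],
    "ignored_entities": ["NAME"],
}


def redact(text: str, entities: Iterable[Mapping], ignored_entities: Sequence[str] = ()) -> str:
    """Replace every non-ignored entity span with a "[TYPE]" marker.

    The marker format is an assumption for this example; the README does not say
    what the util-fns function substitutes. BeginOffset is inclusive and EndOffset
    exclusive. Offsets are assumed to index Python str code points, which holds
    for the ASCII sample; check the Comprehend docs before relying on that for
    non-ASCII text.
    """
    ignored = set(ignored_entities)
    spans = []
    for ent in entities:
        if ent["Type"] in ignored:
            continue
        begin, end = int(ent["BeginOffset"]), min(int(ent["EndOffset"]), len(text))
        if 0 <= begin < end:  # drop malformed or out-of-range spans
            spans.append((begin, end, ent["Type"]))
    # Replace from the end backwards: a replacement changes the length of the
    # text after it, so offsets earlier in the string remain correct.
    spans.sort(reverse=True)
    out = text
    floor = len(text)  # start of the most recently redacted span
    for begin, end, etype in spans:
        end = min(end, floor)  # clip a span that overlaps an already-redacted one
        if begin >= end:
            continue
        out = out[:begin] + f"[{etype}]" + out[end:]
        floor = begin
    return out


def lambda_handler(event: Mapping, context=None) -> dict:
    """Entry point shaped like the README payload (names are this example's own)."""
    return {"text": redact(event["text"], event["entities"], event.get("ignored_entities", ()))}
```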

## Deprecated Functions

### In List

Step Functions intrinsic functions provide some array operations. Unfortunately the `States.ArrayContains` function returns a boolean rather than the position of the item in the list.

This function returns the zero-based position of the item in the array as an integer. `-1` is returned if the item isn't found.

Expected payload:

```json
{
    "list": ["apple", "banana", "cherry"],
    "item": "banana"
}
```

### In String

Searches for a substring within a string. Whitespace is trimmed from both the string and the substring before searching.

The function returns the starting position of the substring within the string. If the substring isn't found, `-1` is returned.

Expected payload:

```json
{
    "string": "team",
    "substring": "i"
}
```

The following functions are no longer maintained. Use JSONata in your Step Functions instead.

### ISO Format to Timestamp

Converts an ISO 8601 date-time string to a Unix timestamp. If no string is provided, the current UTC timestamp is returned.

Expected payload:

```json
{
    "isoformat": "1985-10-26T08:33:00Z"
}
```

### Lookup Key

Looks up a key in a JSON object (a Python dictionary) and returns its value. If the key isn't found, `null` is returned.

Empty JSON objects are often passed through as empty lists. The function handles this case and returns `null` instead of failing.

Expected payload:

```json
{
    "values": {
        "key1": "value",
        "key2": "another-value"
    },
    "key": "key1"
}
```

### Unix Timestamp to ISO Format

Converts a Unix timestamp to an ISO 8601 date-time string. If no timestamp is provided, the current UTC time is used.

Expected payload:

```json
{
    "timestamp": 499163580
}
```

## Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.0 |
| archive | >= 2.0, < 3.0 |
| aws | >= 5.0, < 6.0 |

## Providers

| Name | Version |
|------|---------|
| archive | 2.6.0 |
| aws | 5.70.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.lambda | resource |
| aws_iam_policy.lambda | resource |
| aws_iam_role.lambda | resource |
| aws_iam_role_policy_attachment.lambda | resource |
| aws_lambda_function.lambda | resource |
| aws_security_group.this | resource |
| aws_vpc_security_group_egress_rule.open | resource |
| aws_vpc_security_group_egress_rule.vpc | resource |
| archive_file.this | data source |
| aws_iam_policy.permission_boundary | data source |
| aws_iam_policy_document.lambda | data source |
| aws_iam_policy_document.lambda_assume | data source |
| aws_region.current | data source |
| aws_subnet.this | data source |
| aws_vpc.this | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cloudwatch_vpce_security_group | ID of the security group containing the VPC endpoint for CloudWatch Logs | `string` | `""` | no |
| enabled_functions | A list of functions to enable | `list(string)` | `["ip_to_object", "jira_match", "redact"]` | no |
| iam_role_permission_boundary | The ARN of the IAM policy to use as a permission boundary for the IAM role | `string` | `null` | no |
| iam_role_prefix | A prefix to use for the IAM role name | `string` | `""` | no |
| namespace | The namespace prefix to use for all resources | `string` | `"util-fns"` | no |
| powertools_version | The version of the AWS Lambda Powertools Lambda layer | `string` | `"5"` | no |
| subnets | A list of subnet IDs to use for the VPC | `list(string)` | n/a | yes |
| tags | A map of tags to apply to all resources | `map(string)` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| lambda_functions | A map of the Lambda function names to their ARNs |
| lambda_role | The ARN of the IAM role used by the Lambda functions |
| security_group | The ID of the security group used by the Lambda functions |