An AWS Lambda function for better Slack notifications.
This was a fork of assertible/lambda-cloudwatch-slack; however, it now not only formats CloudWatch alarms but also accepts any JSON data and sends it to Slack.
Other non-trivial changes were made to the upstream project, such as upgrading to Node 8.10, improved testing, using a dedicated logger, removing abandoned sections of code, adding a Docker build environment, and converting this to use Serverless instead of node-lambda.
Follow these steps to configure the webhook in Slack:
- Navigate to the Slack API apps page and create a new app in your workspace.
- Under Features, click incoming webhooks.
- Create a new integration in the channel of your choice. For now, you will need to deploy a new lambda for each webhook. I would recommend choosing one alert channel for each AWS environment, and having all alerts go there.
- Click 'Authorize' at the bottom to install the app in that channel.
- Copy the webhook URL from the setup instructions and use it in the next section.
The incoming webhook is defined via SSM during the deployment process. The unencrypted hook is read from /devops/sns-slack-lambda/HOOK_URL, and the KMS hook is read from /devops/sns-slack-lambda/KMS_HOOK_URL.
If you don't want or need to encrypt your hook URL, you can just set HOOK_URL, and the KMS_HOOK_URL is ignored.
If you do want to encrypt your hook URL, follow these steps to encrypt your Slack hook URL for use in this function:
- Create a KMS key - http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html.
- Encrypt the event collector token using the AWS CLI.
  $ aws kms encrypt --key-id alias/ --plaintext "<SLACK_HOOK_URL>"
  Note: You must exclude the protocol from the URL (e.g. "hooks.slack.com/services/abc123").
- Copy the base-64 encoded, encrypted key (CiphertextBlob) to the ENCRYPTED_HOOK_URL variable.
- Give your function's role permission for the kms:Decrypt action. Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1443036478000",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "<your KMS key ARN>"
      ]
    }
  ]
}
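One way a function could resolve the hook at start-up under the rules above: a plain HOOK_URL wins, otherwise KMS_HOOK_URL is base64-decoded, decrypted, and given its https:// prefix. This is an added example, not this project's code; resolveHookUrl, toHookUrl, redact and the injected kmsDecrypt callback are hypothetical names, and it assumes the plain HOOK_URL is stored without the protocol, like the encrypted value.

```javascript
// Added example, not the project's code. All function names are hypothetical.
const SLACK_HOST = 'hooks.slack.com';

// Turn a protocol-less value into a validated https webhook URL.
function toHookUrl(value) {
  const trimmed = String(value).trim(); // tolerate a trailing newline
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(trimmed)) {
    throw new Error('hook value must not include the protocol');
  }
  const url = new URL('https://' + trimmed);
  // Refuse to post alerts anywhere except a Slack incoming-webhook path.
  if (url.hostname !== SLACK_HOST || !url.pathname.startsWith('/services/')) {
    throw new Error('hook value is not a Slack incoming-webhook path');
  }
  return url.href;
}

// Log-safe form: the path of an incoming webhook is the secret part.
function redact(hookUrl) {
  return new URL(hookUrl).origin + '/services/[REDACTED]';
}

// env: { HOOK_URL, KMS_HOOK_URL }.
// kmsDecrypt: async (Buffer ciphertext) => Buffer plaintext. In a Lambda it
// would wrap a KMS Decrypt call (assumption); injected so this runs offline.
async function resolveHookUrl(env, kmsDecrypt) {
  if (env.HOOK_URL) {
    // Assumption: plain value is protocol-less too. KMS_HOOK_URL is ignored.
    return toHookUrl(env.HOOK_URL);
  }
  if (!env.KMS_HOOK_URL) {
    throw new Error('neither HOOK_URL nor KMS_HOOK_URL is set');
  }
  const ciphertext = Buffer.from(env.KMS_HOOK_URL, 'base64');
  const plaintext = await kmsDecrypt(ciphertext);
  return toHookUrl(plaintext.toString('utf8'));
}
```

Call redact() on the result before writing it to the function's logger, since anyone holding the full URL can post to the channel.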
With the variables filled in, you can test the function:
docker build -t sns-slack-lambda . && \
docker run --rm sns-slack-lambda
The final step is to deploy the integration to AWS Lambda:
export AWS_REGION=us-east-1 && \
export AWS_ENV=dev && \
export ORG=my-company
./deploy
Which is the same thing as running these commands:
export AWS_ENV=dev && \
export AWS_REGION=us-east-1 && \
export DEPLOY_BUCKET=deploy-bucket-$AWS_ENV-$AWS_REGION && \
docker build -t sns-slack-lambda . && \
iam-docker-run \
--image sns-slack-lambda \
--profile $AWS_ENV \
-e DEPLOY_BUCKET=$DEPLOY_BUCKET \
--full-entrypoint "npm run deploy"