This Python 3 script allows you to link an AWS account to NR Cloud integrations and configure it for receiving Lambda monitoring data from agents. This script relies in AWS CLI to perform some actions in your AWS account, so you will need to install and configure it with proper credentials (explained below).
-
Python >= 2.6.6 (including pip, if it is not already installed)
-
Note: If you haven't added your python bin directory to your path yet, you will need to do that as well. For example, with the default Python (2.7) on MacOS Mojave, you would need to add
~/Library/Python/2.7/binto your path. -
You also have to perform the initial configuration of the AWS CLI to set the proper credentials and default region.
$ aws configure AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Default region name [None]: us-west-2 Default output format [None]: jsonNote: If you have multiple AWS profiles and you don't want to use the default while running this script, set the
AWS_DEFAULT_PROFILEenvironment variable to the name of the required profile.Make sure this new profile is properly configured (including the default region). Example:
export AWS_DEFAULT_PROFILE=my-other-profile
In order to use the script you will need to have enough permissions in your New Relic account and in you AWS account.
In your New Relic account your user will have to either be an Admin or an User with the Infrastructure manager role.
In your AWS account will need to have enough permissions to create IAM resources (Role and Policy) and Lambda functions. These resources will be created via Coudformation stacks, so you will need permissions to create those.
The full list of permissions required in AWS are:
Resource: *
Actions:
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:DescribeStacks",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:GetRole",
"iam:PassRole",
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:GetFunction",
"logs:DeleteSubscriptionFilter",
"logs:DescribeSubscriptionFilters",
"logs:PutSubscriptionFilter"
"s3:GetObject"
Resource: "arn:aws:serverlessrepo:us-east-1:463657938898:applications/NewRelic-log-ingestion"
Actions:
"serverlessrepo:CreateCloudFormationTemplate"
"serverlessrepo:GetCloudFormationTemplate"
-
Download this zip file that contains all files of this repository:
curl -L -O https://github.com/newrelic/nr-lambda-onboarding/archive/master.zip -
Uncompress the zip file:
unzip master.zip -
Change to
nr-lambda-onboarding-masterdirectory:cd nr-lambda-onboarding-master -
Add execution permission to
newrelic-cloudscript:chmod +x newrelic-cloud
usage: ./newrelic-cloud set-up-lambda-integration [args]
This command will execute all the required steps necessary to fully enable Lambda monitoring in your New Relic account. The steps are:
- Link your AWS account in NR Cloud integrations.
- Enable AWS Lambda integration.
- Install NewRelic-log-ingestion Lambda function. This function sends monitoring data from you instrumented functions to New Relic. It also sends data from VPC FlowLogs and RDS enhanced monitoring.
- --nr-account-id NR_ACCOUNT_ID : Your New Relic account ID.
- --aws-role-policy : (Optional) Name of the policy assigned to the AWS role. Supply a name if you want to create the role with a restricted policy (only Lambda permissions). Omit the parameter to create the role with the AWS default
ReadOnlyAccesspolicy. - --linked-account-name LINKED_ACCOUNT_NAME : Name of your AWS account that will appear in NR Cloud integrations. It is used to easily identify you account in NR. The cloud account will be created if it does not exist yet.
- --nr-api-key NR_API_KEY : Your New Relic User API key (different from New Relic REST API key!). Check the documentation on how to obtain a user API key.
- --nr-license-key NR_LICENSE_KEY : Your New Relic license key. Check the documentation on how to obtain a license key.
- --regions REGIONS : (Optional) List of regions where to install the New Relic log ingestion function. If no value is supplied it will fetch the list of regions from EC2 and use that as the list of regions.
Note: if this command fails with the error (UnrecognizedClientException) when calling the GetFunction operation: The security token included in the request is invalid., it is commonly because there was no region supplied. Just add the --regions flag with your authorized regions, then run the command again and it should pass.
Example:
./newrelic-cloud set-up-lambda-integration \
--nr-account-id "account_id" \
--linked-account-name "account_name" \
--aws-role-policy "NewRelicLambdaPolicy" \
--nr-api-key "api_key" \
--nr-license-key "license_key" \
--regions "region_1" "region-2"
usage: ./newrelic-cloud stream-lambda-logs [args]
This command will execute all the required steps necessary to start sending Lambda agent data to New Relic. It will create a log subscription filter for each of the given intrumented Lambdas to NewRelic-log-ingestion function, so agent data will be streamed to this function which will forward it to New Relic ingestion services.
- --functions FUNCTIONS : One of more function (names) to enable log streaming.
- --regions REGIONS : (Optional) List of regions where the script will try to setup the log streaming for the given functions. If no value is supplied it will fetch the list of regions from EC2 and use that as the list of regions.
Example:
./newrelic-cloud stream-lambda-logs --functions "my-function-1" "my-function-2" --regions "region_1" "region_2"
usage: ./newrelic-cloud check-lambda-setup-status [args]
This command will perform a few simple checks of the basic requirements for having Lambda instrumentation working. It will not check for required permissions either in AWS or New Relic.
- --nr-account-id NR_ACCOUNT_ID : Your New Relic account id.
- --linked-account-name LINKED_ACCOUNT_NAME : Name of your AWS account that appears in NR Cloud integrations you want to check.
- --nr-api-key NR_API_KEY : Your New Relic user API key. Check the documentation on how to obtain an API key.
- --nr-license-key NR_LICENSE_KEY : Your New Relic license key. Check the documentation on how to obtain an license key.
- --functions FUNCTIONS : List of (space-separated) function names to check.
- --regions REGIONS (Optional) List of (space-separated) regions where to perform the checks.
Example:
./newrelic-cloud check-lambda-setup-status \
--nr-account-id "account_id" \
--linked-account-name "account_name" \
--nr-api-key "api_key" \
--nr-license-key "license_key" \
--functions "my-function-1" "my-function-2" \
--regions "region_1" "region_2"