UNPKG

serverless

Version:

Serverless Framework - Build web, mobile and IoT applications with serverless architectures using AWS Lambda, Azure Functions, Google CloudFunctions & more

serverless.com/framework/docs/

serverless/serverless

169 lines (129 loc) • 7.79 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
<!-- title: Serverless Framework - AWS Lambda Events - Self-managed Apache Kafka menuText: Kafka description: Setting up AWS self-managed Apache Kafka Events with AWS Lambda via the Serverless Framework layout: Doc --> <!-- DOCS-SITE-LINK:START automatically generated --> ### [Read this on the main serverless docs site](https://www.serverless.com/framework/docs/providers/aws/events/kafka) <!-- DOCS-SITE-LINK:END --> # Kafka A self-managed Apache Kafka cluster can be used as an event source for AWS Lambda. In order to configure lambda to trigger via `kafka` events, you must provide three required properties: - `accessConfigurations` which defines the chosen [authentication](#authentication) method configuration - `topic` to consume messages from - `bootstrapServers` - an array of bootstrap server addresses for your Kafka cluster ## Authentication You must authenticate your Lambda with a self-managed Apache Kafka cluster using one of; - VPC - subnet(s) and security group - SASL SCRAM/PLAIN - AWS Secrets Manager secret containing credentials - Mutual TLS (mTLS) - AWS Secrets Manager secret containing client certificate, private key, and optionally a CA certificate You can provide this configuration via `accessConfigurations` You must provide at least one method, but it is possible to use VPC in parallel with other methods. For example, you may choose to authenticate via mTLS or SASL/SCRAM, and also place your Lambda and cluster within a VPC. Valid options for `accessConfigurations` are: ```yaml saslPlainAuth: arn:aws:secretsmanager:us-east-1:01234567890:secret:SaslPlain saslScram256Auth: arn:aws:secretsmanager:us-east-1:01234567890:secret:SaslScram256 saslScram512Auth: arn:aws:secretsmanager:us-east-1:01234567890:secret:SaslScram512 clientCertificateTlsAuth: arn:aws:secretsmanager:us-east-1:01234567890:secret:ClientCertificateTLS serverRootCaCertificate: arn:aws:secretsmanager:us-east-1:01234567890:secret:ServerRootCaCertificate vpcSubnet: - subnet-0011001100 - subnet-0022002200 vpcSecurityGroup: sg-0123456789 ``` For more information see: - [AWS Documentation - Using Lambda with self-managed Apache Kafka](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#smaa-authentication) - [AWS Documentation - AWS::Lambda::EventSourceMapping SourceAccessConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-eventsourcemapping-sourceaccessconfiguration.html) - [Confluent documentation - Authentication with SASL/PLAIN](https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_plain.html) - [Confluent documentation - Authentication with SASL/SCRAM](https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_scram.html) - [Confluent documentation Encryption and Authentication with SSL](https://docs.confluent.io/platform/current/kafka/authentication_ssl.html) ## Basic Example: SASL/SCRAM In the following example, we specify that the `compute` function should be triggered whenever there are new messages available to consume from Kafka topic `MySelfManagedKafkaTopic` from self-hosted cluster at `xyz.com`. The cluster has been authenticated using SASL/SCRAM, the credentials are stored at secret `MyBrokerSecretName` ```yml functions: compute: handler: handler.compute events: - kafka: accessConfigurations: saslScram512Auth: arn:aws:secretsmanager:us-east-1:01234567890:secret:MyBrokerSecretName topic: MySelfManagedKafkaTopic bootstrapServers: - abc3.xyz.com:9092 - abc2.xyz.com:9092 ``` ## Example: Using mTLS In this example, the lambda event source is a self-managed Apache kafka cluster authenticated via mTLS. The value of `clientCertificateTlsAuth` is an arn of a secret containing the client certificate and privatekey required for the mTLS handshake. The value of `serverRootCaCertificate` is an arn of a secret containing the Certificate Authority (CA) Certificate. This is optional, you only need to provide if your cluster requires it. ```yml functions: compute: handler: handler.compute events: - kafka: accessConfigurations: clientCertificateTlsAuth: arn:aws:secretsmanager:us-east-1:01234567890:secret:ClientCertificateTLS serverRootCaCertificate: arn:aws:secretsmanager:us-east-1:01234567890:secret:ServerRootCaCertificate topic: MySelfManagedMTLSKafkaTopic bootstrapServers: - abc3.xyz.com:9092 - abc2.xyz.com:9092 ``` ## Using VPC configurations You can also specify VPC configurations for your event source. The values will be automatically transformed into their corresponding URI values, so it not required to specify the URI prefix. For example, `subnet-0011001100` will be automatically mapped to the value `subnet:subnet-0011001100`. ```yml functions: compute: handler: handler.compute events: - kafka: accessConfigurations: vpcSubnet: - subnet-0011001100 - subnet-0022002200 vpcSecurityGroup: sg-0123456789 topic: mytopic bootstrapServers: - abc3.xyz.com:9092 - abc2.xyz.com:9092 ``` ## Enabling and disabling Kafka event trigger The `kafka` event also supports `enabled` parameter, which is used to control if the event source mapping is active. Setting it to `false` will pause polling for and processing new messages. In the following example, we specify that the `compute` function's `kafka` event should be disabled. ```yml functions: compute: handler: handler.compute events: - kafka: accessConfigurations: saslScram512Auth: arn:aws:secretsmanager:us-east-1:01234567890:secret:MyBrokerSecretName topic: AWSKafkaTopic bootstrapServers: - abc3.xyz.com:9092 - abc2.xyz.com:9092 enabled: false ``` ## IAM Permissions The Serverless Framework will automatically configure the most minimal set of IAM permissions for you. However you can still add additional permissions if you need to. Read the official [AWS documentation](https://docs.aws.amazon.com/lambda/latest/dg/kafka-smaa.html) for more information about IAM Permissions for Kafka events. ## Setting the BatchSize, MaximumBatchingWindow and StartingPosition You can set the `batchSize`, which effects how many messages can be processed in a single Lambda invocation. The default `batchSize` is 100, and the max `batchSize` is 10000. Likewise `maximumBatchingWindow` can be set to determine the amount of time the Lambda spends gathering records before invoking the function. The default is 0, but **if you set `batchSize` to more than 10, you must set `maximumBatchingWindow` to at least 1**. The maximum is 300. In addition, you can also configure `startingPosition`, which controls the position at which Lambda should start consuming messages from the topic. It supports two possible values, `TRIM_HORIZON` and `LATEST`, with `TRIM_HORIZON` being the default. In the following example, we specify that the `compute` function should have a `kafka` event configured with `batchSize` of 1000, `maximumBatchingWindow` of 30 seconds and `startingPosition` equal to `LATEST`. ```yml functions: compute: handler: handler.compute events: - kafka: accessConfigurations: saslScram512Auth: arn:aws:secretsmanager:us-east-1:01234567890:secret:MyBrokerSecretName topic: MySelfManagedKafkaTopic bootstrapServers: - abc3.xyz.com:9092 - abc2.xyz.com:9092 batchSize: 1000 maximumBatchingWindow: 30 startingPosition: LATEST ```