docs(examples): Add DynamoDB Telephone Example (#164)

jshlbrd · web-flow · commit 135d76af5b99 · 2024-04-29T07:16:40.000-07:00
* docs(examples): Add DynamoDB Telephone Example

* docs: Rename Resources

* docs: Examples README
diff --git a/examples/terraform/aws/README.md b/examples/terraform/aws/README.md
@@ -82,6 +82,59 @@ flowchart LR
     end
 ```
 
+## Telephone
+
+Deploys a data pipeline that implements a "telephone" pattern by sharing data as context between multiple Lambda functions using a DynamoDB table. This pattern can be used to enrich events across unique data sources.
+
+```mermaid
+
+flowchart LR
+    %% resources
+    md_kinesis([Device Management
+    Kinesis Data Stream])
+    edr_kinesis([EDR Kinesis Data Stream])
+    idp_kinesis([IdP Kinesis Data Stream])
+    dynamodb([DynamoDB Table])
+
+    edrEnrichmentHandler[[Handler]]
+    edrEnrichmentTransforms[Transforms]
+
+    edrTransformHandler[[Handler]]
+    edrTransformTransforms[Transforms]
+
+    idpEnrichmentHandler[[Handler]]
+    idpEnrichmentTransforms[Transforms]
+
+    mdEnrichmentHandler[[Handler]]
+    mdEnrichmentTransforms[Transforms]
+
+    %% connections
+    edr_kinesis --> edrEnrichmentHandler
+    subgraph Substation EDR Enrichment Node 
+    edrEnrichmentHandler --> edrEnrichmentTransforms
+    end
+
+    edr_kinesis --> edrTransformHandler
+    subgraph Substation EDR Transform Node 
+    edrTransformHandler --> edrTransformTransforms
+    end
+
+    idp_kinesis --> idpEnrichmentHandler
+    subgraph Substation IdP Enrichment Node 
+    idpEnrichmentHandler --> idpEnrichmentTransforms
+    end
+
+    md_kinesis --> mdEnrichmentHandler
+    subgraph Substation Dvc Mgmt Enrichment Node 
+    mdEnrichmentHandler --> mdEnrichmentTransforms
+    end
+
+    edrEnrichmentTransforms --- dynamodb
+    edrTransformTransforms --- dynamodb
+    idpEnrichmentTransforms --- dynamodb
+    mdEnrichmentTransforms --- dynamodb
+```
+
 # Firehose
 
 ## Data Transform
diff --git a/examples/terraform/aws/dynamodb/telephone/config/const.libsonnet b/examples/terraform/aws/dynamodb/telephone/config/const.libsonnet
@@ -0,0 +1,8 @@
+local sub = import '../../../../../../build/config/substation.libsonnet';
+
+{
+  kv_store: sub.kv_store.aws_dynamodb({
+    table_name: 'substation',
+    attributes: { partition_key: 'PK', sort_key: 'SK', ttl: 'TTL', value: 'cache' },
+  }),
+}
diff --git a/examples/terraform/aws/dynamodb/telephone/config/dvc_mgmt_enrichment/config.jsonnet b/examples/terraform/aws/dynamodb/telephone/config/dvc_mgmt_enrichment/config.jsonnet
@@ -0,0 +1,10 @@
+local sub = import '../../../../../../../build/config/substation.libsonnet';
+local const = import '../const.libsonnet';
+
+{
+  concurrency: 1,
+  transforms: [
+    // Puts the user's metadata into the KV store indexed by the host name.
+    sub.tf.enrich.kv_store.set({ obj: { src: 'host.name', trg: 'user' }, prefix: 'md_user', kv_store: const.kv_store }),
+  ],
+}
diff --git a/examples/terraform/aws/dynamodb/telephone/config/edr_enrichment/config.jsonnet b/examples/terraform/aws/dynamodb/telephone/config/edr_enrichment/config.jsonnet
@@ -0,0 +1,18 @@
+local sub = import '../../../../../../../build/config/substation.libsonnet';
+local const = import '../const.libsonnet';
+
+{
+  concurrency: 1,
+  transforms: [
+    // If the host metadata contains the host name, then it's put into the KV store
+    // indexed by the host ID.
+    sub.tf.meta.switch({ cases: [
+      {
+        condition: sub.cnd.all([
+          sub.cnd.num.len.gt({ obj: { src: 'host.name' }, value: 0 }),
+        ]),
+        transform: sub.tf.enrich.kv_store.set({ obj: { src: 'host.id', trg: 'host' }, prefix: 'edr_host', kv_store: const.kv_store }),
+      },
+    ] }),
+  ],
+}
diff --git a/examples/terraform/aws/dynamodb/telephone/config/edr_transform/config.jsonnet b/examples/terraform/aws/dynamodb/telephone/config/edr_transform/config.jsonnet
@@ -0,0 +1,24 @@
+local sub = import '../../../../../../../build/config/substation.libsonnet';
+local const = import '../const.libsonnet';
+
+// cnd_copy is a helper function for copying values that are not null.
+local cnd_copy(source, target) = sub.pattern.tf.conditional(
+  condition=sub.cnd.num.len.gt({ obj: { src: source }, value: 0 }),
+  transform=sub.tf.object.copy({ obj: { src: source, trg: target } }),
+);
+
+{
+  concurrency: 1,
+  transforms: [
+    // The value from the KV store can be null, so the result is hidden in metadata and checked before
+    // copying it into the message data. Many of these values are supersets of each other, so values are
+    // overwritten if they exist. If any source key is missing, the transform is skipped.
+    sub.tf.enrich.kv_store.get({ obj: { src: 'host.id', trg: 'meta edr_host' }, prefix: 'edr_host', kv_store: const.kv_store }),
+    cnd_copy(source='meta edr_host', target='host'),
+    sub.tf.enrich.kv_store.get({ obj: { src: 'host.name', trg: 'meta md_user' }, prefix: 'md_user', kv_store: const.kv_store }),
+    cnd_copy(source='meta md_user', target='user'),
+    sub.tf.enrich.kv_store.get({ obj: { src: 'user.email', trg: 'meta idp_user' }, prefix: 'idp_user', kv_store: const.kv_store }),
+    cnd_copy(source='meta idp_user', target='user'),
+    sub.tf.send.stdout(),
+  ],
+}
diff --git a/examples/terraform/aws/dynamodb/telephone/config/idp_enrichment/config.jsonnet b/examples/terraform/aws/dynamodb/telephone/config/idp_enrichment/config.jsonnet
@@ -0,0 +1,31 @@
+local sub = import '../../../../../../../build/config/substation.libsonnet';
+local const = import '../const.libsonnet';
+
+{
+  concurrency: 1,
+  transforms: [
+    // The user's status is determined to be inactive if there is a successful deletion event.
+    // Any other successful authentication event will set the user's status to active.
+    //
+    // In production deployments, additional filtering should be used to reduce the number of
+    // queries made to the KV store.
+    sub.tf.meta.switch({ cases: [
+      {
+        condition: sub.cnd.all([
+          sub.cnd.str.eq({ object: { source_key: 'event.category' }, value: 'authentication' }),
+          sub.cnd.str.eq({ object: { source_key: 'event.type' }, value: 'deletion' }),
+          sub.cnd.str.eq({ object: { source_key: 'event.outcome' }, value: 'success' }),
+        ]),
+        transform: sub.tf.object.insert({ object: { target_key: 'user.status.-1' }, value: 'idp_inactive' }),
+      },
+      {
+        condition: sub.cnd.all([
+          sub.cnd.str.eq({ object: { source_key: 'event.outcome' }, value: 'success' }),
+        ]),
+        transform: sub.tf.object.insert({ object: { target_key: 'user.status.-1' }, value: 'idp_active' }),
+      },
+    ] }),
+    // Puts the user's metadata into the KV store indexed by their email address.
+    sub.tf.enrich.kv_store.set({ obj: { src: 'user.email', trg: 'user' }, prefix: 'idp_user', kv_store: const.kv_store }),
+  ],
+}
diff --git a/examples/terraform/aws/dynamodb/telephone/dvc_mgmt_data.jsonl b/examples/terraform/aws/dynamodb/telephone/dvc_mgmt_data.jsonl
@@ -0,0 +1,2 @@
+{"host":{"name":"Alice's MacBook Pro"},"user":{"email":"alice@brex.com"}}
+{"host":{"name":"Bob's MacBook Pro"},"user":{"email":"bob@brex.com"}}
diff --git a/examples/terraform/aws/dynamodb/telephone/edr_data.jsonl b/examples/terraform/aws/dynamodb/telephone/edr_data.jsonl
@@ -0,0 +1,2 @@
+{"host":{"id":"eb67b0b6a1d04086b75ee38d02018a10","name":"Alice's MacBook Pro"}}
+{"event":{"category":"network","type":"connection"},"host":{"id":"eb67b0b6a1d04086b75ee38d02018a10"},"process":{"name":"Spotify","pid":"d3a6c0b9d3751559f206e12fb1b8f226"},"server":{"ip":"35.186.224.39","port":443}}
diff --git a/examples/terraform/aws/dynamodb/telephone/idp_data.jsonl b/examples/terraform/aws/dynamodb/telephone/idp_data.jsonl
@@ -0,0 +1,2 @@
+{"event":{"category":"authentication","outcome":"success","type":"access"},"user":{"email":"alice@brex.com","roles":["Manager", "Security", "Engineering"]}}
+{"event":{"category":"authentication","outcome":"success","type":"deletion"},"user":{"email":"bob@brex.com","roles":["Manager", "Security", "Engineering"]}}
diff --git a/examples/terraform/aws/dynamodb/telephone/post_deploy.sh b/examples/terraform/aws/dynamodb/telephone/post_deploy.sh
@@ -0,0 +1,4 @@
+sleep 5
+AWS_DEFAULT_REGION=$AWS_REGION python3 ../build/scripts/aws/kinesis/put_records.py substation_edr terraform/aws/dynamodb/telephone/edr_data.jsonl  --print-response
+AWS_DEFAULT_REGION=$AWS_REGION python3 ../build/scripts/aws/kinesis/put_records.py substation_idp terraform/aws/dynamodb/telephone/idp_data.jsonl  --print-response
+AWS_DEFAULT_REGION=$AWS_REGION python3 ../build/scripts/aws/kinesis/put_records.py substation_md terraform/aws/dynamodb/telephone/dvc_mgmt_data.jsonl  --print-response
diff --git a/examples/terraform/aws/dynamodb/telephone/terraform/_resources.tf b/examples/terraform/aws/dynamodb/telephone/terraform/_resources.tf
@@ -0,0 +1,57 @@
+data "aws_caller_identity" "caller" {}
+
+module "appconfig" {
+  source = "../../../../../../build/terraform/aws/appconfig"
+
+  config = {
+    name         = "substation"
+    environments = [{ name = "example" }]
+  }
+}
+
+module "ecr" {
+  source = "../../../../../../build/terraform/aws/ecr"
+
+  config = {
+    name         = "substation"
+    force_delete = true
+  }
+}
+
+module "ecr_autoscale" {
+  source = "../../../../../../build/terraform/aws/ecr"
+
+  config = {
+    name         = "autoscale"
+    force_delete = true
+  }
+}
+
+module "dynamodb" {
+  source = "../../../../../../build/terraform/aws/dynamodb"
+
+  config = {
+    name      = "substation"
+    hash_key  = "PK"
+    range_key = "SK"
+    ttl       = "TTL"
+
+    attributes = [
+      {
+        name = "PK"
+        type = "S"
+      },
+      {
+        name = "SK"
+        type = "S"
+      },
+    ]
+  }
+
+  access = [
+    module.edr_enrichment.role.name,
+    module.edr_transform.role.name,
+    module.idp_enrichment.role.name,
+    module.dvc_mgmt_enrichment.role.name,
+  ]
+}
diff --git a/examples/terraform/aws/dynamodb/telephone/terraform/autoscaler.tf b/examples/terraform/aws/dynamodb/telephone/terraform/autoscaler.tf
@@ -0,0 +1,38 @@
+# Used for deploying and maintaining the Kinesis Data Streams autoscaling application; does not need to be used if deployments don't include Kinesis Data Streams.
+module "lambda_autoscaling" {
+  source = "../../../../../../build/terraform/aws/lambda"
+
+  config = {
+    name        = "autoscale"
+    description = "Autoscaler for Kinesis Data Streams"
+    image_uri   = "${module.ecr_autoscale.url}:v1.2.0"
+    image_arm   = true
+  }
+}
+
+# SNS topic for Kinesis Data Stream autoscaling alarms.
+resource "aws_sns_topic" "autoscaling_topic" {
+  name = "autoscale"
+}
+
+resource "aws_sns_topic_subscription" "autoscaling_subscription" {
+  topic_arn = aws_sns_topic.autoscaling_topic.arn
+  protocol  = "lambda"
+  endpoint  = module.lambda_autoscaling.arn
+
+  depends_on = [
+    module.lambda_autoscaling.name
+  ]
+}
+
+resource "aws_lambda_permission" "autoscaling_invoke" {
+  statement_id  = "AllowExecutionFromSNS"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_autoscaling.name
+  principal     = "sns.amazonaws.com"
+  source_arn    = aws_sns_topic.autoscaling_topic.arn
+
+  depends_on = [
+    module.lambda_autoscaling.name
+  ]
+}
diff --git a/examples/terraform/aws/dynamodb/telephone/terraform/dvc_mgmt.tf b/examples/terraform/aws/dynamodb/telephone/terraform/dvc_mgmt.tf
@@ -0,0 +1,45 @@
+# Kinesis Data Stream that stores data sent from pipeline sources.
+module "dvc_mgmt_kinesis" {
+  source = "../../../../../../build/terraform/aws/kinesis_data_stream"
+
+  config = {
+    name              = "substation_md"
+    autoscaling_topic = aws_sns_topic.autoscaling_topic.arn
+  }
+
+  access = [
+    # Autoscales the stream.
+    module.lambda_autoscaling.role.name,
+    # Consumes data from the stream.
+    module.dvc_mgmt_enrichment.role.name,
+  ]
+}
+
+module "dvc_mgmt_enrichment" {
+  source    = "../../../../../../build/terraform/aws/lambda"
+  appconfig = module.appconfig
+
+  config = {
+    name        = "dvc_mgmt_enrichment"
+    description = "Substation node that enriches device management data."
+    image_uri   = "${module.ecr.url}:v1.2.0"
+    image_arm   = true
+    env = {
+      "SUBSTATION_CONFIG" : "http://localhost:2772/applications/substation/environments/example/configurations/dvc_mgmt_enrichment"
+      "SUBSTATION_LAMBDA_HANDLER" : "AWS_KINESIS_DATA_STREAM"
+      "SUBSTATION_DEBUG" : true
+    }
+  }
+}
+
+resource "aws_lambda_event_source_mapping" "dvc_mgmt_enrichment" {
+  event_source_arn                   = module.dvc_mgmt_kinesis.arn
+  function_name                      = module.dvc_mgmt_enrichment.arn
+  maximum_batching_window_in_seconds = 5
+  batch_size                         = 100
+  parallelization_factor             = 1
+  # In this example, we start from the beginning of the stream,
+  # but in a prod environment, you may want to start from the end
+  # of the stream to avoid processing old data ("LATEST").
+  starting_position = "TRIM_HORIZON"
+}
diff --git a/examples/terraform/aws/dynamodb/telephone/terraform/edr.tf b/examples/terraform/aws/dynamodb/telephone/terraform/edr.tf
@@ -0,0 +1,78 @@
+# Kinesis Data Stream that stores data sent from pipeline sources.
+module "edr_kinesis" {
+  source = "../../../../../../build/terraform/aws/kinesis_data_stream"
+
+  config = {
+    name              = "substation_edr"
+    autoscaling_topic = aws_sns_topic.autoscaling_topic.arn
+  }
+
+  access = [
+    # Autoscales the stream.
+    module.lambda_autoscaling.role.name,
+    # Consumes data from the stream.
+    module.edr_enrichment.role.name,
+    module.edr_transform.role.name,
+  ]
+}
+
+module "edr_transform" {
+  source    = "../../../../../../build/terraform/aws/lambda"
+  appconfig = module.appconfig
+
+  config = {
+    name        = "edr_transform"
+    description = "Substation node that transforms EDR data."
+    image_uri   = "${module.ecr.url}:v1.2.0"
+    image_arm   = true
+    env = {
+      "SUBSTATION_CONFIG" : "http://localhost:2772/applications/substation/environments/example/configurations/edr_transform"
+      "SUBSTATION_LAMBDA_HANDLER" : "AWS_KINESIS_DATA_STREAM"
+      "SUBSTATION_DEBUG" : true
+    }
+  }
+}
+
+resource "aws_lambda_event_source_mapping" "edr_transform" {
+  event_source_arn = module.edr_kinesis.arn
+  function_name    = module.edr_transform.arn
+  # This is set to 30 seconds (compared to the other data sources
+  # 5 seconds) to simulate the asynchronous arrival of data in a 
+  # real-world scenario.
+  maximum_batching_window_in_seconds = 30
+  batch_size                         = 100
+  parallelization_factor             = 1
+  # In this example, we start from the beginning of the stream,
+  # but in a prod environment, you may want to start from the end
+  # of the stream to avoid processing old data ("LATEST").
+  starting_position = "TRIM_HORIZON"
+}
+
+module "edr_enrichment" {
+  source    = "../../../../../../build/terraform/aws/lambda"
+  appconfig = module.appconfig
+
+  config = {
+    name        = "edr_enrichment"
+    description = "Substation node that enriches EDR data."
+    image_uri   = "${module.ecr.url}:v1.2.0"
+    image_arm   = true
+    env = {
+      "SUBSTATION_CONFIG" : "http://localhost:2772/applications/substation/environments/example/configurations/edr_enrichment"
+      "SUBSTATION_LAMBDA_HANDLER" : "AWS_KINESIS_DATA_STREAM"
+      "SUBSTATION_DEBUG" : true
+    }
+  }
+}
+
+resource "aws_lambda_event_source_mapping" "edr_enrichment" {
+  event_source_arn                   = module.edr_kinesis.arn
+  function_name                      = module.edr_enrichment.arn
+  maximum_batching_window_in_seconds = 5
+  batch_size                         = 100
+  parallelization_factor             = 1
+  # In this example, we start from the beginning of the stream,
+  # but in a prod environment, you may want to start from the end
+  # of the stream to avoid processing old data ("LATEST").
+  starting_position = "TRIM_HORIZON"
+}
diff --git a/examples/terraform/aws/dynamodb/telephone/terraform/idp.tf b/examples/terraform/aws/dynamodb/telephone/terraform/idp.tf

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+{"host":{"name":"Alice's MacBook Pro"},"user":{"email":"[email protected]"}}`
	`2`	`+{"host":{"name":"Bob's MacBook Pro"},"user":{"email":"[email protected]"}}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+{"host":{"id":"eb67b0b6a1d04086b75ee38d02018a10","name":"Alice's MacBook Pro"}}`
	`2`	`+{"event":{"category":"network","type":"connection"},"host":{"id":"eb67b0b6a1d04086b75ee38d02018a10"},"process":{"name":"Spotify","pid":"d3a6c0b9d3751559f206e12fb1b8f226"},"server":{"ip":"35.186.224.39","port":443}}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+{"event":{"category":"authentication","outcome":"success","type":"access"},"user":{"email":"[email protected]","roles":["Manager", "Security", "Engineering"]}}`
	`2`	`+{"event":{"category":"authentication","outcome":"success","type":"deletion"},"user":{"email":"[email protected]","roles":["Manager", "Security", "Engineering"]}}`