CNCF AWS accounts for public Lambda layer #685
@wangzlei I'd like to better understand what the security implications are of providing a public Lambda layer using a CNCF AWS account vs. using an AWS account that AWS provides. Let's add this to the agenda for the upcoming Wed SIG meeting.
OTel Lambda SIG meeting today discussed this topic. Here is the answer to @alolita's question: why does OTel Lambda need a CNCF account? From the customer's perspective there is no difference between using a CNCF AWS account vs. using an AWS account that AWS provides. The only special thing is that the account id is shown in the Lambda layer ARN; the pattern is

We know who provides the account, who pays the bill and has absolute power. When AWS upstreams the OTel Lambda project to the OpenTelemetry community, the project lost

Cost estimation

To publish a public Lambda layer we need a CI/CD workflow to cover integration test, soaking, canary, etc. That needs the AWS services Lambda, API Gateway, CloudWatch, X-Ray and S3.

What account does OTel Lambda want

OTel Lambda CI/CD will run integration/soaking/canary tests on the AWS services Lambda, X-Ray, CloudWatch, CloudFormation, S3 and API Gateway, and deploy the public Lambda layer in AWS Lambda. If OTel Lambda gets an IAM user derived from a shared CNCF-OTel account, the easiest way is to have

Because an AWS Lambda layer is a regional resource, it has to be deployed to every region respectively. CN regions (Beijing and Ningxia) are isolated from normal regions; a CN AWS account and a normal AWS account cannot access each other, so we need 2 accounts, one for CN regions and one for normal regions. As a best practice we also want to separate Test and Prod if possible: the test account is for integration/soaking/canary tests, the Prod account is only for carrying the public Lambda layer and running a smoke test before the change becomes public. To sum up, as the best practice we need 4 accounts (IAM users) for:

The simple solution is combining test and prod; then we need at least 2 accounts (IAM users) for:
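The comment above makes the point that the account id embedded in the layer ARN is what tells a consumer who publishes, and therefore controls, a layer. The consuming side can turn that into a check: only attach layers whose publisher account is on an allowlist, per partition, since the CN regions live in the separate `aws-cn` partition. The following is an added example and is not code from this thread or from the OpenTelemetry Lambda project. The account ids, layer names and the allowlist are constructed placeholders; the ARN layout it parses (`arn:<partition>:lambda:<region>:<account>:layer:<name>:<version>`) is the layer-version ARN format AWS Lambda uses.

```python
"""Flag Lambda layer-version ARNs whose publisher account is not trusted.

Added example, not code from the issue thread or the OpenTelemetry Lambda project.
All account ids and layer names below are constructed placeholders.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Layer-version ARN format used by AWS Lambda:
#   arn:<partition>:lambda:<region>:<account-id>:layer:<name>:<version>
# The partition is "aws-cn" in the isolated Beijing/Ningxia regions and
# "aws-us-gov" in GovCloud; everywhere else it is "aws".
LAYER_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):lambda:"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):layer:"
    r"(?P<name>[A-Za-z0-9_-]+):(?P<version>\d+)$"
)


class LayerRef(NamedTuple):
    partition: str
    region: str
    account: str
    name: str
    version: int


def parse_layer_arn(arn: str) -> LayerRef:
    """Split a layer-version ARN into its fields; raise ValueError if malformed."""
    m = LAYER_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Lambda layer-version ARN: {arn!r}")
    return LayerRef(m["partition"], m["region"], m["account"],
                    m["name"], int(m["version"]))


# Constructed allowlist (hypothetical ids): the publisher account that is
# trusted in each partition. A CN-partition layer can only come from a CN
# account, so the allowlist is keyed by partition.
TRUSTED_PUBLISHERS: Dict[str, Set[str]] = {
    "aws": {"111111111111"},
    "aws-cn": {"222222222222"},
}


def check_layers(layer_arns: Iterable[str],
                 trusted: Dict[str, Set[str]] = TRUSTED_PUBLISHERS
                 ) -> List[Tuple[str, str]]:
    """Return (arn, problem) for every layer that must not be attached.

    An empty list means every layer came from a trusted publisher account.
    """
    problems: List[Tuple[str, str]] = []
    for arn in layer_arns:
        try:
            ref = parse_layer_arn(arn)
        except ValueError as exc:
            problems.append((arn, str(exc)))
            continue
        if ref.account not in trusted.get(ref.partition, set()):
            problems.append((arn, f"account {ref.account} is not a trusted "
                                  f"publisher in partition {ref.partition}"))
    return problems


if __name__ == "__main__":
    # Constructed sample: the layers a function configuration would reference.
    sample = [
        "arn:aws:lambda:us-east-1:111111111111:layer:otel-collector:3",
        "arn:aws-cn:lambda:cn-north-1:222222222222:layer:otel-collector:3",
        "arn:aws:lambda:eu-west-1:999999999999:layer:otel-collector:3",
        "arn:aws-cn:lambda:cn-north-1:111111111111:layer:otel-collector:3",
    ]
    for arn, why in check_layers(sample):
        print(f"REJECT {arn}: {why}")
```

Run in CI against the layer ARNs in a function's configuration before `update-function-configuration`; the last two sample ARNs are rejected, one because the account is unknown and one because a normal-partition account id appears in a CN-partition ARN.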
@wangzlei @open-telemetry/lambda-extension-maintainers is this still something that the OTel Lambda SIG would like to set up? is the cost estimate above still valid? thx!

@trask I'll look to validate that estimate, but it seems roughly correct. I do think it would be good to have access to CNCF-owned accounts for CI and releases.

@Aneurysm9 I noticed that the CloudFormation service is mentioned above, but is not included in the estimate, can you update the estimate to include that as well if it's needed?

CloudFormation is a free service. There is no charge for using it, only for the resources that it is used to deploy. It's been somewhat hard to accurately validate the estimate using our existing testing environment as it is shared with other test infrastructure that would not be necessary for the Lambda SIG. The only significant Lambda-related expense that I've been able to identify as out-of-line with this estimate is related to provisioned concurrency test functions that were not properly cleaned up following testing. Otherwise, all of these expense estimates appear appropriately conservative with the potential exception of S3 which may be on the order of $10/mo instead of $2.50, depending on retained storage size.

Filed a service desk ticket to track this: https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1556?created=true

@Aneurysm9 @wangzlei do we need 2 or 4 accounts? The 2 account approach seems better to me but open to suggestions

Updated the ticket to reflect this

Could we please get a status update on the ticket? @carlosalberto, @tedsuo, @mtwo ?

Following up, thanks for the ping! They asked if our cost estimates listed here are still correct and are waiting for us to reply.

I think Anthony addressed this in his previous comment but we'll double check. @Aneurysm9 @bryan-aguilar could yall please confirm the cost estimates or rerun the numbers based on current usage?

Nothing has changed from a cost estimate perspective since this comment.

Thanks Anthony! @mtwo confirmed it is the same!

Replied back on the ticket!

Got a reply back from the CNCF. They've asked if we'd like them to apply this to our existing AWS account: [email protected]. Two questions:

No credentials on my end!

I do not have credentials for accessing that account. I'm fine with using an existing account if it is the path of least resistance.

Turns out that the CNCF manages the account for us. I'll tell them to make the necessary changes!

I've asked them to give access to @cartersocha, @Aneurysm9, and @codeboten

We haven't received any emails yet

@mtwo the delay on getting access to the account is starting to really affect sig output and ability to deliver. Any way we can push this along?

Interesting, following up with the CNCF now

I've pinged the ticket, I'll post here as soon as I get a response
Just got the credentials, I'm sharing them with each of you via the CNCF Slack |
OpenTelemetry Lambda SIG wants to publish a public Lambda layer in AWS accounts for integration test, soaking and distro. Lambda users can play with OTel by consuming these public Lambda layers freely, like downloading Java dependencies from a Maven repo in Java development.
cc @alolita @mwto @codeboten