My local environment had the following:
OSX El Capitan 10.11.6
node --version v7.2.0
Detailed Steps:
Create a slack slash-command
- Navigate to my.slack.com/services/new/slash-commands, choose the slack team you want to add the slash-command integration to, and login
- Name your custom command, mine was "/healthcheck"
- Configure Integration Settings
- Command: /healthcheck
- URL: Use a dummy test REST API for now, like https://jsonplaceholder.typicode.com/posts. <Fill the real REST API URL later after we create the AWS Lambda microservice>
- Method: POST
- Token: <Generated from slack, will be used with AWS Lambda microservice>
- Customize Name: healthcheckuser
- Customize Icon: Used the cherryshoe icon
- Click "Save Integration"
Prerequisites you'll need to do prior to creating Lambda microservice
- Create an IAM role to grant external identities access to your AWS account
- I created a role called "healthcheckrole"
- Create a Key Management Service (KMS) key. Followed these instructions to create a KMS key:
- Create a new Customer Master Key (CMK key)
- Click on "Create key"
- Enter in key alias and description
- Alias: Slack_healthcheck_key
- Description: Slack health to lambda service key
- Key Material Design: KMS
- Click 'Next Step'
- Define Key Administrative Permissions. Choose the userrole you created earlier, mine was healthcheckrole
- Click "Finish"
- Now we need to encrypt the Token created from Slack with the Slack_healthcheck_key we just created, using AWS CLI. I am running on OSX, and already had python dependencies installed
- I ran through the CLI installation guide using pip and configured AWS CLI so I could run it locally
- Encrypted the Token created from Slack with command:
aws kms encrypt --key-id alias/<KMS key name> --plaintext "<COMMAND_TOKEN FROM SLASH COMMAND>"
We created the alias during the "Create a KMS key" step above, so the resulting command is:
aws kms encrypt --key-id alias/Slack_healthcheck_key --plaintext "<COMMAND_TOKEN FROM SLASH COMMAND>"
The json returned will have CiphertextBlob and KeyId attributes and values - Grab the base-64 encoded encrypted key that was created under cipherTextBlob json attribute value from the encrypt command, we will use it in a later step
- Navigate to https://console.aws.amazon.com/lambda/ and login to your AWS account. Click the “Get Started Now” button
- Click "Create a Lambda function" button
- Select blueprint, search for and select the "slack-echo-command"
- Configure triggers,
- API name: healthstatus
- Deployment stage: prod
- Security: Open <We will choose Open for now, we can add security at a later time>
- Configure function,
- Name: healthstatus
- Description: Function handles a Slack slash command and makes a REST call to health status api
- Runtime: Node.js 4.3
- Inline code is automatically created for you via the blueprint chosen, this is the original code:
- Here is the updated code to make a call to a REST endpoint to get the health status of an application. I added the use of the "https" library, and in the processEvent function, made the https call to the health status endpoint. In this example here, I was calling a health REST api to https://api.openaq.org/status
- Replace the “kmsEncryptedToken” environment variable value from <enter value here> to the cipherTextBlob value (This is the base-64 encoded encrypted <COMMAND_TOKEN FROM SLASH COMMAND>). You can also check the "Enable encryption helpers" checkbox.
- Select the Role as "Choose existing role"
- Existing role should be the IAM role you granted earlier, mine is "healthcheckrole"
- Everything else leave as default
- Click "Next"
- Click "Create function"
- Click on "Test" button to test your function. You should see an error "Request token (undefined) does not match expected", since it was not invoked from slack (or properly simulated)
- Let's go ahead and deploy the API now, so we can simulate the call externally
- Go to Actions -> Publish new version. Grab the AWS API Gateway Endpoint from the Triggers tag, it should look similar to https://<uniqueid>.execute-api.us-east-1.amazonaws.com/prod/healthCheck
- We can now simulate the call from slack by doing a curl invocation
curl -v -X POST --data "token=<COMMAND_TOKEN FROM SLASH COMMAND>&user_name=healthcheckuser&command=healthcheck&text=commandText&channel_name=channel" https://<uniqueid>.execute-api.us-east-1.amazonaws.com/prod/healthCheck
Received the following response: "api.openaq.org/status is [green]"
'use strict';
/*
This function handles a Slack slash command and echoes the details back to the user.
Follow these steps to configure the slash command in Slack:
1. Navigate to https://<your-team-domain>.slack.com/services/new
2. Search for and select "Slash Commands".
3. Enter a name for your command and click "Add Slash Command Integration".
4. Copy the token string from the integration settings and use it in the next section.
5. After you complete this blueprint, enter the provided API endpoint URL in the URL field.
To encrypt your secrets use the following steps:
1. Create or use an existing KMS Key - http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
2. Click the "Enable Encryption Helpers" checkbox
3. Paste <COMMAND_TOKEN> into the kmsEncryptedToken environment variable and click encrypt
Follow these steps to complete the configuration of your command API endpoint
1. When completing the blueprint configuration select "Open" for security
on the "Configure triggers" page.
2. Enter a name for your execution role in the "Role name" field.
Your function's execution role needs kms:Decrypt permissions. We have
pre-selected the "KMS decryption permissions" policy template that will
automatically add these permissions.
3. Update the URL for your Slack slash command with the invocation URL for the
created API resource in the prod stage.
*/
const AWS = require('aws-sdk');
const qs = require('querystring');
const kmsEncryptedToken = process.env.kmsEncryptedToken;
let token;
function processEvent(event, callback) {
const params = qs.parse(event.body);
const requestToken = params.token;
if (requestToken !== token) {
console.error(`Request token (${requestToken}) does not match expected`);
return callback('Invalid request token');
}
const user = params.user_name;
const command = params.command;
const channel = params.channel_name;
const commandText = params.text;
callback(null, `${user} invoked ${command} in ${channel} with the following text: ${commandText}`);
}
exports.handler = (event, context, callback) => {
const done = (err, res) => callback(null, {
statusCode: err ? '400' : '200',
body: err ? (err.message || err) : JSON.stringify(res),
headers: {
'Content-Type': 'application/json',
},
});
if (token) {
// Container reuse, simply process the event with the key in memory
processEvent(event, done);
} else if (kmsEncryptedToken && kmsEncryptedToken !== '<kmsEncryptedToken>') {
const cipherText = { CiphertextBlob: new Buffer(kmsEncryptedToken, 'base64') };
const kms = new AWS.KMS();
kms.decrypt(cipherText, (err, data) => {
if (err) {
console.log('Decrypt error:', err);
return done(err);
}
token = data.Plaintext.toString('ascii');
processEvent(event, done);
});
} else {
done('Token has not been set.');
}
};
'use strict';
/*
This function handles a Slack slash command and echoes the details back to the user.
Follow these steps to configure the slash command in Slack:
1. Navigate to https://<your-team-domain>.slack.com/services/new
2. Search for and select "Slash Commands".
3. Enter a name for your command and click "Add Slash Command Integration".
4. Copy the token string from the integration settings and use it in the next section.
5. After you complete this blueprint, enter the provided API endpoint URL in the URL field.
To encrypt your secrets use the following steps:
1. Create or use an existing KMS Key - http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
2. Click the "Enable Encryption Helpers" checkbox
3. Paste <COMMAND_TOKEN> into the kmsEncryptedToken environment variable and click encrypt
Follow these steps to complete the configuration of your command API endpoint
1. When completing the blueprint configuration select "Open" for security
on the "Configure triggers" page.
2. Enter a name for your execution role in the "Role name" field.
Your function's execution role needs kms:Decrypt permissions. We have
pre-selected the "KMS decryption permissions" policy template that will
automatically add these permissions.
3. Update the URL for your Slack slash command with the invocation URL for the
created API resource in the prod stage.
*/
const AWS = require('aws-sdk');
const qs = require('querystring');
const client = require('https');
const kmsEncryptedToken = process.env.kmsEncryptedToken;
let token;
function processEvent(event, callback) {
const params = qs.parse(event.body);
const requestToken = params.token;
if (requestToken !== token) {
console.error(`Request token (${requestToken}) does not match expected`);
return callback('Invalid request token');
}
const user = params.user_name;
const command = params.command;
const channel = params.channel_name;
const commandText = params.text;
console.log(`${user} invoked ${command} in ${channel} with the following text: ${commandText}`);
var options = {
hostname: 'api.openaq.org',
path: '/status',
method: 'GET',
protocol: 'https:'
};
var req = client.request(options, function(response){
console.log("Code: "+response.statusCode+ "\n Headers: "+response.headers);
var body = '';
response.on('data', function (chunk) {
body += chunk;
});
response.on('end',function(){
var jsonResponse = JSON.parse(body);
console.log("healthStatus:" + jsonResponse.results.healthStatus);
callback(null, options.hostname + options.path + ' is [' + jsonResponse.results.healthStatus + ']');
});
});
req.on('error', function(err){
console.log("Error Occurred: "+err.message);
});
// With http.request() one must always call req.end() to signify that you're done with the request - even if there is no data being written to the request body.
req.end();
}
exports.handler = (event, context, callback) => {
const done = (err, res) => callback(null, {
statusCode: err ? '400' : '200',
body: err ? (err.message || err) : JSON.stringify(res),
headers: {
'Content-Type': 'application/json',
},
});
if (token) {
// Container reuse, simply process the event with the key in memory
processEvent(event, done);
} else if (kmsEncryptedToken && kmsEncryptedToken !== '<kmsEncryptedToken>') {
const cipherText = { CiphertextBlob: new Buffer(kmsEncryptedToken, 'base64') };
const kms = new AWS.KMS();
kms.decrypt(cipherText, (err, data) => {
if (err) {
console.log('Decrypt error:', err);
return done(err);
}
token = data.Plaintext.toString('ascii');
processEvent(event, done);
});
} else {
done('Token has not been set.');
}
};
- Since the curl invocation worked, now go back to the slack integration settings for your slash command and update the URL to the AWS API Gateway Endpoint
- Test your slack command from within slack: type in /healthcheck and hit Enter
- Update with security
- Support parameters from slack on which API(s) you want to have health checks for
Thank you I appreciate your comment!
ReplyDelete