Still a Work In Progress...
A lambda that lets you dynamically set a user group/alias like @oncall
based on a schedule
git clone [email protected]:markddavidoff/slack-smart-alias.git
Make sure you have Python 3.7 (or downgrade the runtime setting in serverless.yml to your version).
pip install -r requirements.txt
- todo setup app
- todo setup usergroup
Configs come from 3 places:
- Application configs in settings.py, each of which has a descriptive comment there.
- Sensitive configs/tokens are pulled from environment vars and loaded to Python vars in settings.py.
- Lambda scheduling and run options in serverless.yml, which are discussed in the serverless docs and below.
In production, serverless loads env vars from AWS Secrets Manager or AWS Parameter Store as mapped in serverless.yml.
SLACK_SMART_ALIAS_SLACK_API_TOKEN
- The Slack API token to use for authentication to the Slack Web API, which you set up in Setup Slack. Needs the Slack permissions: usergroups:read, usergroups:write, users:read, users:read.email, users.profile:read
GOOGLE_SERVICE_ACCOUNT_KEYFILE
- The JSON dict of the keyfile for the service account to use for Google Cal. You will also need to share the calendar with the email of the service account with write perms.
For production:
- Add the key to Parameter Store/Secrets Manager and then update the path for the variable under provider>environment>[var name] in serverless.yml as described in the serverless variable docs.
When running locally:
- Just load the config into a local env var, such as with export [var name]=[var value], before running.
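A startup check for the two secrets described above, as an added example (not the project's own settings.py). The names load_secrets, audit_slack_scopes and ConfigError are hypothetical; the keyfile field names and Slack's X-OAuth-Scopes response header are assumptions about those services rather than something this README states.

```python
import json
import os

# Scopes the README lists for SLACK_SMART_ALIAS_SLACK_API_TOKEN.
REQUIRED_SLACK_SCOPES = frozenset({
    "usergroups:read", "usergroups:write", "users:read",
    "users:read.email", "users.profile:read",
})
# Fields of a Google service account JSON keyfile that this check insists on.
REQUIRED_KEYFILE_FIELDS = ("type", "client_email", "private_key", "token_uri")


class ConfigError(Exception):
    """Names the offending variable but never echoes its value."""


def load_secrets(env=os.environ):
    """Return (slack_token, keyfile_dict) or raise ConfigError."""
    token = env.get("SLACK_SMART_ALIAS_SLACK_API_TOKEN", "").strip()
    if not token:
        raise ConfigError("SLACK_SMART_ALIAS_SLACK_API_TOKEN is not set")
    try:
        keyfile = json.loads(env.get("GOOGLE_SERVICE_ACCOUNT_KEYFILE", ""))
    except ValueError:
        # "from None" keeps the JSON error, whose .doc attribute holds the
        # raw secret, out of the printed traceback.
        raise ConfigError("GOOGLE_SERVICE_ACCOUNT_KEYFILE is not valid JSON") from None
    if not isinstance(keyfile, dict):
        raise ConfigError("GOOGLE_SERVICE_ACCOUNT_KEYFILE must be a JSON object")
    missing = [f for f in REQUIRED_KEYFILE_FIELDS if not keyfile.get(f)]
    if missing:
        raise ConfigError("GOOGLE_SERVICE_ACCOUNT_KEYFILE lacks: " + ", ".join(missing))
    if keyfile["type"] != "service_account":
        raise ConfigError("GOOGLE_SERVICE_ACCOUNT_KEYFILE is not a service account key")
    return token, keyfile


def audit_slack_scopes(granted_header):
    """Compare a token's granted scopes with the README's list.

    granted_header is the comma-separated value of the X-OAuth-Scopes
    response header. Returns (missing, extra) as sorted lists; "extra"
    flags scopes beyond what the lambda needs.
    """
    granted = {s.strip() for s in granted_header.split(",") if s.strip()}
    return sorted(REQUIRED_SLACK_SCOPES - granted), sorted(granted - REQUIRED_SLACK_SCOPES)
```

Calling load_secrets() once at cold start makes a missing or malformed secret fail the invocation immediately, with a log line that is safe to ship to CloudWatch.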
Once all env vars are set locally you can run the alias code locally with
or you can load production env vars to a local lambda emulator using serverless's invoke local with
serverless invoke local --function set_alias
/#todo add data to the above call
This lambda uses serverless, a toolkit that makes building, deploying and maintaining serverless apps like this lambda painless. The instructions assume you're using AWS; if you're not, you'll have to tweak some things in serverless.yml to make it work with your provider.
Their getting started page is here, copy-pasted for your convenience below (you'll also need to install npm first):
# Installing the serverless cli
npm install -g serverless
# Updating serverless from a previous version of serverless
npm install -g serverless
Then install some useful serverless plugins (you can use sls as short for serverless):
serverless-python-requirements
It's pretty annoying to add external requirements to a lambda when deploying manually. You have to build the wheels for the packages on an AWS Linux AMI and include those in the zip that you upload. Luckily, there's a serverless plugin to make that all super easy.
sls plugin install -n serverless-python-requirements
serverless-local-schedule
*No more translating times to UTC! This plugin lets you set up your crons at local time with a specified timezone and takes care of the translation for you.*
sls plugin install -n serverless-local-schedule
The Serverless Framework needs access to your cloud provider's account so that it can create and manage resources on your behalf.
If you already have the awscli installed locally:
- If you have a profile configured and set up in ~/.aws/credentials, you're good to go.
- If you don't have a profile set up, you can use the serverless config credentials command to set one up for you.
Else, read the serverless AWS setup docs.
Make sure the profile you're using to deploy has the permissions to modify all resources serverless needs. This is a good base to start with but may need tweaking as the serverless framework evolves:
{
    "Sid": "BaseServerlessPermissions",
    "Effect": "Allow",
    "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:ValidateTemplate",
        "cloudformation:UpdateStack",
        "cloudformation:ListStacks",
        "iam:GetRole",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetFunctionConfiguration",
        "lambda:ListVersionsByFunction",
        "lambda:AddPermission",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
    ],
    "Resource": "*"
},
Above we made sure our developer account had the permissions to deploy and manage a serverless application. But we also need to set up the permissions for the lambda itself. It needs to access other AWS resources, such as CloudWatch, so it can write to a log and receive triggers.
- TODO
Serverless guide for this is here.
Permissions needed:
- AWSLambdaVPCAccessExecutionRole
We created a role with the following policy: todo:
- See the notes in the serverless.yml file under functions>set_alias>events>schedule.