Adding english documentation on how to configure lambdas on cloudprem.#35254
Adding english documentation on how to configure lambdas on cloudprem.#35254
Conversation
fulmicoton-dd
force-pushed
the
paul.masurel/cloudprem-lambda
branch
from
f71ed05 to
adb1f15
Compare
There was a problem hiding this comment.
Pull request overview
Adds documentation for configuring Lambda-based search offloading in CloudPrem (AWS-only) and links it from the CloudPrem “Configure” landing page.
Changes:
- Introduces a new
lambda.mdpage describing Lambda search offloading, IAM prerequisites, and Helm values configuration. - Updates the CloudPrem configure index to include a “Lambda Search Offloading” navigation entry.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
content/en/cloudprem/configure/lambda.md |
New doc page covering feature overview, IAM role policies, and Helm configuration for Lambda search offloading. |
content/en/cloudprem/configure/_index.md |
Adds a “Lambda Search Offloading” link in the Configure section’s “what’s next” list. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - **The Lambda execution role**: the role assumed by the Lambda function itself at runtime. This role needs read access to your index data in S3. Its arn has to be set in the | ||
| `searcher.lambda.auto_deploy.execution_role_arn` key as we will see in [Configuration](#configuration). |
There was a problem hiding this comment.
In this paragraph the documented config key path (searcher.lambda.auto_deploy.execution_role_arn) is inconsistent with the later Helm values example (cloudprem.searcher.lambda...). This is likely to confuse users; consider using the full Helm values path consistently (and also capitalize ARN as "ARN").
| - **The Lambda execution role**: the role assumed by the Lambda function itself at runtime. This role needs read access to your index data in S3. Its arn has to be set in the | |
| `searcher.lambda.auto_deploy.execution_role_arn` key as we will see in [Configuration](#configuration). | |
| - **The Lambda execution role**: the role assumed by the Lambda function itself at runtime. This role needs read access to your index data in S3. Its ARN has to be set in the | |
| `cloudprem.searcher.lambda.auto_deploy.execution_role_arn` key as we will see in [Configuration](#configuration). |
| "Action": [ | ||
| "lambda:InvokeFunction" | ||
| ], | ||
| "Resource": "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:quickwit-lambda-search:*" |
There was a problem hiding this comment.
The lambda:InvokeFunction policy resource ARN ends with :*, which does not match the unqualified function ARN (no suffix). If CloudPrem ever invokes the function without specifying a version/alias (or during create/validation steps), this policy will deny the call. Consider including both the base function ARN and the :* variant (or using a wildcard that covers both).
| "Resource": "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:quickwit-lambda-search:*" | |
| "Resource": [ | |
| "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:quickwit-lambda-search", | |
| "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:quickwit-lambda-search:*" | |
| ] |
|
|
||
| <div class="alert alert-warning">If a lambda configuration is present, but invalid, Cloudprem's searcher will fail to start.</div> | ||
|
|
||
| After the <link to prerequisites> iam permissions have been properly set up, to enable Lambda offloading, add a `lambda` section under `cloudprem.searcher` in your Helm chart values file: |
There was a problem hiding this comment.
<link to prerequisites> appears to be a placeholder and will render literally in the published docs. Replace it with an actual link (for example, to the "Prerequisite: IAM permissions" section anchor) and capitalize "IAM".
| After the <link to prerequisites> iam permissions have been properly set up, to enable Lambda offloading, add a `lambda` section under `cloudprem.searcher` in your Helm chart values file: | |
| After the [Prerequisite: IAM permissions](#prerequisite-iam-permissions) have been properly set up, to enable Lambda offloading, add a `lambda` section under `cloudprem.searcher` in your Helm chart values file: |
|
|
||
| ## Configuration | ||
|
|
||
| <div class="alert alert-warning">If a lambda configuration is present, but invalid, Cloudprem's searcher will fail to start.</div> |
There was a problem hiding this comment.
Spelling/capitalization in this warning is inconsistent with the rest of the CloudPrem docs ("lambda"/"Cloudprem" should be "Lambda"/"CloudPrem"). Consistent product/feature capitalization helps searchability and avoids looking like a typo in an alert banner.
| <div class="alert alert-warning">If a lambda configuration is present, but invalid, Cloudprem's searcher will fail to start.</div> | |
| <div class="alert alert-warning">If a Lambda configuration is present, but invalid, CloudPrem's searcher will fail to start.</div> |
| auto_deploy: | ||
| execution_role_arn: arn:aws:iam::123456789012:role/cloudprem-lambda-role | ||
| memory_size: 5 GiB |
There was a problem hiding this comment.
The memory size value is written as 5 GiB (with a space), but elsewhere in CloudPrem docs units are written without a space (for example, 2GiB, 500MiB in content/en/cloudprem/operate/sizing.md:115-137). Aligning the unit format here would reduce ambiguity and keep documentation consistent.
Preview links (active after the
|
fulmicoton-dd
force-pushed
the
paul.masurel/cloudprem-lambda
branch
5 times, most recently
from
37f1aa2 to
e957dd3
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 46711aa132
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| "Action": [ | ||
| "lambda:CreateFunction", | ||
| "lambda:GetFunction", | ||
| "lambda:UpdateFunctionCode", | ||
| "lambda:PublishVersion", |
There was a problem hiding this comment.
lambda:InvokeFunction to the sample node policy
This policy is presented as the minimum permission set to "invoke and deploy" the offload function, but the action list only covers create/get/update/publish/list/delete. If readers apply it as written, the startup dry-run invocation described earlier on this page and the actual overflow offloads both fail with AccessDenied because lambda:InvokeFunction is never granted.
Useful? React with 👍 / 👎.
| ## Prerequisite: IAM permissions | ||
|
|
||
| Lambda search offloading requires specific permissions for two separate IAM roles: | ||
| - **The CloudPrem node role**: the role attached to the Kubernetes nodes (or pod identity) running CloudPrem. The role is defined in the `serviceAccount` section of your `values.yaml`. This role will need permissions to invoke and deploy the Lambda function. |
There was a problem hiding this comment.
On the documented AWS install path, CloudPrem gets AWS credentials from the IAM role annotated onto the Kubernetes service account (content/en/cloudprem/install/aws_eks.md:193-203), not from the EC2 worker-node role. Referring to this as the "CloudPrem node role" here points readers at the wrong principal, so they can grant the Lambda permissions to the node instance profile and still see startup validation/offloading fail because CloudPrem continues to call AWS as the service-account role.
Useful? React with 👍 / 👎.
Platane
force-pushed
the
paul.masurel/cloudprem-lambda
branch
from
46711aa to
dd324fd
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dd324fd30e
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
|
|
||
| ### CloudPrem node permissions | ||
|
|
||
| The IAM role running CloudPrem needs the following permissions to invoke and deploy the Lambda function: |
There was a problem hiding this comment.
auto_deploy only
Later on this page, auto_deploy is documented as optional, but this section presents lambda:CreateFunction, lambda:DeleteFunction, and iam:PassRole as required for every CloudPrem runtime role. In setups that pre-create the Lambda and only set function_name, readers will over-privilege the service account unnecessarily, and in locked-down AWS accounts this makes Lambda offloading look unsupported even though invoke-only access should be sufficient.
Useful? React with 👍 / 👎.
| "lambda:ListVersionsByFunction", | ||
| "lambda:DeleteFunction" | ||
| ], | ||
| "Resource": "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:cloudprem-*" |
There was a problem hiding this comment.
The startup-validation section above says CloudPrem checks the deployed function version, so the eventual InvokeFunction permission must cover qualified Lambda ARNs. AWS denies invokes when the policy only names the unqualified function ARN, which means this arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:cloudprem-* pattern is too narrow for the dry-run and real offloads once InvokeFunction is granted; it needs either :* for versions or a broader wildcard.
Useful? React with 👍 / 👎.
estherk15
left a comment
estherk15
left a comment
There was a problem hiding this comment.
Thanks for drafting this, left a few suggestions for formatting. Let me know if you have any questions!
Co-authored-by: Esther Kim <esther.kim@datadoghq.com>
Co-authored-by: Esther Kim <esther.kim@datadoghq.com>
What does this PR do? What is the motivation?
We recently introduced a new feature that allows to offload Logs Cloudprem work to AWS Lambda.
This feature is experimental and AWS specific.
Merge instructions
Merge readiness:
[6/5/2025] Merge queue has been disabled on the documentation repo. If you have write access to the repo, the PR has been reviewed by a Documentation team member, and all of the required checks have passed, you can use the Squash and Merge button to merge the PR. If you don't have write access, or you need help, reach out in the #documentation channel in Slack.
AI assistance
I used to Claude code for the initial draft. It based it off our repository documentation.
https://github.com/quickwit-oss/quickwit/blob/main/docs/configuration/lambda-config.md