Lambda-promtail: Add support for processing SQS messages, add promtailClient Type, add logger, upgrade dependencies and fix unexpected flushing behaviors

[CCOLLOT]

What this PR does / why we need it:

Context

I want to :

• Use lambda-promtail to ingest AWS VPC flow logs from S3 files, deploying it as an AWS lambda function.
• Configure the s3 Notification to send messages to SQS instead of directly to lambda in order to be able to spin up a secondary SQS queue to be used as a dead-letter queue lambda can send unsuccessfully processed events to.
  • This way I am able to use the AWS SQS redrive feature to process logs after fixing an outage in the ingestion flow and I am not limited by lambda giving up after 2 (default) retries.

I faced several issues:

• lambda-promtail tries to flush a batch when it gets bigger than BATCH_SIZE. The current implementation does not reset the size of the batch, leading to a flush to loki/promtail for every single added line after reaching BATCH_SIZE (and making the below file descriptor issue much worse because the http.Client is currently created in the send function.
• lambda-promtail reached the quota of file_descriptors of AWS lambda (1024) very quickly due to http.Client being created thousands of times when processing large files (a VPC flow log file can reach dozens of MB very quick, meaning hundreds of thousands of lines.

Added Feature

• Add support for processing events from an SQS queue
  • Side effect: add support for on-failure recovery using and SQS queue.
  • If merged, I would happily upload my terraform sample code to setup the S3 --> SQS main--> lambda --> SQS DLQ -->redrive to SQS main

Fixed bugs

• The flushBatch function would reset the stream after flushing but it wouldn't reset the size of the batch, leading to lambda-promtail flushing every single following line to loki/promtail. In my case it led to logs being processed very slowly by lambda when the total size is way above the default batchSize. I would reach the 15 min timeout on AWS lambda for almost every single file.
• The http.Clientused to flush logs to loki/promtail was being recreated thousands of times, which made the process quickly run out of file descriptors (limited to 1024 in AWS lambda). I set it as a global variable to avoid impacting other parts of the code for now but if required we could do it a little cleaner via dependency injection.

After fixing those bugs my average lambda execution time for vpc flow log files (size between 10mb and 100mb) went from timing out at 15 min to ~3 seconds.

Upgrades:

• Go version to 1.19
• Dependencies using go get -u ./...

Other

• Reorganized imports
• Fixed some typos

Special notes for your reviewer:

Checklist

• Reviewed the CONTRIBUTING.md guide (required)
• Documentation added
• Tests updated
• CHANGELOG.md
• Changes that require user attention or interaction to upgrade are documented in docs/sources/upgrading/_index.md

[grafanabot]

./tools/diff_coverage.sh ../loki-target-branch/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[grafanabot]

./tools/diff_coverage.sh ../loki-target-branch/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[grafanabot]

./tools/diff_coverage.sh ../loki-target-branch/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[grafanabot]

./tools/diff_coverage.sh ../loki-target-branch/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[grafanabot]

./tools/diff_coverage.sh ../loki-target-branch/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[cstyan]

few minor comments

reviewing this I also started thinking that it might make sense to implement a client type within lambda promtail that we could attach functions to, and it could store the promtailClient reference rather than creating more package level globals

[cstyan]

did you mean to include this println?

[CCOLLOT]

I used it for debugging purposes and ended up leaving it there since it's a useful piece of information (it helps immediately know what event/file is being processed) and because it prints only 1 line per lambda invocation (so it's not like it's going to cost a lot in Cloudwatch logs).

As the code is growing maybe we should have a more structured approach.
Maybe we could remove this line and open up another MR to use the standard logger (and set the LOG_LEVEL or DEBUG using an environment variable)? WDYT?

[cstyan]

I'm fine with keeping as is or implementing something more structured.

[CCOLLOT]

Okay I implemented the logger in my latest commit, I went with go-kit since it's the one used in the main project

[CCOLLOT]

Thanks! I will update this PR with your comments and the new client type ✌️

[grafanabot]

./tools/diff_coverage.sh ../loki-target-branch/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[grafanabot]

./tools/diff_coverage.sh ../loki-target-branch/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[cstyan]

Looks like there's a conflict with your CHANGELOD.md changes. Might be easiest to remove that commit, merge upstream main into your branch, and then make your changelog entry again. I'll have a look at the client and logger changes in the morning.

[grafanabot]

./tools/diff_coverage.sh ../loki-target-branch/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[cstyan]

why are we removing the object fetching code here and moving it?

[CCOLLOT]

This gets3Object function does two different things, it gets an *s3.Client from the client map (and updates the map if creating a new client), then it fetches the s3 object.
I thought it made more sense to move the client part to a dedicated getS3Client function (besides, one of the bugs fixed with this MR is actually linked to a "do_something_with_a_client" function with the said client being created in the same function).
Doing so left the gets3Object function as a wrapper just calling s3.getObject without any other action, so it made little sense to keep it, which is why I moved it back to processS3Event.

If it does not make sense and/or if it is not a desired change I can just set it back the way it was. What do you think?

[cstyan]

👍 got it

[JStickler]

[Docs squad] Couple of small suggestions.

[JStickler]

[docs sqad] docs look good, I'll leave it to engineering to approve the code.

[cstyan]

I appreciate the bug fixes 👍

Having never used SQS myself I can't speak to the validity of the SQS specific code or how you're talking about using it, but I trust that you or other users will be using it enough to point out any issues that need fixing going forward.

I'll leave this for a day just to have one last read through and see if anyone else has comments, and then merge.

[CCOLLOT]

I appreciate the bug fixes 👍

Having never used SQS myself I can't speak to the validity of the SQS specific code or how you're talking about using it, but I trust that you or other users will be using it enough to point out any issues that need fixing going forward.

I'll leave this for a day just to have one last read through and see if anyone else has comments, and then merge.

Glad I could help. I've been running this code for days/weeks now and it runs smoothly.

Thanks for the review. ✌️

[cstyan]

hey @CCOLLOT my bad for leaving this unmerged, do you mind just resolving the conflicts? I will merge after that

[CCOLLOT]

hey @CCOLLOT my bad for leaving this unmerged, do you mind just resolving the conflicts? I will merge after that

There you go. I had to fix main_test.go because it prevented the project from building successfully. I also removed my changes to go.sum and go.mod and went with main's files (even if they use older versions in general)