Using AWS FIS with QLDB
AWS Fault Injection Simulator (FIS) is a service that allows you to perform fault injection experiments on AWS resources to improve their fault tolerance and resiliency. Amazon Quantum Ledger Database (QLDB) is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority.
To carry out fault injection experiments on a QLDB ledger using AWS FIS, you would typically do the following:
- Define the AWS QLDB Ledger: You begin by setting up a QLDB ledger. This is your target resource on which you intend to perform fault testing.
- Set Up AWS FIS Experiment Template: You define an experiment template in AWS FIS where you specify the target (the QLDB ledger in your case), the actions (such as injecting API errors, delays, or throttling), and stop conditions.
The following TypeScript program uses Pulumi to create a QLDB ledger and sets up an AWS FIS experiment template to target this ledger. This is an illustration of how you might set up both resources using Pulumi.
```typescript
import * as aws from "@pulumi/aws";

// Create a QLDB Ledger
const myLedger = new aws.qldb.Ledger("myLedger", {
    // Replace with your desired ledger name
    name: "MyLedger",
    // Define permissions mode. ALLOW_ALL is the legacy mode; STANDARD is the
    // mode AWS recommends and enables finer-grained access control.
    permissionsMode: "ALLOW_ALL",
    // Set this to true to enable deletion protection, preventing your ledger
    // from being accidentally deleted
    deletionProtection: false,
});

// Role for AWS FIS to assume
const fisRole = new aws.iam.Role("fisRole", {
    assumeRolePolicy: {
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: {
                Service: "fis.amazonaws.com",
            },
        }],
    },
});

// Policy that grants the FIS role permission to send logs to CloudWatch
const fisRolePolicy = new aws.iam.RolePolicy("fisFunctionLogs", {
    role: fisRole.id,
    policy: {
        Version: "2012-10-17",
        Statement: [{
            Action: [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
            ],
            Effect: "Allow",
            Resource: "arn:aws:logs:*:*:*",
        }],
    },
});

// Here we would define the FIS experiment template, we would have to specify
// the actions and the target. Since AWS FIS service and resources such as
// experiment templates are not directly available in Pulumi yet, we'll have
// to use AWS management console or AWS CLI to create an experiment template
// targeting the QLDB ledger.

export const ledgerName = myLedger.name;
export const fisRoleArn = fisRole.arn;
```
Breakdown of the TypeScript Program:
- QLDB Ledger Creation: We define a new ledger named `MyLedger`. `permissionsMode` must be set; it is a required parameter determining how permissions are managed in the ledger. You may choose to enable `deletionProtection` to prevent accidental deletion of the ledger.
- AWS IAM Role for FIS: We create an IAM role (`fisRole`) that AWS FIS will assume when performing experiments. The role's trust policy allows the `fis.amazonaws.com` service to assume it.
- IAM Role Policy for Logging: An IAM policy (`fisRolePolicy`) is attached to the role, granting necessary permissions for AWS FIS to send logs to Amazon CloudWatch during experiments.
- Exports: The program exports the ledger name and the ARN of the IAM role created for AWS FIS in case we need to reference these outside of the Pulumi program.
Important Notes:
- FIS Experiment Template: Currently, there are no Pulumi resources directly available to manage AWS FIS Experiment Templates. Therefore, you will have to use the AWS Management Console or AWS CLI to create and manage experiment templates.
- Fault Injection Actions: When you set up your experiment template via AWS Management Console or CLI, you can define actions (such as injecting API errors) to the QLDB service to simulate fault conditions.
- Permissions: Make sure that the IAM role you create has the necessary permissions not just for logging, but also to perform fault injection actions you plan to use in your experiments.
Remember to replace placeholder values like ledger names with actual values suitable for your use case.
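An added example (not part of the original program) of tightening the two policy documents the program attaches to `fisRole`: the trust policy gains the `aws:SourceAccount` and `aws:SourceArn` conditions that guard against the confused-deputy problem, and the logging policy is scoped to one log group instead of `arn:aws:logs:*:*:*`. The `accountId`, `region` and `logGroup` parameters and all function names are assumptions made for illustration.

```typescript
// Added example: plain IAM policy builders; accountId, region and logGroup are assumed inputs.
type IamStatement = {
    Effect: "Allow" | "Deny";
    Action: string | string[];
    Resource?: string | string[];
    Principal?: { Service: string };
    Condition?: Record<string, Record<string, string>>;
};
type IamPolicy = { Version: "2012-10-17"; Statement: IamStatement[] };
const policyDoc = (Statement: IamStatement[]): IamPolicy => ({ Version: "2012-10-17", Statement });

// Trust policy: FIS may assume the role only for experiments in this account and region.
function fisTrustPolicy(accountId: string, region: string): IamPolicy {
    return policyDoc([{
        Effect: "Allow", Action: "sts:AssumeRole",
        Principal: { Service: "fis.amazonaws.com" },
        Condition: {
            StringEquals: { "aws:SourceAccount": accountId },
            ArnLike: { "aws:SourceArn": `arn:aws:fis:${region}:${accountId}:experiment/*` },
        },
    }]);
}

// Same three log actions as the page's policy, scoped to one log group and its streams.
function fisLogPolicy(accountId: string, region: string, logGroup: string): IamPolicy {
    const group = `arn:aws:logs:${region}:${accountId}:log-group:${logGroup}`;
    return policyDoc([{
        Effect: "Allow",
        Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        Resource: [group, `${group}:*`],
    }]);
}

// Flags service trust statements without a source-account condition, and
// resources that are "*" or that wildcard both the region and account ARN fields.
function auditPolicy(doc: IamPolicy): string[] {
    const findings: string[] = [];
    doc.Statement.forEach((s, i) => {
        if (s.Principal && !s.Condition?.StringEquals?.["aws:SourceAccount"]) {
            findings.push(`statement ${i}: ${s.Principal.Service} trust has no aws:SourceAccount condition`);
        }
        for (const r of ([] as string[]).concat(s.Resource ?? [])) {
            if (r === "*" || /^arn:[^:]*:[^:]*:\*:\*:/.test(r)) {
                findings.push(`statement ${i}: resource ${r} is not scoped to an account or region`);
            }
        }
    });
    return findings;
}
```

The builders return plain objects, so their output can be passed through `JSON.stringify` and supplied as the `assumeRolePolicy` and `policy` values in the program above.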