Sending AWS Cloudwatch Alarms to Amazon Chime

If you love Amazon Chime, and who doesn’t, you’ve probably already embraced it as a widespread communication platform for your team. Since moving to Chime a few months ago, my team has moved almost all communication onto it. We have a team chat room, rooms for individual projects, rooms for scheduling and coordinating testing, and ones for a variety of on-the-side projects and hobbies. We use it exclusively for scheduled meetings and adhoc conversations especially on days when everyone is working from home - thanks snow. With a good app on mobile platforms, it means I can stay in touch with my team better and get answers faster.

A month or so back, Chime added the ability to integrate rooms with Webhooks, enabling programmatic access to chat rooms. This means any app can now integrate with Chime and provide notifications. Unfortunately they haven’t yet added the ability for outgoing hooks which would allow bots and triggering actions from Chime, but I’m sure it’s on their roadmap. Webhooks are as simple as posting a JSON request to a given Chime url, so it’s simple to integrate notifications.

A great use for these webhooks is integrating AWS Cloudwatch alarms. We use AWS pretty heavily as you can imagine, and Cloudwatch provides great monitoring of our system health and state. We already trigger emails, pages, and other actions from these alarms, but getting a Chime message for them helps keep the team in the loop for any issues emerging. While Cloudwatch supports a number of notification types, it doesn’t yet directly support Chime, so we need to create a mapping of the alarm event to post the message to Chime. Luckily AWS Lambda is perfect for this type of behavior. We’ll set up a Cloudwatch alarm that notifies on an SNS topic which our Lambda is subscribed to, posting the contents of the alarm message to Chime.

To get started, we need the Chime webhook url. In Chime, right click on either an existing or new chat room and select “Manage webhooks…”. From here, click to copy the webhook url and save this somewhere as you’ll need it later.

Now we need to move over to the AWS Console. All of these steps can be done on the AWS CLI as well, but for the sake of having a visual, I’ll do it in the console UI.

First, we’ll create the Lambda function to process the Cloudwatch Alarm and notify the webhook. Navigate to the Lambda service in the console and add a new function. Use the default template. We’ll use Python 3.6 for the Runtime. The handler should be set to index.handler. I found it easiest to set up the files needed locally and then upload them, but you can also do it directly in the inline code editor. You’ll need three files, index.py which holds the logic, requirements.txt which lists the required modules, and setup.cfg, used for instantiating the runtime.

You can get the entire function from here: https://github.com/Tylopoda/chimewebhooklambda

When complete, your function should look like this

The function uses an Environment Variable for the webhook url, so set up the following:

Key: CHIME_WEBHOOK

Value: <your chime webhook url from earlier, starting with https://hooks.chime.aws/incomingwebhooks/XXX>

You’ll also need to set up an execution role. Select either an existing role or click to create a new one. Once you create it, you’ll need to go to the IAM service in the console and navigate to the Roles tab. Find the role you just selected and select Attach Policy. The role needs to be able to access SNS and write to Lambda, so grant it two policies, SNS full read to all resources, and Lambda write to all resources. It will look like this when complete.

Now it’s time to create the Cloudwatch Alarm that will publish via SNS. Head over to the Cloudwatch service in the console. Select and existing alarm or create a new one for one of your metrics. The key is to add an Action that publishes to a new SNS topic. You don’t need to add an email alert, but it helps for debugging. It will look like this when complete.

Now, we just need to hook up the SNS topic to the Lambda function. There are two easy ways to do this. You can either head over to the Lambda function and select this as a trigger, or use the SNS service, find your SNS topic name, and select “Create subscription”. This will give you the choice to select a Lambda function, so pick yours.

And that’s it. You can either wait for the alarm to trigger to test that it works, or purposefully trigger the alarm. I created an alarm at 2% CPU usage for testing. When it triggers, you should get both an email and a message to the Chime hook. If you only get the email, double check the IAM role has the right permissions. You can also manually test the Lambda through the console to make sure there are no runtime errors.

Now, when one of your systems has an abnormal issue, you can immediately get an alert on your phone via Chime.