Deploy an event-driven workflow that routes S3 uploads to either Lambda or Fargate via Step Functions based on file size. Uses EventBridge to trigger a Step Functions state machine when objects are uploaded to S3. Small files are processed by Lambda, large files by a Fargate task. Includes VPC, ECR repository, ECS cluster, and scoped IAM roles. Trigger keywords: Step Functions, Fargate, Lambda, S3 event, EventBridge, ECS, ECR, file processing, workflow orchestration, serverless.
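#!/usr/bin/env bash
# Deploy the S3 -> EventBridge -> Step Functions -> Lambda/Fargate pipeline.
#
# Reconstructed from the skill's inline command list (one command per line,
# in the order the skill runs them). Values in {braces} are the skill's
# placeholders and must be filled in before running; everything else is
# captured from CLI output so nothing is hand-copied between steps.
#
# Install the skill itself with:
#   npx skill4agent add aws/agent-toolkit-for-aws processing-s3-uploads-with-step-functions
#
# Prerequisites: aws CLI with credentials, docker, python3. The IAM roles
# (sfn-lambda-role, sfn-state-machine-role, sfn-eventbridge-role) come from
# references/iam-roles.md and the ECS cluster/task definition from
# references/ecs-task-definition.md; this script does not create them.
set -euo pipefail

# --- inputs ---------------------------------------------------------------
region={region}
bucket_name={bucket_name}
ecr_repo_name={ecr_repo_name}
state_machine_name={state_machine_name}
task_definition_arn={task_definition_arn}   # registered per references/ecs-task-definition.md

# Scratch files go in a private mktemp dir instead of fixed /tmp names.
workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT

# --- identity and CMK for log encryption ----------------------------------
aws sts get-caller-identity   # fails fast if credentials are missing
account_id=$(aws sts get-caller-identity --query 'Account' --output text)
kms_key_arn=$(aws kms create-key --description "Key for CloudWatch Logs encryption" \
  --region "$region" --query 'KeyMetadata.Arn' --output text)
# NOTE(review): associate-kms-key below only works once the key policy lets the
# CloudWatch Logs service principal for this region use the key; that policy is
# not shown on the page — add it before the associate step.

# --- network: default VPC, two subnets, locked-down security group --------
vpc_id=$(aws ec2 describe-vpcs --filters Name=isDefault,Values=true \
  --query 'Vpcs[0].VpcId' --output text --region "$region")
if [[ -z "$vpc_id" || "$vpc_id" == "None" ]]; then
  # Only create a default VPC when the account has none; the call fails if
  # one already exists.
  vpc_id=$(aws ec2 create-default-vpc --region "$region" \
    --query 'Vpc.VpcId' --output text)
fi

subnets=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=${vpc_id}" \
  --query 'Subnets[0:2].SubnetId' --output text --region "$region")
read -r subnet1_id subnet2_id <<<"$subnets"
if [[ -z "$subnet2_id" || "$subnet2_id" == "None" ]]; then
  printf 'need two subnets in %s, got: %s\n' "$vpc_id" "$subnets" >&2
  exit 1
fi

sg_id=$(aws ec2 create-security-group --group-name fargate-sg \
  --description "Security group for Fargate tasks" --vpc-id "$vpc_id" \
  --region "$region" --query 'GroupId' --output text)
# Least-privilege egress: drop the default allow-all rule, then permit only
# HTTPS (ECR, S3, Logs API calls) and DNS. The task has no inbound rules.
aws ec2 revoke-security-group-egress --group-id "$sg_id" \
  --ip-permissions IpProtocol=-1,IpRanges='[{CidrIp=0.0.0.0/0}]' --region "$region"
aws ec2 authorize-security-group-egress --group-id "$sg_id" \
  --protocol tcp --port 443 --cidr 0.0.0.0/0 --region "$region"
# DNS only has to reach the VPC resolver; 0.0.0.0/0 is kept from the page but
# can be narrowed to the VPC CIDR if no external resolver is used.
aws ec2 authorize-security-group-egress --group-id "$sg_id" \
  --protocol udp --port 53 --cidr 0.0.0.0/0 --region "$region"

# --- container image ------------------------------------------------------
aws ecr create-repository --repository-name "$ecr_repo_name" --region "$region"
# Scan on push so vulnerable base layers are flagged before the task runs them.
aws ecr put-image-scanning-configuration --repository-name "$ecr_repo_name" \
  --image-scanning-configuration scanOnPush=true --region "$region"

docker --version
registry="${account_id}.dkr.ecr.${region}.amazonaws.com"
# --password-stdin keeps the registry token out of argv and `ps`.
aws ecr get-login-password --region "$region" \
  | docker login --username AWS --password-stdin "$registry"

image_uri="${registry}/${ecr_repo_name}:latest"
# scripts/Dockerfile packages scripts/fargate_processor.py; linux/amd64
# matches the x86_64 task definition.
(
  cd scripts
  docker build --platform linux/amd64 -t "$ecr_repo_name" .
)
docker tag "${ecr_repo_name}:latest" "$image_uri"
docker push "$image_uri"

# --- Lambda for small files ----------------------------------------------
# The handler must sit at the zip root for lambda_function.lambda_handler
# to resolve, hence the cd before zipping.
lambda_zip="$workdir/lambda_function.zip"
(cd scripts && python3 -m zipfile -c "$lambda_zip" lambda_function.py)
aws lambda create-function \
  --function-name sfn-file-processor \
  --runtime python3.12 \
  --handler lambda_function.lambda_handler \
  --role "arn:aws:iam::${account_id}:role/sfn-lambda-role" \
  --zip-file "fileb://${lambda_zip}" \
  --timeout 60 \
  --architectures x86_64 \
  --region "$region"
aws lambda get-function --function-name sfn-file-processor --region "$region"

# --- encrypted log group for the Fargate task -----------------------------
aws logs create-log-group --log-group-name /StepFunctionFargateTask --region "$region"
aws logs associate-kms-key --log-group-name /StepFunctionFargateTask \
  --kms-key-arn "$kms_key_arn" --region "$region"

# --- S3 bucket that emits EventBridge events ------------------------------
if [[ "$region" == "us-east-1" ]]; then
  # us-east-1 rejects a LocationConstraint; every other region requires it.
  aws s3api create-bucket --bucket "$bucket_name" --region "$region"
else
  aws s3api create-bucket --bucket "$bucket_name" --region "$region" \
    --create-bucket-configuration "LocationConstraint=${region}"
fi
# Uploads only trigger the workflow through EventBridge, so the bucket must
# not be reachable anonymously.
aws s3api put-public-access-block --bucket "$bucket_name" --region "$region" \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
aws s3api put-bucket-notification-configuration --bucket "$bucket_name" \
  --notification-configuration '{"EventBridgeConfiguration": {}}' --region "$region"
# No KMSMasterKeyID is given, so objects use the AWS-managed S3 key. To use the
# CMK created above instead, add it here and grant kms:Decrypt to the Lambda
# and task roles.
aws s3api put-bucket-encryption --bucket "$bucket_name" \
  --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"}}]}' \
  --region "$region"

# --- state machine --------------------------------------------------------
# scripts/statemachine.asl.json carries ${...} tokens; substitute the real
# ARNs/IDs. '|' is the sed delimiter because ARNs contain ':' and '/'.
definition_file="$workdir/statemachine.asl.json"
sed \
  -e "s|\${LambdaFunction}|arn:aws:lambda:${region}:${account_id}:function:sfn-file-processor|g" \
  -e "s|\${Cluster}|arn:aws:ecs:${region}:${account_id}:cluster/sfn-cluster|g" \
  -e "s|\${TaskDefinition}|${task_definition_arn}|g" \
  -e "s|\${Subnet1}|${subnet1_id}|g" \
  -e "s|\${Subnet2}|${subnet2_id}|g" \
  -e "s|\${SecurityGroup}|${sg_id}|g" \
  scripts/statemachine.asl.json > "$definition_file"
state_machine_arn=$(aws stepfunctions create-state-machine \
  --name "$state_machine_name" \
  --definition "file://${definition_file}" \
  --role-arn "arn:aws:iam::${account_id}:role/sfn-state-machine-role" \
  --type STANDARD \
  --region "$region" \
  --query 'stateMachineArn' --output text)

# --- EventBridge rule: Object Created in this bucket -> state machine -----
event_pattern=$(printf '{"source":["aws.s3"],"detail-type":["Object Created"],"detail":{"bucket":{"name":["%s"]}}}' \
  "$bucket_name")
aws events put-rule --name s3-to-stepfunctions \
  --event-pattern "$event_pattern" --region "$region"

# Dead-letter queue for deliveries EventBridge cannot make (e.g. the target
# role is wrong). The page called put-targets twice (without, then with the
# DLQ); the second call replaces the first, so only the final form is kept.
dlq_url=$(aws sqs create-queue --queue-name s3-to-stepfunctions-dlq \
  --region "$region" --query 'QueueUrl' --output text)
dlq_arn=$(aws sqs get-queue-attributes --queue-url "$dlq_url" \
  --attribute-names QueueArn --query 'Attributes.QueueArn' --output text --region "$region")
# NOTE(review): EventBridge can only write to this queue if its resource policy
# allows sqs:SendMessage from events.amazonaws.com for this rule; that policy is
# not on the page — add it before relying on the DLQ.
targets=$(printf '[{"Id":"StepFunctionsTarget","Arn":"%s","RoleArn":"arn:aws:iam::%s:role/sfn-eventbridge-role","DeadLetterConfig":{"Arn":"%s"}}]' \
  "$state_machine_arn" "$account_id" "$dlq_arn")
aws events put-targets --rule s3-to-stepfunctions --targets "$targets" --region "$region"

# --- alarm on failed executions ------------------------------------------
# No --alarm-actions are given, so this only changes state; wire it to an SNS
# topic or similar to actually page someone.
aws cloudwatch put-metric-alarm --alarm-name sfn-execution-failures \
  --metric-name ExecutionsFailed --namespace AWS/States --statistic Sum \
  --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --dimensions "Name=StateMachineArn,Value=${state_machine_arn}" --region "$region"

# --- smoke test: a small upload should start one execution ----------------
printf 'test data\n' > "$workdir/small-file.txt"
aws s3 cp "$workdir/small-file.txt" "s3://${bucket_name}/small-file.txt" --region "$region"
aws stepfunctions list-executions --state-machine-arn "$state_machine_arn" --region "$region"

# --- read-only checks if nothing fires ------------------------------------
# If an execution starts but fails, the page points at the state machine role:
# it needs lambda:InvokeFunction on the function and iam:PassRole for the task
# roles. Fargate task output is in the /StepFunctionFargateTask log group.
aws s3api get-bucket-notification-configuration --bucket "$bucket_name"
aws events describe-rule --name s3-to-stepfunctions --region "$region"
aws ecr describe-images --repository-name "$ecr_repo_name" --region "$region"
aws logs tail /aws/lambda/sfn-file-processor --region "$region"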