amazon-web-services - Cloudwatch 自定义事件 SQS 无法正常工作
问题描述
我正在使用 terraform 创建队列,同时还创建 Cloudwatch 事件规则并将其中一个队列设置为规则的目标。
总之,我有一个队列,它是 3 个单独的 cloudwatch 事件的目标。问题是,即使 cloudwatch 事件规则相同,但只有一个在通过 terraform 创建时有效,其他的最终在控制台中调用失败,没有日志或任何类型的可调试信息。如果自定义事件是从 aws 控制台创建的,则一切正常。
在 terraform 中创建队列
resource "aws_sqs_queue" "queue_cron" {
name = "cron"
visibility_timeout_seconds = 300 # 5 minutes
delay_seconds = 0
message_retention_seconds = 1800 # 30 minutes
receive_wait_time_seconds = 20
}
唯一的工作块
resource "aws_cloudwatch_event_rule" "eve_vendors_bot_sync" {
name = "vendors-bot-sync"
schedule_expression = "rate(1 minute)"
description = "Notify cron queue for vendors bot sync"
is_enabled = true
}
resource "aws_cloudwatch_event_target" "sqs_cron_vendors_bot_sync" {
rule = aws_cloudwatch_event_rule.eve_vendors_bot_sync.name
arn = var.queue_cron_arn
target_id = "sqsCronVendorBotSync"
input_transformer {
input_template = <<EOF
{
"messageType":"cron",
"cronType":"vendors-bot-sync"
}
EOF
}
}
即使它的结构与上述结构相同,也不起作用。
resource "aws_cloudwatch_event_rule" "eve_restos_sync" {
name = "restos-sync"
schedule_expression = "rate(1 minute)"
description = "Notify cron queue for restos sync"
is_enabled = true
}
resource "aws_cloudwatch_event_target" "sqs_cron_restos_sync" {
rule = aws_cloudwatch_event_rule.eve_restos_sync.name
arn = var.queue_cron_arn
target_id = "sqsCronRestosSync"
input_transformer {
input_template = <<EOF
{
"messageType":"cron",
"cronType":"restaurant-hours-open-close-management"
}
EOF
}
}
和上面的一样,不起作用
resource "aws_cloudwatch_event_rule" "eve_vendors_orders_sync" {
name = "vendors-orders-sync"
schedule_expression = "rate(1 minute)"
description = "Notify cron queue for vendors orders sync"
is_enabled = true
}
resource "aws_cloudwatch_event_target" "target_cron_vendors_sync" {
rule = aws_cloudwatch_event_rule.eve_vendors_orders_sync.name
arn = var.queue_cron_arn
target_id = "sqsCronVendorsOrderSync"
input_transformer {
input_template = <<EOF
{
"messageType":"cron",
"cronType":"vendors-orders-sync"
}
EOF
}
}
回答
@Marchin 正确指出的难题中缺失的部分确实是阻止 cloudwatch 向 SQS 发送消息的策略。这是使它工作的更新配置。
- 创建队列
- 创建一个策略,允许 cloudwatch 向队列发送消息
- 将策略附加到队列
resource "aws_sqs_queue" "queue_cron" {
name = "cron"
visibility_timeout_seconds = 300 # 5 minutes
delay_seconds = 0
message_retention_seconds = 1800 # 30 minutes
receive_wait_time_seconds = 20
}
data "aws_iam_policy_document" "policy_sqs" {
statement {
sid = "AWSEvents_"
effect = "Allow"
actions = [
"sqs:SendMessage",
]
principals {
type = "Service"
identifiers = ["events.amazonaws.com"]
}
resources = [aws_sqs_queue.queue_cron.arn]
}
}
resource "aws_sqs_queue_policy" "cron_sqs_policy" {
queue_url = aws_sqs_queue.queue_cron.id
policy = data.aws_iam_policy_document.policy_sqs.json
}
解决方案
我认为您对 SQS 队列的权限丢失或不正确。假设您正在创建您queue_cron
的 terraform(未在问题中显示),允许 CW 事件向其发送消息的队列及其策略将是:
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
resource "aws_sqs_queue" "queue_cron" {
name = "queue_cron"
}
resource "aws_sqs_queue_policy" "test" {
queue_url = aws_sqs_queue.queue_cron.id
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "First",
"Effect": "Allow",
"Principal": {
"AWS": "${data.aws_caller_identity.current.account_id}"
},
"Action": "sqs:*",
"Resource": "${aws_sqs_queue.queue_cron.arn}"
},
{
"Sid": "AWSEvents_",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "sqs:SendMessage",
"Resource": "${aws_sqs_queue.queue_cron.arn}",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/*"
}
}
}
]
}
POLICY
}
推荐阅读
- reactjs - 错误:元素类型无效:需要一个字符串(对于内置组件)或一个类/函数(对于复合组件)react-native
- python - 从 Python 中的小样本中识别自然语言
- python - 对 django rest framework social oauth2 的 TokeView 的串行请求导致错误
- visual-studio-code - 每当我重新启动 Visual Studio Code 时,远程 - WSL 扩展都会给我警告消息
- django - SearchFieldError - 无法使用字段“body”进行搜索。请将 index.SearchField('body') 添加到 Page.search_fields
- python - Python将excel文件与不同的非标准列名组合起来
- oracle - OBIEE12c 管理工具的行更新计数不起作用
- reactjs - 如何从材料 ui 文本字段 i 中删除选择文件工具提示
- git - 远程分支在本地仓库中不可见
- typescript - 当两个方法名称相同但参数不同时使用 sinon.spy