Terraform-Cloudformation-aws instance provider: Provided Arn is not in correct format

Problem description

I am creating a CloudFormation stack via TF to generate the AWS Instance Scheduler in AWS GovCloud. The goal is to start/stop EC2 based on tags. There are many ways to implement it, but I have to use Terraform and CloudFormation. Here is the repo -> https://github.com/Vinod1908/TestTerraform/blob/master/instanceScheduler.tf
Below is the part of the code where I think I am blocked:

        "InstanceSchedulerEncryptionKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "Description": "Key for SNS",
                "Enabled": true,
                "EnableKeyRotation": true,
                "KeyPolicy": {
                    "Statement": [
                        {
                            "Sid": "default",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Fn::Sub": "arn:$${AWS::Partition}:iam::$${AWS::AccountId}:root"
                                }
                            },
                            "Action": "kms:*",
                            "Resource": "*"
                        },
                        {
                            "Sid": "Allows use of key",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Fn::GetAtt": [
                                        "SchedulerRole",
                                        "Arn"
                                    ]
                                }
                            },
                            "Action": [
                                "kms:GenerateDataKey*",
                                "kms:Decrypt"
                            ],
                            "Resource": "*"
                        }
                    ]
                }
            }
        },

                "Code": {
                    "S3Bucket": {
                        "Fn::Join": [
                            "-",
                            [
                                "solutions",
                                {
                                    "Ref": "AWS::Region"
                                }
                            ]
                        ]
                    },
                    "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"
                }

Error:

Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [InstanceSchedulerEncryptionKey, SchedulerRule]. Rollback requested by user." "Resource creation cancelled" "Parameter arn:aws:lambda:us-gov-west-1:###########..:function:Schedule-InstanceSchedulerMain is not valid. Reason: Provided Arn is not in correct format. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException; Request ID: 37adac0c-6758-4b4f-ac86-0d0140742c80; Proxy: null)"]

Not sure whether it is feasible in GovCloud, but I was looking for potential solutions and found this: https://github.com/awslabs/aws-instance-scheduler/issues/11. I am testing it but have had no success yet.. Please help!

Adding new lines:

Thanks everyone for the replies. My issue was using the correct ARN, arn:aws-us-gov; I just applied the code and it is running. Now I am getting the error below, and I am sure it is related to the policy/role on my S3. Please let me know what is wrong with the code below. Any ideas?

S3 code section:

      "SchedulerPolicy": {
            "Type": "AWS::IAM::Policy",
            "Metadata": {
                "cfn_nag": {
                    "rules_to_suppress": [
                        {
                            "id": "W12",
                            "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
                        }
                    ]
                }
            },
            "Properties": {
                "PolicyName": "SchedulerPolicy",
                "Roles": [
                    {
                        "Ref": "SchedulerRole"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "logs:CreateLogGroup",
                                "logs:CreateLogStream",
                                "logs:PutLogEvents",
                                "logs:PutRetentionPolicy"
                            ],
                            "Resource": [
                                {
                                    "Fn::Join": [
                                        ":",
                                        [
                                            "arn:aws-us-gov:logs",
                                            {
                                                "Ref": "AWS::Region"
                                            },
                                            {
                                                "Ref": "AWS::AccountId"
                                            },
                                            "log-group",
                                            {
                                                "Ref": "SchedulerLogGroup"
                                            },
                                            "*"
                                        ]
                                    ]
                                },
                                {
                                    "Fn::Join": [
                                        ":",
                                        [
                                            "arn:aws-us-gov:logs",
                                            {
                                                "Ref": "AWS::Region"
                                            },
                                            {
                                                "Ref": "AWS::AccountId"
                                            },
                                            "log-group:/aws/lambda/*"
                                        ]
                                    ]
                                }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "s3:GetObject",
                                "s3:PutObject",
                                "s3:*"
                            ],
                            "Resource": [
                                "arn:aws-us-gov:s3:::instanceschedulertest",
                                "arn:aws-us-gov:s3:::instanceschedulertest/*"
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "rds:DeleteDBSnapshot",
                                "rds:DescribeDBSnapshots",
                                "rds:StopDBInstance"
                            ],
                            "Resource": {
                                "Fn::Join": [
                                    ":",
                                    [
                                        "arn:aws-us-gov:rds:*",
                                        {
                                            "Ref": "AWS::AccountId"
                                        },
                                        "snapshot:*"
                                    ]
                                ]
                            }
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "rds:AddTagsToResource",
                                "rds:RemoveTagsFromResource",
                                "rds:DescribeDBSnapshots",
                                "rds:StartDBInstance",
                                "rds:StopDBInstance"

Error:

Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [Main]. Rollback requested by user." "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 95db6874-d4ad-4499-95f7-f73777a6d4db; Proxy: null)"]

Thanks everyone for all the pointers, I really appreciate your input.

Tags: amazon-web-services, aws-lambda, terraform, amazon-cloudformation, amazon-cloudwatch

Solution

The reason it fails is that you formed the wrong ARN in your Terraform code.

In your repo, link

Replace the following lines about Lambda, 1047, 1358 and 1420, with "arn:aws-us-gov:lambda" instead of "arn:aws:lambda".

According to the AWS documentation, the ARN should be in this format: arn:aws-us-gov:lambda:account-id:function:function-name.

The answer to your question is to update the above lines. But I am sure you will run into errors with other resources, because all the resources you create are in the Us-Region. So please update all the necessary Joining Function Arn lines you form in the code. :)
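The answer above fixes the partition by hand; the KMS key policy earlier in the question already shows the portable alternative, taking the partition from the AWS::Partition pseudo parameter. As an added illustration (not code from the question's repository or from the aws-instance-scheduler project), the Python script below resolves the CloudFormation intrinsics used in this thread (Ref, Fn::Join, Fn::Sub and Fn::GetAtt) against constructed GovCloud pseudo-parameter values and then checks the resulting ARNs. It flags the two problems visible in the question: a hard-coded arn:aws: partition, and the S3 statement that Fn::Joins two bucket ARNs with ":" into one string, which IAM then evaluates as a single bogus ARN. The account id, the Sids and the sample statements are constructed; the script works on rendered CloudFormation JSON, that is after Terraform has turned the template's $${...} escapes into ${...}.

```python
"""Resolve the CloudFormation intrinsics used in the thread and check the ARNs
they produce for a GovCloud target.  Added illustration, not code from the
question's repository or from aws-instance-scheduler; every sample value below
is constructed.  Operates on rendered CloudFormation JSON, i.e. after Terraform
has turned the template's "$${...}" escapes into "${...}"."""
import re

# Pseudo-parameter values for a hypothetical GovCloud deployment (constructed).
PSEUDO = {
    "AWS::Partition": "aws-us-gov",
    "AWS::Region": "us-gov-west-1",
    "AWS::AccountId": "123456789012",
}

# arn:<partition>:<service>:<region>:<account>:<resource>; region and account
# may be empty (S3 ARNs), and the resource part may itself contain colons.
ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:.+$")


def resolve(node, pseudo=PSEUDO, refs=None):
    """Evaluate Ref, Fn::Join, Fn::Sub and Fn::GetAtt (the subset used in the
    question) down to plain strings.  `refs` maps logical ids or "Id.Attr" to
    values for resources whose names are only known at deploy time; unknown
    ones resolve to a "<placeholder>" so the surrounding ARN is still visible."""
    refs = refs or {}
    lookup = lambda name, default: pseudo.get(name, refs.get(name, default))
    if isinstance(node, str):
        return node
    if isinstance(node, list):
        return [resolve(n, pseudo, refs) for n in node]
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            return lookup(arg, f"<{arg}>")
        if fn == "Fn::Join":
            sep, parts = arg
            return sep.join(resolve(p, pseudo, refs) for p in parts)
        if fn == "Fn::Sub":
            template = arg if isinstance(arg, str) else arg[0]
            return re.sub(r"\$\{([^}]+)\}",
                          lambda m: lookup(m.group(1), m.group(0)), template)
        if fn == "Fn::GetAtt":
            logical, attr = arg
            return lookup(f"{logical}.{attr}", f"<{logical}.{attr}>")
    raise ValueError(f"unsupported node: {node!r}")


def check_arn(arn, partition):
    """Return the problems found in one resolved ARN (empty list = fine)."""
    problems = []
    if arn.count("arn:") > 1:
        # Typical of Fn::Join(":") over a list of ARNs: IAM sees one bogus ARN.
        problems.append("several ARNs joined into one string")
    match = ARN_RE.match(arn)
    if not match:
        problems.append("not a well-formed ARN")
    elif match.group(1) != partition:
        problems.append(f"partition {match.group(1)!r} does not match target {partition!r}")
    return problems


def audit_statements(statements, pseudo=PSEUDO, refs=None):
    """Resolve each statement's Resource and return {Sid: [problem, ...]},
    listing only statements that have at least one problem."""
    findings = {}
    for i, st in enumerate(statements):
        resources = resolve(st.get("Resource", []), pseudo, refs)
        if isinstance(resources, str):
            resources = [resources]
        sid = st.get("Sid", f"statement[{i}]")
        for arn in resources:
            if arn == "*":
                continue
            for problem in check_arn(arn, pseudo["AWS::Partition"]):
                findings.setdefault(sid, []).append(f"{arn}: {problem}")
    return findings


# Constructed statements mirroring the shapes in the question (Sids are made up).
SAMPLE_STATEMENTS = [
    {   # hard-coded commercial partition, as in the lines the answer points at
        "Sid": "HardcodedPartition", "Effect": "Allow", "Action": "lambda:InvokeFunction",
        "Resource": {"Fn::Join": [":", ["arn:aws:lambda", {"Ref": "AWS::Region"},
                                        {"Ref": "AWS::AccountId"},
                                        "function:Schedule-InstanceSchedulerMain"]]},
    },
    {   # portable form: the partition comes from the pseudo parameter
        "Sid": "PortableLambda", "Effect": "Allow", "Action": "lambda:InvokeFunction",
        "Resource": {"Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:"
                                "${AWS::AccountId}:function:Schedule-InstanceSchedulerMain"},
    },
    {   # the S3 statement from the question: two ARNs glued together with ":"
        "Sid": "JoinedBuckets", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": {"Fn::Join": [":", ["arn:aws-us-gov:s3:::instanceschedulertest",
                                        "arn:aws-us-gov:s3:::instanceschedulertest/*"]]},
    },
    {   # what that statement should look like: a list of two ARNs
        "Sid": "BucketList", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws-us-gov:s3:::instanceschedulertest",
                     "arn:aws-us-gov:s3:::instanceschedulertest/*"],
    },
]

if __name__ == "__main__":
    for sid, problems in audit_statements(SAMPLE_STATEMENTS).items():
        print(sid)
        for p in problems:
            print("  -", p)
</```

Running it reports HardcodedPartition and JoinedBuckets and stays silent on the two corrected forms. The check is deliberately heuristic: it does not validate service-specific resource syntax, only the partition and the overall arn:partition:service:region:account:resource shape, so it catches the two mistakes in the thread without pretending to be a full IAM validator. Note also that the question's S3 statement lists s3:* next to s3:GetObject and s3:PutObject; s3:* already covers both, so the narrower actions add nothing there.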
