AWS Terraform EventBridge schedule policy

Question   Votes: 0   Answers: 1

I am trying to deploy an AWS EventBridge schedule and attach all of its related policies using the following Terraform configuration.

resource "aws_iam_role" "eventbridge_role" {
  name = "EventBridgeRoleForStepFunctions"

  assume_role_policy = jsonencode({
    "Version" = "2012-10-17",
    "Statement" = [
      {
        "Effect"    = "Allow",
        "Principal" = {
          "Service" = "events.amazonaws.com"
        },
        "Action"    = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_policy" "eventbridge_invoke_stepfunctions_policy" {
  name        = "EventBridgeInvokeStepFunctionsPolicy"
  path        = "/"
  description = "Allow EventBridge to invoke Step Functions"

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect   = "Allow",
        Action   = "states:StartExecution",
        Resource = aws_sfn_state_machine.MySandboxStateMachine.arn
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "eventbridge_role_policy_attachment" {
  role       = aws_iam_role.eventbridge_role.name
  policy_arn = aws_iam_policy.eventbridge_invoke_stepfunctions_policy.arn
}

resource "aws_scheduler_schedule" "every_five_minutes" {
  name       = "every-five-minutes"
  group_name = "default"

  flexible_time_window {
    mode = "OFF"
  }

  schedule_expression = "cron(0/5 * * * ? *)"

  target {
    arn      = aws_sfn_state_machine.MySandboxStateMachine.arn
    role_arn = aws_iam_role.eventbridge_role.arn
  }
}

Creating Amazon EventBridge Scheduler Schedule (every-five-minutes): operation error Scheduler: CreateSchedule, https response error StatusCode: 400, RequestID: a3a7f4fa-b96e-4107-a041-2cd339e266c7, ValidationException: The execution role you provide must allow AWS EventBridge Scheduler to assume the role.

What is the fix for attaching the policy correctly? I am fairly sure I followed Terraform's AWS guide.

amazon-web-services aws-lambda terraform terraform-provider-aws
1 Answer

0 votes

You need to use the correct service name in the assume role policy. In this case it is (docs):

"scheduler.amazonaws.com"

So you need to change the code to the following:

resource "aws_iam_role" "eventbridge_role" {
  name = "EventBridgeRoleForStepFunctions"

  assume_role_policy = jsonencode({
    "Version" = "2012-10-17",
    "Statement" = [
      {
        "Effect"    = "Allow",
        "Principal" = {
          "Service" = "scheduler.amazonaws.com"
        },
        "Action"    = "sts:AssumeRole"
      }
    ]
  })
}
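As an added example (not part of the answer above), the same trust policy with the correct scheduler.amazonaws.com principal, plus the aws:SourceAccount and aws:SourceArn conditions AWS recommends for Scheduler execution roles, so that only schedules in this account's "default" schedule group can assume the role rather than any Scheduler schedule in any account. The aws_caller_identity and aws_region data sources are assumptions added for this example.

```hcl
# Look up the current account and region so the conditions below are not hard-coded.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_iam_role" "eventbridge_role" {
  name = "EventBridgeRoleForStepFunctions"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        # EventBridge Scheduler (not EventBridge rules) is the service assuming this role.
        Principal = {
          Service = "scheduler.amazonaws.com"
        },
        Action = "sts:AssumeRole",
        # Confused-deputy mitigation: the service may only assume this role when acting
        # on behalf of schedules that live in this account and in the "default" group
        # used by aws_scheduler_schedule.every_five_minutes above.
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          },
          ArnLike = {
            "aws:SourceArn" = "arn:aws:scheduler:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:schedule-group/default"
          }
        }
      }
    ]
  })
}
```

If the schedule is later moved to a different group_name, the aws:SourceArn value must be updated to that group's ARN or the AssumeRole call will be denied.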