我正在尝试使用以下 Terraform 配置部署一个 AWS EventBridge Scheduler 计划(schedule),并附加其所需的全部 IAM 策略。
# Execution role that the schedule target assumes.
# NOTE(review): the only trusted principal here is events.amazonaws.com
# (EventBridge *rules*). The aws_scheduler_schedule below is created by
# EventBridge *Scheduler*, which rejects this role with "The execution role
# you provide must allow AWS EventBridge Scheduler to assume the role"
# because scheduler.amazonaws.com is not in the trust policy.
resource "aws_iam_role" "eventbridge_role" {
name = "EventBridgeRoleForStepFunctions"
# Trust policy: which service principal may call sts:AssumeRole on this role.
assume_role_policy = jsonencode({
"Version" = "2012-10-17",
"Statement" = [
{
"Effect" = "Allow",
"Principal" = {
"Service" = "events.amazonaws.com"
},
"Action" = "sts:AssumeRole"
}
]
})
}
# Permission policy for the execution role: exactly one action
# (states:StartExecution), scoped to the ARN of the target state machine
# rather than "*", so the role cannot start any other state machine.
resource "aws_iam_policy" "eventbridge_invoke_stepfunctions_policy" {
  name        = "EventBridgeInvokeStepFunctionsPolicy"
  description = "Allow EventBridge to invoke Step Functions"
  path        = "/"

  policy = jsonencode({
    "Version" = "2012-10-17"
    "Statement" = [
      {
        "Effect"   = "Allow"
        "Action"   = "states:StartExecution"
        "Resource" = aws_sfn_state_machine.MySandboxStateMachine.arn
      }
    ]
  })
}
# Binds the invoke policy to the execution role. The trust policy on the
# role decides *who* may assume it; this attachment decides *what* the
# assumed role may do.
resource "aws_iam_role_policy_attachment" "eventbridge_role_policy_attachment" {
  policy_arn = aws_iam_policy.eventbridge_invoke_stepfunctions_policy.arn
  role       = aws_iam_role.eventbridge_role.name
}
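# EventBridge Scheduler schedule that starts the state machine every five
# minutes, assuming eventbridge_role to do so. The explicit depends_on makes
# the policy attachment a hard prerequisite: without it Terraform may create
# the schedule (and let it fire) before states:StartExecution is granted,
# so the first runs can fail on a permission error.
resource "aws_scheduler_schedule" "every_five_minutes" {
  name       = "every-five-minutes"
  group_name = "default"

  # cron(0/5 * * * ? *): minutes 0, 5, 10, ... of every hour, every day.
  schedule_expression = "cron(0/5 * * * ? *)"

  # No jitter window: run at the scheduled minute exactly.
  flexible_time_window {
    mode = "OFF"
  }

  target {
    arn = aws_sfn_state_machine.MySandboxStateMachine.arn
    # Must be assumable by scheduler.amazonaws.com; otherwise CreateSchedule
    # is rejected with a ValidationException.
    role_arn = aws_iam_role.eventbridge_role.arn
  }

  depends_on = [aws_iam_role_policy_attachment.eventbridge_role_policy_attachment]
}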
Creating Amazon EventBridge Scheduler Schedule (every-five-minutes): operation error Scheduler: CreateSchedule, https response error StatusCode: 400, RequestID: a3a7f4fa-b96e-4107-a041-2cd339e266c7, ValidationException: The execution role you provide must allow AWS EventBridge Scheduler to assume the role.
正确附加策略的修复方法是什么?我相信自己是按照 Terraform 的 AWS 指南来做的。
您需要在角色的信任策略(assume_role_policy)中使用正确的服务主体名称。本例中应为(参见文档):
"scheduler.amazonaws.com"
因此,您需要将代码更改为以下内容:
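# Identity of the deploying account, used below to pin the trust policy to
# this account. Drop this data block if the module already declares one.
data "aws_caller_identity" "current" {}

# Execution role for EventBridge Scheduler. The trusted principal is
# scheduler.amazonaws.com (events.amazonaws.com is the EventBridge *rules*
# service and is rejected by CreateSchedule). The aws:SourceAccount
# condition limits sts:AssumeRole to schedules owned by this account, so a
# schedule in another account cannot use this role (confused-deputy
# protection).
resource "aws_iam_role" "eventbridge_role" {
  name = "EventBridgeRoleForStepFunctions"

  assume_role_policy = jsonencode({
    "Version" = "2012-10-17"
    "Statement" = [
      {
        "Effect" = "Allow"
        "Principal" = {
          "Service" = "scheduler.amazonaws.com"
        }
        "Action" = "sts:AssumeRole"
        "Condition" = {
          "StringEquals" = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
}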