I am currently setting up an AWS CodePipeline with a CloudFormation template. I have configured an SNS topic for notifications and attached it to a CodeStar notification rule that targets my CodePipeline. However, I am having trouble getting SNS notifications sent for pipeline events (such as pipeline started, failed and succeeded).
In the AWS console I see that the SNS topic is unreachable.
I have double-checked my configuration but cannot find the problem. Can someone help me resolve this?
Code example: I have set up an AWS CloudFormation template to create the necessary resources. Here is a snippet of my CloudFormation template:
Parameters:
  RepositoryName:
    Type: String
    Description: Name of the repository to create
    Default: sns-alert-adam
  artifactBucket:
    Type: String
    Description: Name of the artifact bucket to create
    Default: sns-alert-adam-s3-artifact-bucket
  snsTopicName:
    Description: Name of the SNS topic that receives the CodeStar notifications
    Type: String
    Default: codestar-notifications-sns-alert-adam
  EmailAddress:
    Description: Email Address for sending SNS notifications
    Type: String
    Default: [email protected]
Resources:
  ## IAM Role for CodePipeline
  # Note: CodeStar Notifications publishes to the topic with its own service principal
  # (codestar-notifications.amazonaws.com); the SNS permissions on this role play no part
  # in delivering pipeline notifications. The topic policy below is what grants that access.
  # Several statements here grant "*" on every resource (ec2:*, rds:*, sns:*, ...), far more
  # than a Source -> Build pipeline needs; trim them before using this outside a test account.
  CodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CodePipelineRole-adam
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub ${RepositoryName}-codepipeline-adam
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action:
                  - lambda:InvokeFunction
                  - lambda:ListFunctions
                  - opsworks:CreateDeployment
                  - opsworks:DescribeApps
                  - opsworks:DescribeCommands
                  - opsworks:DescribeDeployments
                  - opsworks:DescribeInstances
                  - opsworks:DescribeStacks
                  - opsworks:UpdateApp
                  - opsworks:UpdateStack
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:UpdateStack
                  - cloudformation:CreateChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:SetStackPolicy
                  - cloudformation:ValidateTemplate
                  - codebuild:BatchGetBuilds
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuildBatches
                  - codebuild:StartBuildBatch
                  - states:DescribeExecution
                  - states:DescribeStateMachine
                  - states:StartExecution
                  - sns:*
                Resource: "*"
                Effect: Allow
              - Action:
                  - codestar-connections:UseConnection
                Resource: "*"
                Effect: Allow
              - Action:
                  - elasticbeanstalk:*
                  - ec2:*
                  - elasticloadbalancing:*
                  - autoscaling:*
                  - cloudwatch:*
                  - sns:*
                  - cloudformation:*
                  - rds:*
                  - sqs:*
                  - ecs:*
                Resource: "*"
                Effect: Allow
              - Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
                  - s3:PutObject
                  - s3:PutObjectAcl
                  - s3:PutObjectVersionAcl
                Resource:
                  - !Sub arn:${AWS::Partition}:s3:::${artifactBucket}
                  - !Sub arn:${AWS::Partition}:s3:::${artifactBucket}/*
                Effect: Allow
              - Action:
                  - codedeploy:CreateDeployment
                  - codedeploy:GetApplication
                  - codedeploy:GetApplicationRevision
                  - codedeploy:GetDeployment
                  - codedeploy:GetDeploymentConfig
                  - codedeploy:RegisterApplicationRevision
                Resource: "*"
                Effect: Allow
              - Action:
                  - codecommit:CancelUploadArchive
                  - codecommit:GetBranch
                  - codecommit:GetCommit
                  - codecommit:GetRepository
                  - codecommit:GetUploadArchiveStatus
                  - codecommit:UploadArchive
                Resource: "*"
                Effect: Allow
              # Already covered by the sns:* grants above; kept as the one SNS statement
              # that is scoped to the actual topic. IAM action names are case-insensitive.
              - Sid: StatusNotificationsPolicy
                Effect: Allow
                Action:
                  - sns:Publish
                  - sns:Subscribe
                  - SNS:GetTopicAttributes
                  - SNS:SetTopicAttributes
                  - SNS:AddPermission
                  - SNS:RemovePermission
                  - SNS:DeleteTopic
                  - SNS:ListSubscriptionsByTopic
                Resource: !Ref MySNSTopic
  CreateSnsAlertPipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      ArtifactStore:
        Type: S3
        Location: !Ref artifactBucket
      Name: !Sub ${RepositoryName}-sns-alert-pipeline
      RoleArn: !GetAtt CodePipelineRole.Arn
      Stages:
        - Name: Source
          Actions:
            - Name: Source
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: 1
                Provider: CodeCommit
              OutputArtifacts:
                - Name: SourceOutput
              Configuration:
                RepositoryName: !Ref RepositoryName
                BranchName: main
              RunOrder: 1
        - Name: Build
          Actions:
            - Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: 1
                Provider: CodeBuild
              InputArtifacts:
                - Name: SourceOutput
              Configuration:
                ProjectName: !Ref RepositoryName
              RunOrder: 1
  CodeStar:
    Type: AWS::CodeStarNotifications::NotificationRule
    # The rule must not be created before the topic policy that lets
    # codestar-notifications.amazonaws.com publish exists; a rule whose target it cannot
    # publish to at creation time is shown as Unreachable. The original template built
    # both ARNs below from strings, so CloudFormation saw no dependency on the topic, the
    # policy or the pipeline and could create the rule first. Referencing the resources
    # directly and adding DependsOn fixes the ordering.
    DependsOn: TopicPolicy
    Properties:
      Name: 'My Notification Rule for Comments on Commits'
      DetailType: FULL
      # Ref on an AWS::CodePipeline::Pipeline returns the pipeline name
      Resource: !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CreateSnsAlertPipeline}
      EventTypeIds:
        - codepipeline-pipeline-pipeline-execution-started
        - codepipeline-pipeline-pipeline-execution-failed
        - codepipeline-pipeline-pipeline-execution-succeeded
      Targets:
        - TargetType: SNS
          # Ref on an AWS::SNS::Topic returns the topic ARN
          TargetAddress: !Ref MySNSTopic
  MySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref snsTopicName
      Subscription:
        - Endpoint: !Ref EmailAddress
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref MySNSTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codestar-notifications.amazonaws.com
            Action:
              - SNS:Publish
            Resource: !Ref MySNSTopic
To troubleshoot the SNS topic being unreachable in your AWS CodePipeline setup using the CloudFormation template, you can follow these steps:
Check the SNS topic configuration: Verify that the SNS topic configuration in the CloudFormation template is correct. Make sure the topic name, the notification email address and the subscription are defined accurately.
IAM role permissions: Review the IAM role (CodePipelineRole) defined in the CloudFormation template. Confirm that the role has the permissions required to interact with the SNS topic, including publishing messages.
CodePipeline configuration: Double-check the configuration of the CodePipeline (CreateSnsAlertPipeline) in the template. Make sure the pipeline is set up correctly to trigger SNS notifications for pipeline events.
CodeStar notification rule: Verify the configuration of the CodeStar notification rule (CodeStar) in the template. Confirm that the rule targets the correct CodePipeline and SNS topic for the notifications.
SNS topic policy: Review the SNS topic policy (TopicPolicy) in the CloudFormation template. Make sure the policy allows the codestar-notifications.amazonaws.com service principal to publish messages to the SNS topic.
Console monitoring: Monitor the AWS Management Console for any error messages or notifications related to the SNS topic. Check for any specific error codes or messages that might indicate why the topic is unreachable.
By carefully checking and verifying these aspects of your CloudFormation template, you can identify and resolve any misconfiguration or issue causing the SNS topic to be unreachable in your AWS CodePipeline setup.
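The two checks from the answer that can actually be decided from the template alone, the topic policy and the notification rule's ordering, as an added example written for this page (it is not code from the question or the answer). It works on the template in its JSON form (Ref / Fn::GetAtt / Fn::Sub instead of the YAML short tags) so that only the Python standard library is needed, and it embeds a constructed sample that holds the topic and topic policy from the question together with the rule as posted (TargetAddress assembled from the snsTopicName parameter) and a corrected rule; the logical IDs RuleAsPosted and RuleFixed and the wording of the findings are my own.

```python
"""Offline checks for a CodeStar Notifications rule whose SNS target shows "Unreachable".
Verified against a CloudFormation template (JSON form):
 1. the AWS::SNS::TopicPolicy for the target topic allows codestar-notifications.amazonaws.com
    to publish to it, and
 2. the NotificationRule is ordered after that policy (DependsOn or an intrinsic reference),
    so CloudFormation cannot create the rule before the permission exists."""
import re

CODESTAR_PRINCIPAL = "codestar-notifications.amazonaws.com"

# Constructed sample: the question's topic and topic policy, plus the rule as posted and a fixed one.
SAMPLE_TEMPLATE = {
    "Parameters": {"snsTopicName": {"Type": "String", "Default": "codestar-notifications-sns-alert-adam"}},
    "Resources": {
        "MySNSTopic": {"Type": "AWS::SNS::Topic", "Properties": {"TopicName": {"Ref": "snsTopicName"}}},
        "TopicPolicy": {"Type": "AWS::SNS::TopicPolicy", "Properties": {
            "Topics": [{"Ref": "MySNSTopic"}],
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Principal": {"Service": CODESTAR_PRINCIPAL},
                "Action": ["SNS:Publish"], "Resource": {"Ref": "MySNSTopic"}}]}}},
        # As posted: the ARN is built from a parameter, so nothing ties the rule to the topic or its policy.
        "RuleAsPosted": {"Type": "AWS::CodeStarNotifications::NotificationRule", "Properties": {
            "Targets": [{"TargetType": "SNS", "TargetAddress": {
                "Fn::Sub": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${snsTopicName}"}}]}},
        # Corrected: reference the topic directly and wait for its policy.
        "RuleFixed": {"Type": "AWS::CodeStarNotifications::NotificationRule", "DependsOn": "TopicPolicy",
                      "Properties": {"Targets": [{"TargetType": "SNS", "TargetAddress": {"Ref": "MySNSTopic"}}]}},
    },
}


def intrinsic_refs(node):
    """Logical IDs referenced via Ref, Fn::GetAtt or ${...} in Fn::Sub (AWS:: pseudo parameters excluded)."""
    refs = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                refs.add(value)
            elif key == "Fn::GetAtt":
                refs.add(value[0] if isinstance(value, list) else str(value).split(".")[0])
            elif key == "Fn::Sub":
                text, variables = (value, {}) if isinstance(value, str) else (value[0], value[1])
                for var in re.findall(r"\$\{([^}]+)\}", text):
                    name = var.split(".")[0]          # ${Res.Attr} is a GetAtt on Res
                    if not name.startswith("AWS::") and name not in variables:
                        refs.add(name)
                refs |= intrinsic_refs(variables)    # the local variable map may itself hold Refs
            else:
                refs |= intrinsic_refs(value)
    elif isinstance(node, list):
        for item in node:
            refs |= intrinsic_refs(item)
    return refs


def resource_dependencies(resource):
    """Everything CloudFormation creates before this resource: DependsOn plus intrinsic references."""
    depends_on = resource.get("DependsOn", [])
    explicit = {depends_on} if isinstance(depends_on, str) else set(depends_on)
    return explicit | intrinsic_refs(resource.get("Properties", {}))


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def allows_codestar_publish(policy_doc):
    """True if an Allow statement grants codestar-notifications.amazonaws.com sns:Publish (or sns:*)
    and no Deny statement revokes it. Action names compare case-insensitively, as IAM does.
    A bare "*" principal counts as allowing it too (it allows everyone, which is its own problem)."""
    allowed = False
    for stmt in _as_list(policy_doc.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        covers = (principal == "*" or CODESTAR_PRINCIPAL in services) and actions & {"sns:publish", "sns:*"}
        if covers and stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or bool(covers and stmt.get("Effect") == "Allow")
    return allowed


def check_template(template):
    """Findings for every SNS target of every NotificationRule; an empty list means both checks pass."""
    resources = template["Resources"]
    topics = {lid for lid, res in resources.items() if res["Type"] == "AWS::SNS::Topic"}
    policies_for_topic = {}
    for lid, res in resources.items():
        if res["Type"] == "AWS::SNS::TopicPolicy":
            for topic in intrinsic_refs(res["Properties"].get("Topics", [])):
                policies_for_topic.setdefault(topic, []).append(lid)
    findings = []
    for lid, res in resources.items():
        if res["Type"] != "AWS::CodeStarNotifications::NotificationRule":
            continue
        deps = resource_dependencies(res)
        for target in res["Properties"].get("Targets", []):
            if target.get("TargetType") != "SNS":
                continue
            target_topics = intrinsic_refs(target.get("TargetAddress")) & topics
            if not target_topics:
                findings.append(f"{lid}: TargetAddress does not reference a topic in this template, "
                                "so the rule is not ordered after the topic or its policy")
                continue
            for topic in target_topics:
                policies = policies_for_topic.get(topic, [])
                if not policies:
                    findings.append(f"{lid}: topic {topic} has no AWS::SNS::TopicPolicy")
                for policy in policies:
                    if not allows_codestar_publish(resources[policy]["Properties"]["PolicyDocument"]):
                        findings.append(f"{lid}: {policy} does not allow {CODESTAR_PRINCIPAL} to SNS:Publish to {topic}")
                    if policy not in deps:
                        findings.append(f"{lid}: add DependsOn: {policy} so the rule is created after the policy")
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is for RuleAsPosted: its target address is not tied to MySNSTopic, so CloudFormation is free to create the rule before TopicPolicy. A real template would be loaded with `json.load` (or converted from YAML with `cfn-flip` or a tag-aware YAML loader) and passed to `check_template` in the same way; the permission check alone is also usable on a live topic by feeding it the `Policy` attribute returned by `sns get-topic-attributes`.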