How to stop CloudFormation from deleting AWS Cognito Lambda triggers on a stack update
I've noticed that whenever a new CloudFormation stack change is deployed, my user pool triggers get removed and have to be re-added manually in the AWS console or programmatically. This is somewhat concerning, because these triggers perform some critical operations through communication between Cognito and the backend system.
At first I thought it was the deployment framework we are using, but here is a bare-bones example of a CF template with which I can reproduce it:
Update: reflects the Lambda attachment to the user pool
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "UserPool": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "UserPoolName": "test",
        "UsernameAttributes": [
          "email"
        ],
        "EmailVerificationMessage": "Your verification code is {####}.",
        "EmailVerificationSubject": "Your verification code",
        "Policies": {
          "PasswordPolicy": {
            "MinimumLength": 8,
            "RequireLowercase": true,
            "RequireNumbers": true
          }
        }
      }
    },
    "UserPoolClient": {
      "Type": "AWS::Cognito::UserPoolClient",
      "Properties": {
        "ClientName": "Test Client",
        "UserPoolId": {
          "Ref": "UserPool"
        },
        "ExplicitAuthFlows": [
          "ALLOW_REFRESH_TOKEN_AUTH",
          "ALLOW_USER_PASSWORD_AUTH",
          "ALLOW_USER_SRP_AUTH"
        ],
        "GenerateSecret": false
      }
    },
    "PreSignUpHandlerLambdaFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Role": "arn:aws:iam::...",
        "Code": {
          "S3Bucket": "code-bucket",
          "S3Key": "code-bucket/functions.zip"
        },
        "Handler": "handlers/pre-sign-up.default",
        "Runtime": "nodejs12.x",
        "FunctionName": "test-preSignUpHandler",
        "MemorySize": 1024,
        "Timeout": 6
      }
    },
    "PreSignUpHandlerCustomCognitoUserPool1": {
      "Type": "Custom::CognitoUserPool",
      "Version": 1,
      "DependsOn": [
        "PreSignUpHandlerLambdaFunction"
      ],
      "Properties": {
        "ServiceToken": "arn:aws:lambda:...",
        "UserPoolName": "test",
        "UserPoolConfigs": [
          {
            "Trigger": "PreSignUp"
          }
        ]
      }
    }
  }
}
I've dug through the CloudWatch logs generated by the update, but nothing in them makes the user pool update and the removal of the trigger transparent. Has anyone else run into this, and is there any workaround?
Solution
This is CloudFormation's expected behavior. When it detects configuration drift during a stack update, it reverts the resource to a state consistent with your stack template. If you want to keep the change, you should specify the trigger in the CFN template. Be sure to grant Cognito access in the resource policy:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "lambda-allow-cognito-my-function",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "123456789012"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_myUserPoolId"
        }
      }
    }
  ]
}