How to fix Terraform + CloudFormation AWS Instance Scheduler: "Provided Arn is not in correct format"
I am creating a CloudFormation stack through TF to deploy the AWS Instance Scheduler in AWS GovCloud. The goal is to start/stop EC2 instances based on tags. There are many ways to achieve this, but I have to use Terraform and CloudFormation. Here is the repository --> https://github.com/Vinod1908/TestTerraform/blob/master/instanceScheduler.tf
Below is the part of the code where I believe I am blocked:
  "InstanceSchedulerEncryptionKey": {
    "Type": "AWS::KMS::Key",
    "Properties": {
      "Description": "Key for SNS",
      "Enabled": true,
      "EnableKeyRotation": true,
      "KeyPolicy": {
        "Statement": [
          {
            "Sid": "default",
            "Effect": "Allow",
            "Principal": {
              "AWS": {
                "Fn::Sub": "arn:$${AWS::Partition}:iam::$${AWS::AccountId}:root"
              }
            },
            "Action": "kms:*",
            "Resource": "*"
          },
          {
            "Sid": "Allows use of key",
            "Effect": "Allow",
            "Principal": {
              "AWS": {
                "Fn::GetAtt": ["SchedulerRole", "Arn"]
              }
            },
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
            "Resource": "*"
          }
        ]
      }
    }
  },

  "Code": {
    "S3Bucket": {
      "Fn::Join": ["-", ["solutions", {"Ref": "AWS::Region"}]]
    },
    "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"
  }
Error:
Error: error waiting for CloudFormation Stack creation: Failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [InstanceSchedulerEncryptionKey, SchedulerRule]. Rollback requested by user." "Resource creation cancelled" "Parameter arn:aws:lambda:us-gov-west-1:###########..:function:Schedule-InstanceSchedulerMain is not valid. Reason: Provided Arn is not in correct format. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException; Request ID: 37adac0c-6758-4b4f-ac86-0d0140742c80; Proxy: null)"]
I'm not sure whether this is feasible in GovCloud, but I am looking for possible solutions and found this: https://github.com/awslabs/aws-instance-scheduler/issues/11. I am testing it but have not succeeded yet.. Please help!!
Update:
Thanks everyone for the replies. My problem was using the correct arn, arn:aws-us-gov
I just applied the code and it is going through. Now I get the following, and I'm sure it is related to the policy/role on my S3. Please let me know what is wrong with my code below. Any ideas?
S3 code section:
  "SchedulerPolicy": {
    "Type": "AWS::IAM::Policy",
    "Metadata": {
      "cfn_nag": {
        "rules_to_suppress": [
          {
            "id": "W12",
            "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
          }
        ]
      }
    },
    "Properties": {
      "PolicyName": "SchedulerPolicy",
      "Roles": [{"Ref": "SchedulerRole"}],
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents",
              "logs:PutRetentionPolicy"
            ],
            "Resource": [
              {
                "Fn::Join": [":", [
                  "arn:aws-us-gov:logs",
                  {"Ref": "AWS::Region"},
                  {"Ref": "AWS::AccountId"},
                  "log-group",
                  {"Ref": "SchedulerLogGroup"},
                  "*"
                ]]
              },
              {
                "Fn::Join": [":", [
                  "arn:aws-us-gov:logs",
                  {"Ref": "AWS::Region"},
                  {"Ref": "AWS::AccountId"},
                  "log-group:/aws/lambda/*"
                ]]
              }
            ]
          },
          {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:*"],
            "Resource": [
              "arn:aws-us-gov:s3:::instanceschedulertest",
              "arn:aws-us-gov:s3:::instanceschedulertest/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "rds:DeleteDBSnapshot",
              "rds:DescribeDBSnapshots",
              "rds:StopDBInstance"
            ],
            "Resource": {
              "Fn::Join": [":", [
                "arn:aws-us-gov:rds:*",
                {"Ref": "AWS::AccountId"},
                "snapshot:*"
              ]]
            }
          },
          {
            "Effect": "Allow",
            "Action": [
              "rds:AddTagsToResource",
              "rds:RemoveTagsFromResource",
              "rds:StartDBInstance",
              "rds:StopDBInstance"
            ],
Error:
Error: error waiting for CloudFormation Stack creation: Failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) Failed to create: [Main]. Rollback requested by user." "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 95db6874-d4ad-4499-95f7-f73777a6d4db; Proxy: null)"]
Thanks everyone for the pointers, I really appreciate your input.
Solution
The reason for the failure is that you formed an incorrect ARN in your Terraform code.
In your repository (link), replace the following Lambda-related lines: 1047, 1358, 1420 with "arn:aws-us-gov:lambda" instead of "arn:aws:lambda".
According to the AWS documentation, the ARN should be in this format: arn:aws-us-gov:lambda:account-id:function:function-name.
The answer to your question is to update the lines above. But I believe you will hit errors with other resources as well, because all the resources you are creating are in the US region. So please update all the necessary Join Function ARN lines you form in the code. :)
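The answer's advice generalizes beyond the three Lambda lines: any ARN literal that hard-codes a partition deploys only in that partition, so a template written against "arn:aws:" breaks in GovCloud (aws-us-gov) and China (aws-cn). The following is an added example, not code from the question's repository or from the answerer: a small Python checker that walks a parsed CloudFormation template body, flags ARN strings with a hard-coded partition, builds a replacement with the AWS::Partition pseudo-parameter (which the question's KMS key policy already uses), and escapes it for a Terraform heredoc; the sample template is constructed for this example.

```python
import re

# A string that begins with a literal ARN partition deploys only in that
# partition; "${AWS::Partition}" resolves correctly in aws, aws-us-gov and aws-cn.
HARDCODED_PARTITION = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):")


def find_hardcoded_partitions(node, path=""):
    """Walk a parsed template; return (json-path, value) for every hard-coded ARN partition."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_hardcoded_partitions(value, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_hardcoded_partitions(value, f"{path}[{i}]"))
    elif isinstance(node, str) and HARDCODED_PARTITION.match(node):
        hits.append((path, node))
    return hits


def partition_aware_arn(service, resource, region="${AWS::Region}", account="${AWS::AccountId}"):
    """Return an Fn::Sub expression for an ARN that is valid in any partition."""
    return {"Fn::Sub": f"arn:${{AWS::Partition}}:{service}:{region}:{account}:{resource}"}


def terraform_escape(template_json):
    """Escape '${' as '$${' so a Terraform heredoc passes CloudFormation
    substitutions through literally; already-escaped '$${' is left alone."""
    return re.sub(r"(?<!\$)\$\{", "$${", template_json)


# Constructed sample shaped like the question's template: the Events rule
# target hard-codes "arn:aws:lambda" (the cause of the ValidationException);
# the KMS key policy already uses ${AWS::Partition} and is not flagged.
SAMPLE_TEMPLATE = {"Resources": {
    "SchedulerRule": {"Type": "AWS::Events::Rule", "Properties": {"Targets": [{
        "Id": "Main",
        "Arn": {"Fn::Join": [":", ["arn:aws:lambda", {"Ref": "AWS::Region"},
                                   {"Ref": "AWS::AccountId"}, "function:Schedule-Main"]]}}]}},
    "InstanceSchedulerEncryptionKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {
        "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*", "Principal": {
            "AWS": {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"}}}]}}},
}}

if __name__ == "__main__":
    for path, value in find_hardcoded_partitions(SAMPLE_TEMPLATE):
        print(f"{path}: {value!r} hard-codes a partition")
    print(terraform_escape(partition_aware_arn("lambda", "function:Schedule-Main")["Fn::Sub"]))
```

Run it against `json.loads` of the rendered template body (after `terraform plan`/`show`) to catch every hard-coded partition before the stack is created rather than after a rollback.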