
Resource definition format error

How to fix a resource definition format error

I am writing a CloudFormation template that builds an ECR repository. I have built it with an event pattern so that when an image is pushed to the repository I am notified only if the image scan has HIGH or CRITICAL vulnerabilities. To keep it simple, I first built it so that instead of sending a notification to SNS it creates a log entry in CloudWatch Logs. That all works fine, but now I am trying to get it to send an email through SNS and I am running into problems. I have tried several different things in the Topic Policy, such as !GetAtt ScanReportTopic.arn as the value for Resources, and I also tried Resources: "*" and a few other things.

I don't know what else to try. Here is the template I am using (email obfuscated):


Resources:

  EventBusTestRuleCritical:
    Type: AWS::Events::Rule
    Properties: 
      EventBusName: default
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - ECR Image Scan
        detail:
          finding-severity-counts:
            CRITICAL:
            - exists: true
      Targets: 
        - Arn: !Ref ScanReportTopic
          Id: ScanReporting
  
  EventBusTestRuleHigh:
    Type: AWS::Events::Rule
    Properties: 
      EventBusName: default
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - ECR Image Scan
        detail:
          finding-severity-counts:
            HIGH:
            - exists: true
      Targets: 
        - Arn: !Ref ScanReportTopic
          Id: ScanReporting

  ECRTestRepo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: TestScanRepo #Optional
      ImageScanningConfiguration:
        scanOnPush: "true"

  ScanReportTopic:
    Type: AWS::SNS::Topic
    Properties:
      displayName: scanTopic #Optional
      Subscription:
      - Endpoint: notreal@fakemail.com
        Protocol: email
      # TopicName: Optional
  
  TopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    Topics:
      - 
        !Ref ScanReportTopic
    PolicyDocument:
      Id: !Ref ScanReportTopic
      Statement:
      - Sid: __default_statement_ID
        Effect: Allow
        Action: sns:Publish
        Resource: !Ref ScanReportTopic
        Principal: !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/default'

Solution

Everything under TopicPolicy needs to be indented one more level:

  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - 
          !Ref ScanReportTopic
      PolicyDocument:
        Id: !Ref ScanReportTopic
        Statement:
        - Sid: __default_statement_ID
          Effect: Allow
          Action: sns:Publish
          Resource: !Ref ScanReportTopic
          Principal: !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/default'

I'd suggest trying the CloudFormation Linter in VSCode to see some of these errors inline while authoring templates, along with autocompletion and documentation links:

Visual Studio Code extension


In addition to what @PatMyron wrote, there are a few more errors in your template:

  1. RepositoryName can't contain uppercase letters.

  2. Principal in TopicPolicy is incorrect. It should be events.amazonaws.com.

  3. Id in PolicyDocument should not be an ARN.

By the way, the Resource in your TopicPolicy is correct.

Corrected template

Resources:

  EventBusTestRuleCritical:
    Type: AWS::Events::Rule
    Properties: 
      EventBusName: default
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - ECR Image Scan
        detail:
          finding-severity-counts:
            CRITICAL:
            - exists: true
      Targets: 
        - Arn: !Ref ScanReportTopic
          Id: ScanReporting
  
  EventBusTestRuleHigh:
    Type: AWS::Events::Rule
    Properties: 
      EventBusName: default
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - ECR Image Scan
        detail:
          finding-severity-counts:
            HIGH:
            - exists: true
      Targets: 
        - Arn: !Ref ScanReportTopic
          Id: ScanReporting

  ECRTestRepo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: testscanrepo #Optional
      ImageScanningConfiguration:
        scanOnPush: "true"

  ScanReportTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: scanTopic #Optional
      Subscription:
      - Endpoint: notreal@fakemail.com
        Protocol: email
      # TopicName: Optional
  
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - 
          !Ref ScanReportTopic
      PolicyDocument:
        Id: PolicyForMySNSTopic
        Statement:
        - Sid: AllowEvents
          Effect: Allow
          Action: sns:Publish
          Resource: !Ref ScanReportTopic
          Principal: {Service: events.amazonaws.com}
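One way to catch the mistakes both answers describe before deploying, as an added example that is not part of the original thread: a small Python lint over the parsed template. It assumes the YAML has already been loaded by a loader that maps !Ref to {"Ref": ...} and !Sub to {"Fn::Sub": ...} (the JSON forms CloudFormation accepts), and it also flags the Resource: "*" variant mentioned in the question as an over-broad grant.

```python
"""Added lint for the CloudFormation mistakes discussed in this thread (not the project's code)."""
EVENTS_PRINCIPAL = "events.amazonaws.com"  # service principal from the corrected template

def arn_like(value) -> bool:
    """Literal ARN, or an intrinsic (!Ref/!GetAtt/!Sub) that resolves to one."""
    if isinstance(value, str):
        return value.startswith("arn:")
    return isinstance(value, dict) and bool(value.keys() & {"Ref", "Fn::GetAtt", "Fn::Sub"})

def lint(template: dict) -> list[str]:
    """Return human-readable findings; an empty list means the template passes."""
    out = []
    for name, res in template.get("Resources", {}).items():
        # Under-indented resource: its body parses as null and its Type/Properties
        # leak up to Resources level, so check the shape before anything else.
        if not isinstance(res, dict) or "Type" not in res:
            out.append(f"{name}: not a resource mapping with a Type (check indentation)")
            continue
        rtype, props = res["Type"], res.get("Properties", {})
        out += [f"{name}: property '{k}' must be PascalCase" for k in props if not k[:1].isupper()]
        if rtype == "AWS::ECR::Repository":
            rn = props.get("RepositoryName", "")
            if isinstance(rn, str) and rn != rn.lower():
                out.append(f"{name}: RepositoryName '{rn}' must be lowercase")
        if rtype == "AWS::SNS::TopicPolicy":
            doc = props.get("PolicyDocument", {})
            if arn_like(doc.get("Id")):
                out.append(f"{name}: PolicyDocument.Id must be a plain label, not an ARN")
            for st in doc.get("Statement", []):
                sid, principal = st.get("Sid"), st.get("Principal")
                if principal == "*" or st.get("Resource") == "*":
                    out.append(f"{name}/{sid}: wildcard Principal or Resource is over-broad")
                if not (isinstance(principal, dict) and principal.get("Service") == EVENTS_PRINCIPAL):
                    out.append(f"{name}/{sid}: Principal must be {{Service: {EVENTS_PRINCIPAL}}}, not an ARN")
    return out

# Constructed input: the question's template after only the indentation fix,
# as the dict a tag-aware YAML loader would produce (abridged to the relevant keys).
INDENT_FIXED = {"Resources": {
    "ECRTestRepo": {"Type": "AWS::ECR::Repository", "Properties": {"RepositoryName": "TestScanRepo"}},
    "ScanReportTopic": {"Type": "AWS::SNS::Topic", "Properties": {"displayName": "scanTopic"}},
    "TopicPolicy": {"Type": "AWS::SNS::TopicPolicy", "Properties": {"PolicyDocument": {
        "Id": {"Ref": "ScanReportTopic"},
        "Statement": [{"Sid": "__default_statement_ID", "Effect": "Allow", "Action": "sns:Publish",
                       "Resource": {"Ref": "ScanReportTopic"},
                       "Principal": {"Fn::Sub": "arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/default"}}]}}}}}
```

Running lint(INDENT_FIXED) reports exactly the four remaining problems from the second answer (uppercase repository name, lowercase displayName, ARN as policy Id, ARN as Principal), and the corrected template above yields no findings.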
