AWS EventBridge rule does not trigger Step Function when deployed with Terraform

Posted 2025-02-12 21:21:00


I have some Terraform code to deploy a CloudWatch/EventBridge rule that triggers a Step Function. I want the rule to trigger the Step Function after every 2 minutes, as indicated in the code below:

resource "aws_iam_role" "cw_sfn_role" {
  name               = "cw_sfn_role"
  assume_role_policy = data.aws_iam_policy_document.sfn_trigger_policy.json
}

data "aws_iam_policy_document" "sfn_trigger_policy" {
  statement {
    actions = [
      "sts:AssumeRole"
    ]

    principals {
      type        = "Service"
      identifiers = ["states.amazonaws.com", "events.amazonaws.com"]
    }
  }
}

resource "aws_cloudwatch_event_rule" "step_function_trigger_event_rule" {
  name                = "trigger-step-function"
  description         = "Trigger every 2 min"
  schedule_expression = "rate(2 minutes)"
  is_enabled          = true
}


resource "aws_cloudwatch_event_target" "step_function_target" {
  arn      = aws_sfn_state_machine.sfn_state_machine.arn
  rule     = aws_cloudwatch_event_rule.step_function_trigger_event_rule.name
  role_arn = aws_iam_role.cw_sfn_role.arn
}

From the AWS console, the rule is attached correctly to the Step Function, but it doesn't trigger it. Also, when I manually create a rule from the AWS console, the Step Function is triggered without any issues. I suspect the problem is either in my assigned policies or in the schedule_expression. What am I missing here?


Comments (1)

世界和平 2025-02-19 21:21:01


As your target is a Step Function, it needs to allow invocation permission to its source (CloudWatch Events in your case).

This is similar to the Invoke permission for Lambda that allows any source to trigger it.

The role that you specify for CloudWatch Events must include the permissions below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "states:StartExecution" ],
            "Resource": [ "arn:aws:states:*:*:stateMachine:*" ]
        }
    ]
}
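One way to apply the fix from the answer above in Terraform, as an added example that is not the answerer's code: it attaches a states:StartExecution policy to the role but scopes it to the single state machine from the question instead of every state machine in the account, and narrows the trust policy to the EventBridge service principal. It assumes the resource names used in the question (aws_iam_role.cw_sfn_role and aws_sfn_state_machine.sfn_state_machine).

```hcl
# Added example, not the answerer's code. Resource names
# aws_iam_role.cw_sfn_role and aws_sfn_state_machine.sfn_state_machine
# are assumed from the question.

# Permission policy: EventBridge may start executions of this one state
# machine only, rather than "arn:aws:states:*:*:stateMachine:*".
data "aws_iam_policy_document" "cw_sfn_start_execution" {
  statement {
    sid       = "AllowStartExecution"
    effect    = "Allow"
    actions   = ["states:StartExecution"]
    resources = [aws_sfn_state_machine.sfn_state_machine.arn]
  }
}

resource "aws_iam_role_policy" "cw_sfn_start_execution" {
  name   = "cw-sfn-start-execution"
  role   = aws_iam_role.cw_sfn_role.id
  policy = data.aws_iam_policy_document.cw_sfn_start_execution.json
}

# Trust policy, replacing the sfn_trigger_policy data source from the
# question: only EventBridge (events.amazonaws.com) assumes this role to
# call the target, so states.amazonaws.com does not need to be trusted here.
data "aws_iam_policy_document" "sfn_trigger_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}
```

After `terraform apply`, the next scheduled run should appear under the state machine's executions in the Step Functions console; if the rule is still not triggering, a denied `StartExecution` call from the role will show up in CloudTrail.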