Amazon CloudFormation: running a CloudFormation template that uses a custom transform fails in CodeBuild

Tags: amazon-cloudformation, aws-cli, aws-codebuild

One of my build steps runs a CloudFormation template that has a custom transform. The transform is available in us-east-1, which is the same region CodeBuild runs in. The CloudFormation template also works when I run it with my local CLI. Could you advise how to make this transform work in the CodeBuild container?

My local CLI is aws-cli/1.16.223 Python/3.6.0 Windows/10 botocore/1.12.213

During handling of the above exception, another exception occurred: 

Traceback (most recent call last): 
  File "/usr/local/lib/python3.6/dist-packages/awscli/clidriver.py", line 207, in main 
    return command_table[parsed_args.command](remaining, parsed_args) 
  File "/usr/local/lib/python3.6/dist-packages/awscli/clidriver.py", line 348, in __call__ 
    return command_table[parsed_args.operation](remaining, parsed_globals) 

  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/commands.py", line 187, in __call__ 
    return self._run_main(parsed_args, parsed_globals) 
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deploy.py", line 295, in _run_main 
    parsed_args.fail_on_empty_changeset) 
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deploy.py", line 310, in deploy 
    tags=tags 
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deployer.py", line 227, in create_and_wait_for_changeset 
    self.wait_for_changeset(result.changeset_id, stack_name) 
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deployer.py", line 178, in wait_for_changeset 
    .format(ex, status, reason)) 
RuntimeError: Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Failed to execute transform REDACTED::ALKSify 
2019-08-21 17:03:42,717 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255 

Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Failed to execute transform REDACTED::ALKSify 

I just ran into the same problem and it can be solved as follows.

You need to add the following 2 permissions to the IAM role of the CodeBuild project:

  • Allow "cloudformation:CreateChangeSet" on the macro resource itself,
    !Sub${AWS::AccountId}::ALKSify
  • Allow "lambda:InvokeFunction" on the lambda function that implements
    the macro
  • So it looks like:

      BuildProjectRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Principal:
                  Service: codebuild.amazonaws.com
                Action:
                  - "sts:AssumeRole"
          Policies:
            - PolicyName: codebuild
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Sid: lambda
                    Effect: Allow
                    Action:
                      - "lambda:InvokeFunction"
                    Resource:
                      - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:<MACRO FUNCTION NAME>"
                  - Sid: macro
                    Effect: Allow
                    Action:
                      - "cloudformation:CreateChangeSet"
                    Resource:
                      - !Sub "${AWS::AccountId}::<MACRO NAME>"
    
                  .... <Other Permissions>
    
    Cheers,
    Stan
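As an added example (not part of Stan's answer or of any AWS tooling), the following script checks a rendered IAM policy document for the two grants the answer describes before the role is deployed, using IAM-style wildcard matching, and flags Allow statements that use a bare `*` resource, which is the usual "fix" people reach for and which grants far more than the macro needs. The account id, region, macro name and function name are constructed placeholders standing in for the answer's `<MACRO NAME>` and `<MACRO FUNCTION NAME>`; the resource strings follow the exact form used in the answer's YAML once `!Sub` has been rendered.

```python
"""Verify that a CodeBuild role's policy covers a CloudFormation macro deployment.

Added example. The identifiers below are constructed placeholders, not values
from the question, the answer or any real account.
"""
import re

# Constructed placeholders (assumptions for this example only).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
MACRO_NAME = "ExampleMacro"          # stands in for <MACRO NAME>
MACRO_FUNCTION = "example-macro-fn"  # stands in for <MACRO FUNCTION NAME>


def macro_policy_statements(macro_name=MACRO_NAME, function_name=MACRO_FUNCTION,
                            region=REGION, account_id=ACCOUNT_ID):
    """The two statements from the answer, with the !Sub placeholders rendered to plain strings."""
    return [
        {"Sid": "lambda", "Effect": "Allow", "Action": ["lambda:InvokeFunction"],
         "Resource": [f"arn:aws:lambda:{region}:{account_id}:function:{function_name}"]},
        {"Sid": "macro", "Effect": "Allow", "Action": ["cloudformation:CreateChangeSet"],
         "Resource": [f"{account_id}::{macro_name}"]},
    ]


# What the CodeBuild role must be allowed to do, as (action, resource) pairs.
REQUIRED_GRANTS = [(st["Action"][0], st["Resource"][0]) for st in macro_policy_statements()]


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def missing_grants(policy_document, required=REQUIRED_GRANTS):
    """Return the required (action, resource) pairs that no Allow statement covers.

    An explicit Deny on a pair also counts as missing, because Deny overrides Allow.
    Action names are compared case-insensitively, as IAM does; resources are not.
    """
    statements = _as_list(policy_document.get("Statement"))
    missing = []
    for action, resource in required:
        allowed = denied = False
        for st in statements:
            action_hit = any(_iam_match(a, action, ignore_case=True)
                             for a in _as_list(st.get("Action")))
            resource_hit = any(_iam_match(r, resource) for r in _as_list(st.get("Resource")))
            if action_hit and resource_hit:
                if st.get("Effect") == "Allow":
                    allowed = True
                elif st.get("Effect") == "Deny":
                    denied = True
        if denied or not allowed:
            missing.append((action, resource))
    return missing


def overbroad_statements(policy_document):
    """Least-privilege check: Sids of Allow statements whose Resource is a bare '*'."""
    return [st.get("Sid", "<no Sid>")
            for st in _as_list(policy_document.get("Statement"))
            if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource"))]


# Constructed sample policy documents (the rendered form of the role's inline policy).
POLICY_OK = {"Version": "2012-10-17", "Statement": macro_policy_statements()}
POLICY_MISSING_LAMBDA = {"Version": "2012-10-17", "Statement": macro_policy_statements()[1:]}
POLICY_WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "everything", "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Sid": "lambda-any", "Effect": "Allow", "Action": "lambda:Invoke*", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, doc in [("ok", POLICY_OK), ("missing-lambda", POLICY_MISSING_LAMBDA),
                      ("wildcard", POLICY_WILDCARD)]:
        print(f"{name}: missing={missing_grants(doc)} overbroad={overbroad_statements(doc)}")
```

Run it against the policy document you actually attach to the build role (for example the output of `aws iam get-role-policy`, loaded with `json.load`): an empty `missing_grants` result means the changeset creation should not fail on the macro's permissions, and a non-empty `overbroad_statements` result tells you which statements to narrow to the macro and function ARNs the answer shows.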


    You may get more details about the failure in the CloudFormation console. If the transform lambda was invoked, you may also get more details in CloudWatch.

    @LaurentJalbertSimard There is no additional information in CloudFormation or CloudWatch.