Amazon web services Cloudwatch自定义事件SQS无法工作
我使用 Terraform 创建 SQS 队列，同时创建 CloudWatch 事件规则，并将其中一个队列设置为规则的目标。总之，我有一个队列，它是 3 个独立的 CloudWatch 事件规则的目标。问题是，尽管这些规则的配置相同，但通过 Terraform 创建时只有一个规则有效，其他规则在控制台中显示为调用失败（FailedInvocations），没有任何日志或可调试信息。如果这些自定义事件是从 AWS 控制台创建的，则全部可以正常工作。
在 Terraform 中创建队列
唯一有效的那个规则
标签：amazon-web-services, terraform, amazon-cloudwatch, terraform-provider-aws, amazon-cloudwatch-events
我认为您的 SQS 队列缺少权限或权限不正确。假设您在 Terraform 中创建了 `queue_cron`（问题中未显示），那么该队列及其允许 CloudWatch Events（EventBridge）向其发送消息的策略应如下所示。注意第二条语句通过 `aws:SourceArn` 条件把授权限制在本账户/本区域的规则上；如果省略该条件，任何 AWS 账户中的规则都可以把此队列 ARN 设为目标并向其投递消息：
# Account ID and region of the credentials running Terraform; used below to build
# the EventBridge rule ARN pattern in the queue policy's aws:SourceArn condition.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
resource "aws_sqs_queue" "queue_cron" {
  # Standard (non-FIFO) queue using provider defaults for every setting.
  # The policy that lets EventBridge enqueue is attached separately via
  # aws_sqs_queue_policy so the queue itself stays minimal.
  name = "queue_cron"
}
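resource "aws_sqs_queue_policy" "test" {
  # Resource policy for queue_cron: keeps the account owner's full access and lets
  # EventBridge (CloudWatch Events) rules owned by this account/region enqueue messages.
  queue_url = aws_sqs_queue.queue_cron.id

  # jsonencode() instead of a heredoc: Terraform guarantees valid JSON and the
  # interpolations cannot be broken by quoting or indentation mistakes.
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "sqspolicy"
    Statement = [
      {
        # Account-root principal: access is still decided by IAM policies inside this
        # account, so sqs:* here grants nothing beyond what IAM already allows.
        Sid    = "First"
        Effect = "Allow"
        Principal = {
          AWS = data.aws_caller_identity.current.account_id
        }
        Action   = "sqs:*"
        Resource = aws_sqs_queue.queue_cron.arn
      },
      {
        # Service-principal grant for EventBridge. The aws:SourceArn condition is the
        # confused-deputy guard: without it a rule in ANY AWS account could target this
        # queue ARN. ArnLike is the operator documented for wildcard matching
        # (AWS evaluates ArnEquals and ArnLike identically, so behaviour is unchanged).
        # Narrow "rule/*" to the specific rule ARNs if they live in this configuration.
        Sid    = "AWSEvents_"
        Effect = "Allow"
        Principal = {
          Service = "events.amazonaws.com"
        }
        Action   = "sqs:SendMessage"
        Resource = aws_sqs_queue.queue_cron.arn
        Condition = {
          ArnLike = {
            "aws:SourceArn" = "arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/*"
          }
        }
      },
    ]
  })
}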
（以上代码的另一份副本，原文编码已损坏，修复后如下：）
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
resource "aws_sqs_queue" "queue_cron" {
  name = "queue_cron"
}
resource "aws_sqs_queue_policy" "test" {
  queue_url = aws_sqs_queue.queue_cron.id
  policy = <<POLICY ...（策略内容同上）
评论：
— 您是否设置了 SQS 队列策略来授予 CloudWatch Events 向 SQS 发送消息的权限？
— @Marchin 我已经更新了问题，包含了队列的创建；我确实没有附加任何特定的策略。我会尝试上面的代码，但如果策略不正确，它们应该全部都不工作才对。
— @JudeFernandes 这是对的。但由于您当时没有展示队列的创建及其策略，一种可能是它是在 AWS 控制台中创建的，并且只为一个队列设置了策略。
— @Marchin 确实是策略的问题，非常感谢。整个基础设施完全是用 Terraform 构建的；直到事件失败时，我才尝试通过控制台操作。奇怪的是其中一个有效而另一个无效，但附加策略后它们现在全部有效了。
resource "aws_cloudwatch_event_rule" "eve_vendors_bot_sync" {
  # Fires once a minute; delivered to the cron queue by
  # aws_cloudwatch_event_target.sqs_cron_vendors_bot_sync.
  name                = "vendors-bot-sync"
  description         = "Notify cron queue for vendors bot sync"
  schedule_expression = "rate(1 minute)"
  # NOTE(review): newer AWS provider releases deprecate is_enabled in favour of
  # `state`; keep this form if the pinned provider version requires it.
  is_enabled = true
}
resource "aws_cloudwatch_event_target" "sqs_cron_vendors_bot_sync" {
  # Sends a fixed JSON body to the cron queue every time the rule fires.
  target_id = "sqsCronVendorBotSync"
  rule      = aws_cloudwatch_event_rule.eve_vendors_bot_sync.name
  # The queue behind this ARN must carry a resource policy allowing
  # events.amazonaws.com to sqs:SendMessage (ideally scoped with aws:SourceArn to
  # this rule); otherwise invocations fail silently, which is the symptom reported.
  arn = var.queue_cron_arn

  # Static template with no input_paths: the triggering event is discarded and
  # the consumer receives exactly this body.
  input_transformer {
    input_template = <<EOF
{
"messageType":"cron",
"cronType":"vendors-bot-sync"
}
EOF
  }
}
resource "aws_cloudwatch_event_rule" "eve_restos_sync" {
  # Fires once a minute; delivered to the cron queue by
  # aws_cloudwatch_event_target.sqs_cron_restos_sync.
  name                = "restos-sync"
  description         = "Notify cron queue for restos sync"
  schedule_expression = "rate(1 minute)"
  # NOTE(review): newer AWS provider releases deprecate is_enabled in favour of
  # `state`; keep this form if the pinned provider version requires it.
  is_enabled = true
}
resource "aws_cloudwatch_event_target" "sqs_cron_restos_sync" {
  # Sends a fixed JSON body to the cron queue every time the rule fires.
  target_id = "sqsCronRestosSync"
  rule      = aws_cloudwatch_event_rule.eve_restos_sync.name
  # The queue behind this ARN must carry a resource policy allowing
  # events.amazonaws.com to sqs:SendMessage (ideally scoped with aws:SourceArn to
  # this rule); otherwise invocations fail silently, which is the symptom reported.
  arn = var.queue_cron_arn

  # Static template with no input_paths: the triggering event is discarded and
  # the consumer receives exactly this body. Note that cronType deliberately differs
  # from the rule name; it presumably matches what the consumer dispatches on.
  input_transformer {
    input_template = <<EOF
{
"messageType":"cron",
"cronType":"restaurant-hours-open-close-management"
}
EOF
  }
}
resource "aws_cloudwatch_event_rule" "eve_vendors_orders_sync" {
  # Fires once a minute; delivered to the cron queue by
  # aws_cloudwatch_event_target.target_cron_vendors_sync.
  name                = "vendors-orders-sync"
  description         = "Notify cron queue for vendors orders sync"
  schedule_expression = "rate(1 minute)"
  # NOTE(review): newer AWS provider releases deprecate is_enabled in favour of
  # `state`; keep this form if the pinned provider version requires it.
  is_enabled = true
}
resource "aws_cloudwatch_event_target" "target_cron_vendors_sync" {
  # Sends a fixed JSON body to the cron queue every time the rule fires.
  target_id = "sqsCronVendorsOrderSync"
  rule      = aws_cloudwatch_event_rule.eve_vendors_orders_sync.name
  # The queue behind this ARN must carry a resource policy allowing
  # events.amazonaws.com to sqs:SendMessage (ideally scoped with aws:SourceArn to
  # this rule); otherwise invocations fail silently, which is the symptom reported.
  arn = var.queue_cron_arn

  # Static template with no input_paths: the triggering event is discarded and
  # the consumer receives exactly this body.
  input_transformer {
    input_template = <<EOF
{
"messageType":"cron",
"cronType":"vendors-orders-sync"
}
EOF
  }
}
resource "aws_sqs_queue" "queue_cron" {
  # Shared destination for the once-a-minute cron rules (presumably exposed to the
  # rules' module as var.queue_cron_arn — confirm against the caller).
  name = "cron"

  # Delivery tuning: no initial delay, 20-second long polling, a 5-minute window
  # for a consumer to finish before redelivery, and a short 30-minute retention
  # since the producers re-trigger every minute anyway.
  delay_seconds              = 0
  receive_wait_time_seconds  = 20
  visibility_timeout_seconds = 300  # 5 minutes
  message_retention_seconds  = 1800 # 30 minutes

  # NOTE(review): no server-side encryption or dead-letter queue is configured;
  # consider adding them if the pinned provider version supports the attributes.
}
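data "aws_iam_policy_document" "policy_sqs" {
  # Resource policy that lets EventBridge (CloudWatch Events) deliver into the cron
  # queue. Requires data.aws_region.current and data.aws_caller_identity.current to be
  # declared in this configuration (they are declared next to the answer's policy).
  statement {
    sid    = "AWSEvents_"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.queue_cron.arn]

    # Confused-deputy guard. A bare service-principal grant is honoured for a rule in
    # ANY AWS account that names this queue ARN as a target; the aws:SourceArn
    # condition restricts delivery to rules owned by this account and region.
    # Narrow "rule/*" to the three rule ARNs if they live in this same configuration.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/*"]
    }
  }
}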
resource "aws_sqs_queue_policy" "cron_sqs_policy" {
  # Attaches the EventBridge send-permission document to the cron queue; the
  # rendered JSON comes from data.aws_iam_policy_document.policy_sqs.
  policy    = data.aws_iam_policy_document.policy_sqs.json
  queue_url = aws_sqs_queue.queue_cron.id
}
# Account ID and region of the credentials running Terraform; used below to build
# the EventBridge rule ARN pattern in the queue policy's aws:SourceArn condition.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
resource "aws_sqs_queue" "queue_cron" {
  # Standard (non-FIFO) queue using provider defaults for every setting.
  # The policy that lets EventBridge enqueue is attached separately via
  # aws_sqs_queue_policy so the queue itself stays minimal.
  name = "queue_cron"
}
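resource "aws_sqs_queue_policy" "test" {
  # Resource policy for queue_cron: keeps the account owner's full access and lets
  # EventBridge (CloudWatch Events) rules owned by this account/region enqueue messages.
  queue_url = aws_sqs_queue.queue_cron.id

  # jsonencode() instead of a heredoc: Terraform guarantees valid JSON and the
  # interpolations cannot be broken by quoting or indentation mistakes.
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "sqspolicy"
    Statement = [
      {
        # Account-root principal: access is still decided by IAM policies inside this
        # account, so sqs:* here grants nothing beyond what IAM already allows.
        Sid    = "First"
        Effect = "Allow"
        Principal = {
          AWS = data.aws_caller_identity.current.account_id
        }
        Action   = "sqs:*"
        Resource = aws_sqs_queue.queue_cron.arn
      },
      {
        # Service-principal grant for EventBridge. The aws:SourceArn condition is the
        # confused-deputy guard: without it a rule in ANY AWS account could target this
        # queue ARN. ArnLike is the operator documented for wildcard matching
        # (AWS evaluates ArnEquals and ArnLike identically, so behaviour is unchanged).
        # Narrow "rule/*" to the specific rule ARNs if they live in this configuration.
        Sid    = "AWSEvents_"
        Effect = "Allow"
        Principal = {
          Service = "events.amazonaws.com"
        }
        Action   = "sqs:SendMessage"
        Resource = aws_sqs_queue.queue_cron.arn
        Condition = {
          ArnLike = {
            "aws:SourceArn" = "arn:aws:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/*"
          }
        }
      },
    ]
  })
}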