Amazon web services CloudWatch事件规则未使用标记查找EC2目标_Amazon Web Services_Amazon Cloudwatch_Ssm_Amazon Systems Manager_Amazon Cloudwatch Events

Amazon web services CloudWatch事件规则未使用标记查找EC2目标

amazon-web-services

Amazon web services CloudWatch事件规则未使用标记查找EC2目标,amazon-web-services,amazon-cloudwatch,ssm,amazon-systems-manager,amazon-cloudwatch-events,Amazon Web Services,Amazon Cloudwatch,Ssm,Amazon Systems Manager,Amazon Cloudwatch Events,我有一个CloudWatch事件规则，它将触发SSM运行命令文档。将使用标签识别目标。我的资源是根据以下CloudFormation模板定义的： SSMRunCommandDocument: Type: AWS::SSM::Document Properties: DocumentType: 'Command' Content: schemaVersion: '2.2' description: "Some description" m

我有一个

CloudWatch事件规则

，它将触发

SSM运行命令文档

。将使用标签识别目标。我的资源是根据以下CloudFormation模板定义的：

SSMRunCommandDocument:
  Type: AWS::SSM::Document
  Properties:
    DocumentType: 'Command'
    Content:
      schemaVersion: '2.2'
      description: "Some description"
      mainSteps:
        - action: "aws:runShellScript"
          name: runShellScript
          inputs:
            runCommand:
              - !Sub |
                  #!/bin/bash -e
                  echo "Hello StackOverflow!" > test.log
    Tags:
      - Key: Name
        Value: EC2Name
      - Key: Environment
        Value: DEV
CloudWatchEventRule:
  Type: AWS::Events::Rule
  Properties:
    Description: "The ARN from the eventbridge role resource"
    EventPattern: 
      source:
        - "aws.autoscaling"
      detail-type:
        - "EC2 Instance-terminate Lifecycle Action"
      detail:
        AutoScalingGroupName:
          - !Ref 'MyAutoScalingGroup'
    State: "ENABLED"
    Targets:
      - Id: "Some target ID."
        Arn: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${SSMRunCommandDocument}"
        RoleArn: "The ARN from the eventbridge role resource"
        RunCommandParameters:
          RunCommandTargets:
            - Key: "tag: Name"
              Values:
                - EC2Name
            - Key: "tag: Environment"
              Values:
                - DEV

我有以下角色，在上面的CloudFormation模板中使用

ARN

：

AutoScalingLifecycleHookEventRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service:
              - events.amazonaws.com
          Action: 'sts:AssumeRole'
    Description: "The role that will be used by AWS EventBridge to start an SSM Run Command document."
AutoScalingLifecycleHookEventManagedPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'ssm:StartAutomationExecution'
          Resource:
            - "arn:*:ssm:*:*:automation-definition/AWS-RunShellScript*"
          Effect: Allow
        - Action:
            - "iam:PassRole"
          Resource:
            - "arn:*:ssm:*:*:role/*"
          Effect: Allow
        - Action:
            - 'ssm:*'
          Resource:
            - "arn:*:ssm:*:*:*"
          Effect: Allow
        - Action:
            - "ssm:SendCommand"
          Resource:
            - !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
            - !Sub "arn:aws:ssm:${AWS::Region}:*:document/*"
          Effect: Allow
    Roles:
      - !Ref AutoScalingLifecycleHookEventRole

我可以使用CloudFormation模板中指定的相同标记手动触发

RunCommand

。但是当

RunCommand

由

事件规则触发时，RunCommand
页面上的历史记录告诉我们，这次没有找到目标：

我缺少哪些权限或配置？
结果是，标记：标记键
字段中不应该有空格：
RunCommandParameters:
  RunCommandTargets:
    - Key: "tag:Name"
      Values:
        - EC2Name
    - Key: "tag:Environment"
      Values:
        - DEV