Amazon web services CloudWatch事件规则未使用标记查找EC2目标
我有一个Amazon web services CloudWatch事件规则未使用标记查找EC2目标,amazon-web-services,amazon-cloudwatch,ssm,amazon-systems-manager,amazon-cloudwatch-events,Amazon Web Services,Amazon Cloudwatch,Ssm,Amazon Systems Manager,Amazon Cloudwatch Events,我有一个CloudWatch事件规则,它将触发SSM运行命令文档。将使用标签识别目标。我的资源是根据以下CloudFormation模板定义的: SSMRunCommandDocument: Type: AWS::SSM::Document Properties: DocumentType: 'Command' Content: schemaVersion: '2.2' description: "Some description" m
CloudWatch事件规则
,它将触发SSM运行命令文档
。将使用标签识别目标。我的资源是根据以下CloudFormation模板定义的:
SSMRunCommandDocument:
Type: AWS::SSM::Document
Properties:
DocumentType: 'Command'
Content:
schemaVersion: '2.2'
description: "Some description"
mainSteps:
- action: "aws:runShellScript"
name: runShellScript
inputs:
runCommand:
- !Sub |
#!/bin/bash -e
echo "Hello StackOverflow!" > test.log
Tags:
- Key: Name
Value: EC2Name
- Key: Environment
Value: DEV
CloudWatchEventRule:
Type: AWS::Events::Rule
Properties:
Description: "The ARN from the eventbridge role resource"
EventPattern:
source:
- "aws.autoscaling"
detail-type:
- "EC2 Instance-terminate Lifecycle Action"
detail:
AutoScalingGroupName:
- !Ref 'MyAutoScalingGroup'
State: "ENABLED"
Targets:
- Id: "Some target ID."
Arn: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${SSMRunCommandDocument}"
RoleArn: "The ARN from the eventbridge role resource"
RunCommandParameters:
RunCommandTargets:
- Key: "tag: Name"
Values:
- EC2Name
- Key: "tag: Environment"
Values:
- DEV
我有以下角色,在上面的CloudFormation模板中使用ARN
:
AutoScalingLifecycleHookEventRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: ''
Effect: Allow
Principal:
Service:
- events.amazonaws.com
Action: 'sts:AssumeRole'
Description: "The role that will be used by AWS EventBridge to start an SSM Run Command document."
AutoScalingLifecycleHookEventManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- 'ssm:StartAutomationExecution'
Resource:
- "arn:*:ssm:*:*:automation-definition/AWS-RunShellScript*"
Effect: Allow
- Action:
- "iam:PassRole"
Resource:
- "arn:*:ssm:*:*:role/*"
Effect: Allow
- Action:
- 'ssm:*'
Resource:
- "arn:*:ssm:*:*:*"
Effect: Allow
- Action:
- "ssm:SendCommand"
Resource:
- !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
- !Sub "arn:aws:ssm:${AWS::Region}:*:document/*"
Effect: Allow
Roles:
- !Ref AutoScalingLifecycleHookEventRole
我可以使用CloudFormation模板中指定的相同标记手动触发RunCommand
。但是当RunCommand
由事件规则触发时,RunCommand
页面上的历史记录告诉我们,这次没有找到目标:
我缺少哪些权限或配置?结果是,标记:标记键
字段中不应该有空格:
RunCommandParameters:
RunCommandTargets:
- Key: "tag:Name"
Values:
- EC2Name
- Key: "tag:Environment"
Values:
- DEV