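One of my build steps runs a CloudFormation template with a custom transform. The transform is available in us-east-1, which is the region where CodeBuild runs. The same CloudFormation template also works when I run it from my local CLI. Could you explain how to get this transform to run in the CodeBuild container?
My local CLI is aws-cli/1.16.223 Python/3.6.0 Windows/10 botocore/1.12.213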
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/awscli/clidriver.py", line 207, in main
    return command_table[parsed_args.command](remaining, parsed_args)
  File "/usr/local/lib/python3.6/dist-packages/awscli/clidriver.py", line 348, in __call__
    return command_table[parsed_args.operation](remaining, parsed_globals)
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/commands.py", line 187, in __call__
    return self._run_main(parsed_args, parsed_globals)
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deploy.py", line 295, in _run_main
    parsed_args.fail_on_empty_changeset)
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deploy.py", line 310, in deploy
    tags=tags
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deployer.py", line 227, in create_and_wait_for_changeset
    self.wait_for_changeset(result.changeset_id, stack_name)
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deployer.py", line 178, in wait_for_changeset
    .format(ex, status, reason))
RuntimeError: Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Failed to execute transform REDACTED::ALKSify
2019-08-21 17:03:42,717 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255
Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Failed to execute transform REDACTED::ALKSify
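Answer 0 (score: 0)
I just ran into the same problem and was able to solve it as follows.
You need to add the following 2 permissions to the IAM role of the CodeBuild project:
"cloudformation:CreateChangeSet"
on the macro resource itself, !Sub ${AWS::AccountId}::ALKSify
"lambda:InvokeFunction"
on the Lambda function that implements the macro. So it looks like: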
BuildProjectRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service: codebuild.amazonaws.com
          Action:
            - "sts:AssumeRole"
    Policies:
      - PolicyName: codebuild
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Sid: lambda
              Effect: Allow
              Action:
                - "lambda:InvokeFunction"
              Resource:
                - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:<MACRO FUNCTION NAME>"
            - Sid: macro
              Effect: Allow
              Action:
                - "cloudformation:CreateChangeSet"
              Resource:
                - !Sub "${AWS::AccountId}::<MACRO NAME>"
            # .... <Other Permissions>
Cheers, Stan
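An offline check for the two permissions listed in the answer above, as an added example that is not part of the original question or answer. It reports whether a policy document grants each action at all and whether the grant is on `*` rather than a named resource. The function names, the account id and the function and macro names in the sample policies are assumptions made for illustration, and the evaluation is simplified (Allow statements only).

```python
from fnmatch import fnmatchcase

# The two actions the answer says the CodeBuild role needs.
REQUIRED = ("cloudformation:CreateChangeSet", "lambda:InvokeFunction")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def granted_resources(policy_doc, required=REQUIRED):
    """Map each required action to the resources Allow statements grant it on.
    Simplified: Deny, NotAction, NotResource and Condition are not evaluated."""
    grants = {action: [] for action in required}
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in required:
                # IAM action names are case-insensitive; * and ? are wildcards.
                if fnmatchcase(action.lower(), pattern.lower()):
                    grants[action].extend(_as_list(stmt.get("Resource", [])))
    return grants

def findings(policy_doc):
    """Report required actions that are missing or granted on every resource."""
    report = []
    for action, resources in granted_resources(policy_doc).items():
        if not resources:
            report.append(f"MISSING {action}")
        elif "*" in resources:
            report.append(f"BROAD {action} on *")
    return report

# Constructed sample policies (account id, function and macro names are made up).
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "lambda", "Effect": "Allow", "Action": ["lambda:InvokeFunction"],
     "Resource": ["arn:aws:lambda:us-east-1:123456789012:function:example-macro-fn"]},
    {"Sid": "macro", "Effect": "Allow", "Action": ["cloudformation:CreateChangeSet"],
     "Resource": ["123456789012::ExampleMacro"]},
]}
BROAD_NO_LAMBDA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD_NO_LAMBDA)):
        print(name, findings(doc) or "ok")
```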