After enabling running a task on every ECS host as described in the blog post, I created an Ansible role that successfully creates a CloudWatch event rule that triggers a Lambda function.
The event rule looks fine in the AWS console and appears to fire according to the metrics, but the Lambda function does not run (the ECS service is not changed).
When I simply edit the rule and save it without any changes, the rule starts working and the ECS service is changed as expected.
Here are my original playbook and roles; I can create a simpler example if needed.
Playbook:
- name: "create lambda and cloudwatch event rules"
  hosts: localhost
  roles:
    - {
        role: aws/lambda/lookup,
        lambda: ecs-task-on-all-hosts,
        lambda_lookup_register_as: lambda_lookup
      }
    - {
        role: aws/cloudwatch/event/rule/create,
        event_rule: ecs-task-on-all-hosts,
        cluster: "{{ cluster }}",
        lambda_ecs_task_on_all_hosts_arn: "{{ lambda_lookup.arn }}"
      }
Role aws/lambda/lookup:
- name: "lookup lambda {{ lambda }}"
  lambda_facts:
    region: "{{ region }}"
    query: config  # right now everything we need is given here
    function_name: "{{ lambda }}"
  register: _lambda_function_details
- name: "set lambda lookup result facts"
  set_fact:
    "{{ lambda_lookup_register_as }}":
      arn: "{{ _lambda_function_details.ansible_facts.lambda_facts.function[lambda].function_arn }}"
      name: "{{ _lambda_function_details.ansible_facts.lambda_facts.function[lambda].function_name }}"
Role aws/cloudwatch/event/rule/create:
tasks/main.yml
- name: "include variables in file {{ event_rule }}.yml"
  include_vars: "files/{{ event_rule }}.yml"
- name: "verify mandatory parameters were provided"
  include_role:
    name: utilities/verify-parameters
  vars:
    mandatory: "{{ event_mandatory_parameters }}"
  when: event_mandatory_parameters is defined
- name: "create cloudwatch event rule"
  cloudwatchevent_rule:
    region: "{{ region }}"
    name: "{{ event_definition.name }}"
    description: "{{ event_definition.description }}"
    event_pattern: "{{ event_definition.event_pattern | to_json }}"
    targets: "{{ event_definition.targets }}"
The file files/ecs-task-on-all-hosts being used:
event_mandatory_parameters: [ "cluster", "lambda_ecs_task_on_all_hosts_arn" ]
event_definition:
  name: ecs-task-on-all-hosts
  description: Ensure a task is running on all hosts in the cluster
  event_pattern: |-
    {
      "source": [
        "aws.ecs"
      ],
      "detail-type": [
        "ECS Container Instance State Change"
      ],
      "detail": {
        "clusterArn": [
          "arn:aws:ecs:{{ region }}:{{ account_id }}:cluster/{{ cluster }}"
        ]
      }
    }
  targets:
    - id: lambda_ecs_task_on_all_hosts
      arn: "{{ lambda_ecs_task_on_all_hosts_arn }}"
A similar question was asked here, but it is slightly different and still has no answer, so I have provided all the details I can here. Let me know if more information is needed.
Answer 0 (score: 0)
You need to add a Lambda function policy that allows CloudWatch Events to invoke your Lambda function. The reason editing the CloudWatch Event makes it work is that doing so adds the Lambda function policy in the background.
You can inspect the function's policy with aws lambda get-policy. Before editing the event you should see no policy; after editing it you will see a policy that allows CloudWatch Events to invoke the function.
You can set the policy in Ansible with the Ansible module lambda_policy, e.g.
- name: allow CloudWatch to invoke the Lambda function
  lambda_policy:
    region: "{{ aws_region }}"
    function_name: ecs-task-on-all-hosts
    state: present
    statement_id: lambda-cloudwatch-event-rule
    action: lambda:InvokeFunction
    principal: events.amazonaws.com
    source_arn: "{{ event.rule.arn }}"
where event is the return value of cloudwatchevent_rule.
Sources:
AWS Lambda Permissions Model: "For event sources, other than the stream-based services (Amazon Kinesis Data Streams and DynamoDB streams), you must grant the event source permission to invoke your AWS Lambda function." https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
Tutorial: Schedule AWS Lambda Functions Using CloudWatch Events: "Use the following add-permission command to trust the CloudWatch Events service principal (events.amazonaws.com) and scope permissions to the rule with the specified Amazon Resource Name (ARN)" https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
My Rule Was Triggered but My Lambda Function Was Not Invoked: "Make sure you have the correct permissions set for your Lambda function. [...] You can also edit the rule in the CloudWatch Events console by removing and then adding it back to the rule. The CloudWatch Events console will set the correct permissions on the target." https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CWE_Troubleshooting.html#LAMfunctionNotInvoked
Ansible playbook that creates a CloudWatch Event rule with a Lambda target: https://gist.github.com/danvaida/e369838ceaa65a7a6f57de7d08af805f
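As an added example (not code from the question or the answer), this script parses the JSON that `aws lambda get-policy` prints and reports whether a given rule ARN is allowed to invoke the function, and whether that grant is scoped to the rule through a SourceArn condition (the state the lambda_policy task above produces) or is open to any rule in any account. The region, account id and ARNs in the constructed sample are placeholders, not values from the page.

```python
# Added example (not from the question or answer): parse what
# `aws lambda get-policy` prints and report whether a given rule ARN may
# invoke the function, and whether that grant is scoped to the rule.
import fnmatch
import json

EVENTS_PRINCIPAL = "events.amazonaws.com"


def _as_list(value):
    # IAM accepts a scalar or a list in most policy fields; normalise to a list.
    return value if isinstance(value, list) else [value]


def find_events_grant(get_policy_output, rule_arn):
    """Return {"allowed", "matching_sids", "unscoped_sids"} for rule_arn."""
    # The "Policy" field of get-policy output is a JSON document stored as a string.
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    matching, unscoped = [], []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = [] if principal == "*" else _as_list(principal.get("Service", []))
        if stmt.get("Effect") != "Allow":
            continue
        if principal != "*" and EVENTS_PRINCIPAL not in services:
            continue
        if "lambda:InvokeFunction" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        patterns = [p for op in ("ArnLike", "ArnEquals", "StringEquals")
                    for p in _as_list(cond.get(op, {}).get("AWS:SourceArn", []))]
        if not patterns:
            unscoped.append(stmt.get("Sid"))  # any rule in any account may invoke
        elif any(fnmatch.fnmatchcase(rule_arn, p) for p in patterns):
            matching.append(stmt.get("Sid"))
    return {"allowed": bool(matching or unscoped),
            "matching_sids": matching, "unscoped_sids": unscoped}


def constructed_get_policy_output(source_arn=None):
    """Constructed sample of get-policy output; region, account and ARNs are placeholders."""
    stmt = {"Sid": "lambda-cloudwatch-event-rule", "Effect": "Allow",
            "Principal": {"Service": EVENTS_PRINCIPAL}, "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:ecs-task-on-all-hosts"}
    if source_arn:  # the condition lambda_policy's source_arn installs; omit for an unscoped grant
        stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    policy = {"Version": "2012-10-17", "Id": "default", "Statement": [stmt]}
    return json.dumps({"Policy": json.dumps(policy), "RevisionId": "constructed"})


RULE_ARN = "arn:aws:events:us-east-1:123456789012:rule/ecs-task-on-all-hosts"
```

Feed it the real output of `aws lambda get-policy --function-name ecs-task-on-all-hosts` together with the rule ARN returned by cloudwatchevent_rule; an empty `matching_sids` with a non-empty `unscoped_sids` means the function is invokable but the grant is broader than the single rule.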