Terraform:通知SNS的CloudWatch事件

时间:2019-11-25 12:44:37

标签: aws-lambda terraform amazon-sns amazon-cloudwatch terraform-provider-aws

我正在学习TF,并尝试应用可创建以下内容的基础架构:

  1. 一个简单的lambda函数
  2. 一个SNS主题
  3. 获取该lambda订阅SNS主题
  4. 一个Cloud Watch Event,它以一定的时间间隔向该主题发布消息
  5. 一个云监视日志组,以检查lambda是否已由SNS通知
  6. 允许来自SNS呼叫的lambda权限

我能够成功地应用它。基础架构看起来非常好(当我通过可视化的aws控制台创建自己时,它具有相同的外观)

但是云监视事件不会触发(从TF构建时),因此不会将消息发布到SNS,也不会调用lambda。我不知道为什么

谁知道我该怎么做?吼叫我的.tf脚本:

provider "aws" {
  region = "us-east-1"
}

//lambda function handler & code file
resource "aws_lambda_function" "lambda-function" {
  function_name = "Function01"
  handler = "com.rafael.lambda.Function01"
  role = "arn:aws:iam::12345:role/LambdaRoleTest"
  runtime = "java8"
  s3_bucket = aws_s3_bucket.sns-test.id
  s3_key = aws_s3_bucket_object.file_upload.id
  source_code_hash = filebase64sha256("../target/sns-cw-lambda-poc.jar")
}

//allow sns to call lambda
resource "aws_lambda_permission" "allow-sns-to-lambda" {
  function_name = aws_lambda_function.lambda-function.function_name
  action = "lambda:InvokeFunction"
  principal = "sns.amazonaws.com"
  source_arn = aws_sns_topic.call-lambdas-topic.arn
  statement_id = "AllowExecutionFromSNS"
}

//app s3 repository
resource "aws_s3_bucket" "sns-test" {
  bucket = "app-bucket-12345"
  region = "us-east-1"
}

//app jar file
resource "aws_s3_bucket_object" "file_upload" {
  depends_on = [
    aws_s3_bucket.sns-test
  ]
  bucket = aws_s3_bucket.sns-test.id
  key = "sns-cw-lambda-poc.jar"
  source = "../target/sns-cw-lambda-poc.jar"
  server_side_encryption = "AES256"
  etag = filebase64sha256("../target/sns-cw-lambda-poc.jar")
}

//to check lambda exec logs
resource "aws_cloudwatch_log_group" "lambda-cloudwatch-logs" {
  name = "/aws/lambda/${aws_lambda_function.lambda-function.function_name}"
  retention_in_days = 1
}

//rule to trigger SNS
resource "aws_cloudwatch_event_rule" "publish-sns-rule" {
  name = "publish-sns-rule"
  schedule_expression = "rate(1 minute)"
}

//cloud watch event targets SNS
resource "aws_cloudwatch_event_target" "sns-publish" {
  count = "1"
  rule = aws_cloudwatch_event_rule.publish-sns-rule.name
  target_id = aws_sns_topic.call-lambdas-topic.name
  arn = aws_sns_topic.call-lambdas-topic.arn
}

//SNS topic to subscribe
resource "aws_sns_topic" "call-lambdas-topic" {
  name = "call-lambdas-topic"
}

//lambda subscribes the topic, so it should be nofied when other resource publishes to the topic
resource "aws_sns_topic_subscription" "sns-lambda-subscritption" {
  topic_arn = aws_sns_topic.call-lambdas-topic.arn
  protocol = "lambda"
  endpoint = aws_lambda_function.lambda-function.arn
}

1 个答案:

答案 0 :(得分:1)

我发现,我忘记添加允许CloudWatch发布到SNS主题的SNS策略。要使上述脚本正常工作,只需添加以下内容:

resource "aws_sns_topic_policy" "default" {
  count  = 1
  arn    = aws_sns_topic.call-lambdas-topic.arn
  policy = "${data.aws_iam_policy_document.sns_topic_policy.0.json}"
}

data "aws_iam_policy_document" "sns_topic_policy" {
  count = "1"
  statement {
    sid       = "Allow CloudwatchEvents"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.call-lambdas-topic.arn]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}
相关问题
最新问题