Template error: function instance references undefined resource

Time: 2019-12-09 20:55:20

Tags: amazon-web-services aws-codebuild

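Background

I am trying to add a service role for CodeBuild through CloudFormation. I keep getting the following error and am not sure how to resolve it.

Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Template error: instance of Fn::GetAtt references undefined resource CodeBuildServiceRole

I have the following file with my CodeBuild configuration: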

Mappings:
  'Fn::Transform':
    Name: 'AWS::Include'
    Parameters:
      Location: s3://source-code-for-download-by-ec2s/include.yaml

Parameters:
  RepositoryBranch:
    Type: String
    Description: git branch to test and deploy
  OAuthToken:
    Type: String
    Description: >
      OAuth Token for this code pipeline to connect to GitHub to download the source code
      when the webhook publishes a push event
    NoEcho: true

Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub 'xxxxxxx-dev-branch-${XXXXXXXXX}-xxxx'
      Artifacts: 
        Type: S3
        Location: 'xxxxxxxxx'
        Path: !Sub 'XXXXXXXXXX/${XXXXXXXX}'
        Name: 'repo.zip'
        Packaging: ZIP
      BadgeEnabled: true
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: 'abcxxxxxxxxxxxxxxxxabcxxxxxxxxxxxxxxxxxxabcxxxxxxxxxx'
        ImagePullCredentialsType: SERVICE_ROLE
        Type: LINUX_CONTAINER
        PrivilegedMode: true
      LogsConfig:
        CloudWatchLogs:
          Status: ENABLED
      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
      Source:
        Type: GITHUB
        Auth:
          Type: OAUTH
          Resource: !Sub '${OAuthToken}'
        Location: 'https://github.com/xxxxxxxxxx/xxxxxxxxxxxxxxxx-xxxxxxxxxx.git'
        GitCloneDepth: 1  # no need to download git version history with the repo, just grab the latest version of this branch (0 would fetch the full history)
        ReportBuildStatus: true
      SourceVersion: !Ref RepositoryBranch
      TimeoutInMinutes: 60 

I also have another file that creates the service role policy and adds codebuild as an action.

AWSTemplateFormatVersion: 2010-09-09

Resources:

  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCodeBuildServiceRole-role-created-by-cloudformation
      AssumeRolePolicyDocument: '{
          "Version": "2012-10-17", 
          "Statement": [
            {
              "Action": "sts:AssumeRole", 
              "Effect": "Allow", 
              "Principal": {
                "Service": "codebuild.amazonaws.com"
              }
            }
          ]
        }'
      ManagedPolicyArns: [!Ref CodeBuildServiceRolePolicy]  
      Path: /service-role/

  CodeBuildServiceRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: AWSCodeBuildServiceRole-policy-created-by-cloudformation
      Description: 'Policy meant for CodeBuild service role that CodeBuild runs-as to deploy code from Github to S3'

      PolicyDocument: '{
            "Statement": [
                {
                    "Action": [
                        "iam:PassRole"
                    ],
                    "Resource": "*",
                    "Effect": "Allow",
                    "Condition": {
                        "StringEqualsIfExists": {
                            "iam:PassedToService": [
                                "cloudformation.amazonaws.com",
                                "elasticbeanstalk.amazonaws.com",
                                "ec2.amazonaws.com",
                                "ecs-tasks.amazonaws.com"
                            ]
                        }
                    }
                },
                {
                    "Action": [
                        "codebuild:*"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "codedeploy:CreateDeployment",
                        "codedeploy:GetApplication",
                        "codedeploy:GetApplicationRevision",
                        "codedeploy:GetDeployment",
                        "codedeploy:GetDeploymentConfig",
                        "codedeploy:RegisterApplicationRevision"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "elasticbeanstalk:*",
                        "ec2:*",
                        "elasticloadbalancing:*",
                        "autoscaling:*",
                        "cloudwatch:*",
                        "s3:*",
                        "sns:*",
                        "cloudformation:*",
                        "rds:*",
                        "sqs:*",
                        "ecs:*"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "lambda:InvokeFunction",
                        "lambda:ListFunctions"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "opsworks:CreateDeployment",
                        "opsworks:DescribeApps",
                        "opsworks:DescribeCommands",
                        "opsworks:DescribeDeployments",
                        "opsworks:DescribeInstances",
                        "opsworks:DescribeStacks",
                        "opsworks:UpdateApp",
                        "opsworks:UpdateStack"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "cloudformation:CreateStack",
                        "cloudformation:DeleteStack",
                        "cloudformation:DescribeStacks",
                        "cloudformation:UpdateStack",
                        "cloudformation:CreateChangeSet",
                        "cloudformation:DeleteChangeSet",
                        "cloudformation:DescribeChangeSet",
                        "cloudformation:ExecuteChangeSet",
                        "cloudformation:SetStackPolicy",
                        "cloudformation:ValidateTemplate"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "codebuild:BatchGetBuilds",
                        "codebuild:StartBuild"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "devicefarm:ListProjects",
                        "devicefarm:ListDevicePools",
                        "devicefarm:GetRun",
                        "devicefarm:GetUpload",
                        "devicefarm:CreateUpload",
                        "devicefarm:ScheduleRun"
                    ],
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "servicecatalog:ListProvisioningArtifacts",
                        "servicecatalog:CreateProvisioningArtifact",
                        "servicecatalog:DescribeProvisioningArtifact",
                        "servicecatalog:DeleteProvisioningArtifact",
                        "servicecatalog:UpdateProduct"
                    ],
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "cloudformation:ValidateTemplate"
                    ],
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "ecr:DescribeImages"
                    ],
                    "Resource": "*"
                }
            ],
            "Version": "2012-10-17"
        }'

Outputs:
  CodeBuildServiceRoleExportThingArn:
    Description: 'ARN of code-build service role, to be imported by CodeBuild stacks'
    Value: !GetAtt CodeBuildServiceRole.Arn
    Export:
      Name: CodeBuildServiceRoleArn

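Question

Both files are in the same directory, so I'm not sure why I am getting this error. I have been stuck on this issue for a while, so I would love some input.

1 answer:

Answer 0: (score: 0)

I don't see you nesting stacks anywhere, so I assume these are two different stacks? In that case, you can't just reference an entity from another stack; they don't know about each other. But you can use a CFN intrinsic function to get the stack output.

Keep in mind that the stack with CodeBuildServiceRole must be run first. Also, I'd suggest adding something unique to the export (perhaps the stack name) so that there are no naming collisions.

Then this should work: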

Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      ServiceRole: !ImportValue CodeBuildServiceRoleArn
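
The answer's two suggestions carried through as a pair of templates (an added example, not part of the original answer): the export name is prefixed with the stack name, and the project stack imports it. The file names, the `RoleStackName` parameter, the image and the repository URL are assumptions; the role is trimmed to the cross-stack wiring, with its permissions policy as in the question.

```yaml
# File 1 (hypothetical name: role-stack.yaml), deployed first.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /service-role/
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
Outputs:
  CodeBuildServiceRoleArn:
    Description: ARN of the CodeBuild service role, imported by CodeBuild stacks
    Value: !GetAtt CodeBuildServiceRole.Arn
    Export:
      # Export names must be unique per account and region, so prefix
      # the name with this stack's name.
      Name: !Sub '${AWS::StackName}-CodeBuildServiceRoleArn'
---
# File 2 (hypothetical name: project-stack.yaml), deployed second.
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  RoleStackName:  # hypothetical parameter: name given to the File 1 stack
    Type: String
Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      # Long form: the short form !ImportValue cannot contain !Sub.
      ServiceRole:
        Fn::ImportValue: !Sub '${RoleStackName}-CodeBuildServiceRoleArn'
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:7.0
      Source:
        Type: GITHUB
        Location: https://github.com/example-org/example-repo.git  # placeholder
```

While the project stack imports the value, CloudFormation will not let the role stack delete or change that export.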