使用2个单独的策略时出现格式错误的策略错误

时间:2020-07-14 13:18:04

标签: json amazon-web-services terraform amazon-iam terraform-provider-aws

我有以下与terraform一起使用的json文件,用于执行以下操作:

  1. 允许部署我的Lambda函数
  2. 在调用lambda函数时,允许创建日志组。
  3. 允许创建根据lambda函数的日期命名的日志记录 鼓动。

这个想法是要自动创建这些日志组/记录,这样我就不必每天进入CloudWatch并创建一个新的日志了。

main.tf:

provider "aws" {
  access_key = "foo"
  secret_key = "foo"
  region = "us-east-1"
}

resource "aws_lambda_function" "greet_lambda" {
  filename = "greet_lambda.py.zip"
  function_name = "greet_lambda"
  role = aws_iam_role.iam_for_lambda.arn
  handler = "greet_lambda.lambda_handler"
  depends_on = [aws_iam_role_policy_attachment.lambda_logs]
  runtime = "python3.7"
  environment {
    variables = {greeting = "Hi"}
  }
}

resource "aws_cloudwatch_log_group" "greet_lambda" {
  name = "/aws/lambda/greet_lambda"
}

resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda"
  assume_role_policy = file("iam_for_lambda.json")
}

resource "aws_iam_policy" "lambda_logging" {
  name = "lambda_logging"
  path = "/"
  description = "IAM policy for logging from a lambda"
  policy = file("lambda_policy.json")
}

resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role = aws_iam_role.iam_for_lambda.name
  policy_arn = aws_iam_policy.lambda_logging.arn
  depends_on = [aws_iam_role.iam_for_lambda, aws_iam_policy.lambda_logging]
}

lambda_policy.json 

{
    "Version": "2012-10-17",
    "Statement": [{
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:003618259171:log-group:/aws/lambda/greet_lambda:*",
      "Effect": "Allow"
      }
    ]
  }

iam_for_lambda:

{
    "Version": "2012-10-17",
    "Statement": [{
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
    "Effect": "Allow",
    "Sid": "" 
  }
  ]
}

问题:一切似乎都正确部署,但是当调用lambda函数时,不会在日志组内自动创建日志流。

1 个答案:

答案 0 :(得分:0)

这是我最终制作的有效代码:

main.tf:

provider "aws" {
  access_key = ""
  secret_key = ""
  region = ""
}

resource "aws_lambda_function" "greet_lambda" {
  filename      = "greet_lambda.py.zip"
  function_name = "greet_lambda"
  role          = "${aws_iam_role.iam_for_lambda.arn}"
  handler       = "greet_lambda.lambda_handler"
  depends_on = ["aws_iam_role_policy_attachment.lambda_logs", "aws_cloudwatch_log_group.example"]
  source_code_hash = "${filebase64sha256("greet_lambda.py.zip")}"
  runtime = "python3.7"
  environment {
    variables = {greeting = "Hi"}
  }
}

resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}


resource "aws_cloudwatch_log_group" "example" {
  name              = "/aws/lambda/greet_lambda"
  retention_in_days = 14
}


resource "aws_iam_policy" "lambda_logging" {
  name        = "lambda_logging"
  path        = "/"
  description = "IAM policy for logging from a lambda"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = "${aws_iam_role.iam_for_lambda.name}"
  policy_arn = "${aws_iam_policy.lambda_logging.arn}"
}
相关问题
最新问题