【Title】: How to use Terraform to define CloudWatch event rules that trigger a Step Functions state machine
【Posted】: 2021-04-11 07:22:13
【Description】:

I have already defined the creation of a Step Functions state machine in Terraform, and now I want to set up a timer that triggers the state machine once a day. I think a CloudWatch event rule is probably a good choice for this. I know how to set up an event rule that triggers a Lambda:

resource "aws_cloudwatch_event_rule" "lambda_event_rule" {
  name                = xxx
  schedule_expression = xxx
  description         = xxx
}

resource "aws_cloudwatch_event_target" "lambda_event_target" {
  target_id = xxx
  rule      = aws_cloudwatch_event_rule.lambda_event_rule.name
  arn       = xxx
}

# I must set up the right permissions using 'aws_lambda_permission'
# see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target

resource "aws_lambda_permission" "lambda_event_permission" {
  statement_id  = xxx
  action        = "lambda:InvokeFunction"
  function_name = xxx
  principal     = "events.amazonaws.com"
  # source_arn must be the rule's ARN, not its name
  source_arn    = aws_cloudwatch_event_rule.lambda_event_rule.arn
}

But how do I set up the permission part for triggering the state machine? I can't find any example of it. Am I missing something? Is it because no permission configuration is needed for the state machine? Can someone help?

Here is what I have so far for triggering the state machine with a CloudWatch event rule:

resource "aws_cloudwatch_event_rule" "step_function_event_rule" {
  name                = xxx
  schedule_expression = xxx
  description         = xxx
}

resource "aws_cloudwatch_event_target" "step_function_event_target" {
  target_id = xxx
  rule      = aws_cloudwatch_event_rule.step_function_event_rule.name
  arn       = xxx
}


????? What else should I add here?

PS: I found that someone asked a similar question here, but it has no answer yet.

【Question discussion】:

    Tags: amazon-web-services terraform state-machine aws-step-functions amazon-cloudwatch-events


    【Solution 1】:

    I'm not very familiar with Terraform, but it seems to follow the same pattern as the official docs. For the target, see https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutTargets.html >> the section "Adding a Step Functions state machine as a target":

    {
        "Rule": "testrule",
        "Targets": [
            {
                "RoleArn": "arn:aws:iam::123456789012:role/MyRoleToAccessStepFunctions",
                "Arn": "arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorld"
            }
        ]
    }
    

    This tells me you need to pass both the role and the ARN. So, using your example, this is what you probably need to fill in:

    resource "aws_cloudwatch_event_rule" "step_function_event_rule" {
      name                = <something unique>
      schedule_expression = <syntax described in https://docs.aws.amazon.com/eventbridge/latest/userguide/scheduled-events.html>
      description         = <something descriptive>
    }
    
    resource "aws_cloudwatch_event_target" "step_function_event_target" {
      target_id = <something unique>
      rule      = aws_cloudwatch_event_rule.step_function_event_rule.name
      arn       = <step function arn>
      role_arn  = <role that allows eventbridge to start execution on your behalf>
    }
    

    【Discussion】:

    • Is target_id = <something unique> a required field?
    • I just checked the docs; it's optional, but I included it anyway. Thanks.
    • Based on docs.aws.amazon.com/eventbridge/latest/APIReference/…, it seems to be required. If you don't set it, maybe Terraform creates one for you.
    • When I ran `terraform plan`, it showed an extra field `+ event_bus_name = "default"` on the event rule. I think it's better to include it in the script; otherwise it will be set to the default.
    • Yes. It will be set to the default.
    【Solution 2】:

        resource "aws_lambda_permission" "lambda_event_permission" {
          statement_id  = xxx
          action        = "lambda:InvokeFunction"
          function_name = xxx
          principal     = "events.amazonaws.com"
          # source_arn must be the rule's ARN, not its name
          source_arn    = aws_cloudwatch_event_rule.lambda_event_rule.arn
        }
    

    The part above is not needed at all in your case; it is only required, as the docs put it, "to be able to have your EventBridge rule invoke your AWS Lambda function or SNS topic".

    As blr said in his answer, you need to add role_arn to aws_cloudwatch_event_target, set up a role whose assume_role_policy grants access to states.amazonaws.com and events.amazonaws.com, and attach an additional policy like the following to that role:

        # Needed for the account ID interpolated into the policy below.
        data "aws_caller_identity" "current" {}

        # Trust policy: who may assume the role.
        data "aws_iam_policy_document" "CW2SF_allowexec" {
          statement {
            actions = [
              "sts:AssumeRole"
            ]

            principals {
              type = "Service"
              identifiers = [
                "states.amazonaws.com",
                "events.amazonaws.com"
              ]
            }
          }
        }

        resource "aws_iam_role" "CW2SF_allowexec" {
          name               = "AWS_Events_Invoke-StepFunc"
          assume_role_policy = data.aws_iam_policy_document.CW2SF_allowexec.json
        }

        # Inline policy: what the role may do once assumed.
        # var.region must be declared elsewhere in the module.
        resource "aws_iam_role_policy" "state-execution" {
          name = "CW2SF_allowexec"
          role = aws_iam_role.CW2SF_allowexec.id

          # Indented heredoc (<<-) so the closing marker may stay indented.
          policy = <<-EOF
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "states:StartExecution"
                ],
                "Resource": [
                  "arn:aws:states:${var.region}:${data.aws_caller_identity.current.account_id}:stateMachine:data-pipeline-incremental"
                ]
              }
            ]
          }
          EOF
        }
    

    You need to establish trust between CloudWatch and Step Functions with AssumeRole, then attach an inline or managed policy to that role that specifically allows the role to start executions of the state machine.

    【Discussion】:
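Putting the two answers together, the following is an added example (not code from the question or from either answer) of the complete wiring: the scheduled rule, the role EventBridge assumes, the permission that role carries, and the target that ties them to the state machine. It assumes the state machine already exists in the same module as `aws_sfn_state_machine.pipeline`; every other name, and the cron expression, is illustrative. It deliberately departs from Solution 2 in two places: the trust policy names only events.amazonaws.com (Step Functions never assumes this role, so trusting states.amazonaws.com grants nothing useful), and it conditions the assume-role call on aws:SourceAccount and aws:SourceArn so that only this rule, in this account, can use the role. The StartExecution grant is scoped to the one state machine ARN rather than to a hand-built ARN string.

```hcl
# Added example; not part of the original question or answers.
# Assumes aws_sfn_state_machine.pipeline is defined elsewhere in this module.

data "aws_caller_identity" "current" {}

# 1. The schedule. Scheduled rules only exist on the default bus; setting
#    event_bus_name explicitly also removes the "+ event_bus_name" line
#    from the plan that the comments above mention.
resource "aws_cloudwatch_event_rule" "daily" {
  name                = "start-pipeline-daily"
  description         = "Start the pipeline state machine once a day"
  schedule_expression = "cron(0 3 * * ? *)" # 03:00 UTC every day (illustrative)
  event_bus_name      = "default"
}

# 2. Trust policy: only EventBridge may assume this role, and only when
#    acting for this specific rule in this account (confused-deputy guard).
data "aws_iam_policy_document" "eventbridge_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.daily.arn]
    }
  }
}

resource "aws_iam_role" "eventbridge_start_pipeline" {
  name               = "eventbridge-start-pipeline"
  assume_role_policy = data.aws_iam_policy_document.eventbridge_trust.json
}

# 3. Permissions: exactly one action on exactly one state machine.
data "aws_iam_policy_document" "start_execution" {
  statement {
    actions   = ["states:StartExecution"]
    resources = [aws_sfn_state_machine.pipeline.arn]
  }
}

resource "aws_iam_role_policy" "start_execution" {
  name   = "start-execution"
  role   = aws_iam_role.eventbridge_start_pipeline.id
  policy = data.aws_iam_policy_document.start_execution.json
}

# 4. The target: the state machine ARN plus the role EventBridge assumes.
#    There is no aws_lambda_permission equivalent for Step Functions; the
#    role above is the entire permission model for this target.
resource "aws_cloudwatch_event_target" "start_pipeline" {
  rule      = aws_cloudwatch_event_rule.daily.name
  target_id = "start-pipeline"
  arn       = aws_sfn_state_machine.pipeline.arn
  role_arn  = aws_iam_role.eventbridge_start_pipeline.arn

  # Optional constant input handed to each execution (illustrative).
  input = jsonencode({
    mode = "incremental"
  })
}
```

The dependency chain is rule, then trust policy (which references the rule ARN), then role, then target, so Terraform orders the creates correctly without any depends_on. If the state machine's ARN is only known after apply, the plan shows the `resources` entry of the StartExecution policy as "known after apply", which is expected.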
