在 CodeBuild 中使用自定义转换时运行 cloudformation 模板失败答案

【问题标题】：Running cloudformation template fails when using custom Transform in CodeBuild在 CodeBuild 中使用自定义转换时运行 cloudformation 模板失败
【发布时间】：2019-12-28 03:25:34
【问题描述】：

我的一个构建步骤运行一个具有自定义转换的 cloudformation 模板。转换在 us-east-1 中可用，这是运行代码构建的同一区域。当我使用本地 cli 运行相同的 cloudformation 模板时，它可以工作。您能否提供如何让这种转换在代码构建容器中工作。

我的本地cli是aws-cli/1.16.223 Python/3.6.0 Windows/10 botocore/1.12.213

During handling of the above exception, another exception occurred: 

Traceback (most recent call last): 
  File "/usr/local/lib/python3.6/dist-packages/awscli/clidriver.py", line 207, in main 
    return command_table[parsed_args.command](remaining, parsed_args) 
  File "/usr/local/lib/python3.6/dist-packages/awscli/clidriver.py", line 348, in __call__ 
    return command_table[parsed_args.operation](remaining, parsed_globals) 

  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/commands.py", line 187, in __call__ 
    return self._run_main(parsed_args, parsed_globals) 
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deploy.py", line 295, in _run_main 
    parsed_args.fail_on_empty_changeset) 
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deploy.py", line 310, in deploy 
    tags=tags 
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deployer.py", line 227, in create_and_wait_for_changeset 
    self.wait_for_changeset(result.changeset_id, stack_name) 
  File "/usr/local/lib/python3.6/dist-packages/awscli/customizations/cloudformation/deployer.py", line 178, in wait_for_changeset 
    .format(ex, status, reason)) 
RuntimeError: Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Failed to execute transform REDACTED::ALKSify 
2019-08-21 17:03:42,717 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255 

Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Failed to execute transform REDACTED::ALKSify

【问题讨论】：

您可能有更多关于 CloudFormation 控制台中的故障的详细信息。如果调用了转换 lambda，您还可以在 CloudWatch 中获得更多详细信息。
@LaurentJalbertSimard CloudFormation 或 CloudWatch 中没有任何其他信息

标签： amazon-cloudformation aws-cli aws-codebuild

【解决方案1】：

我刚遇到同样的问题，可以如下解决。

您需要将以下 2 个权限添加到您的 CodeBuild 项目的 IAM 角色。

在宏资源本身上允许"cloudformation:CreateChangeSet" !Sub ${AWS::AccountId}::ALKSify
在实现宏的 lambda 函数上允许 "lambda:InvokeFunction"。

所以它看起来像：

  BuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: codebuild.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: codebuild
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: lambda
                Effect: Allow
                Action:
                  - "lambda:InvokeFunction"
                Resource:
                  - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:<MACRO FUNCTION NAME>"
              - Sid: macro
                Effect: Allow
                Action:
                  - "cloudformation:CreateChangeSet"
                Resource:
                  - !Sub "${AWS::AccountId}::<MACRO NAME>"

              .... <Other Permissions>

干杯，斯坦

【讨论】：