【发布时间】:2021-11-26 00:14:28
【问题描述】:
我正在尝试设置一个 S3 存储桶,它会在创建新对象时通知 Lambda 函数。
下面的堆栈工作正常,但我想按照最佳实践将SourceArn 添加到 Lambda 权限。
有一些文献表明这样做的方法是通过字符串而不是Fn::GetAtt/Arn -
但如果我取消注释相关的 SourceArn 行并重新部署,我会得到 -
Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: TBZDEVZ1HVD9EN0Q; S3 Extended Request ID: gL3CRz6UayvHup5i5oC4+/RMm0p1oRaRrPVtfZrykeAaJ1BVuhNSKkqxQ8TL5sy749d9PtbMOEQ=; Proxy: null)
哼哼。再次查看文章,我看到 MyBucket 需要依赖于 MyBucketFunctionPermission - 但如果我取消注释并重新部署,我现在得到 -
An error occurred (ValidationError) when calling the CreateChangeSet operation: Circular dependency between resources: [MyBucketFunctionPermission, MyBucket]
这是一个新鲜的地狱圈。我是否遗漏了文章中的某些内容,或者是否有其他 SourceArn 格式 + DependsOn 的组合可以使其正常工作?
TIA。
AWSTemplateFormatVersion: '2010-09-09'
Outputs: {}
Parameters: {}
Resources:
MyBucket:
# DependsOn:
# - MyBucketFunctionPermission
Properties:
NotificationConfiguration:
LambdaConfigurations:
- Event: s3:ObjectCreated:*
Function:
Fn::GetAtt:
- MyBucketFunction
- Arn
Type: AWS::S3::Bucket
MyBucketFunction:
Properties:
Code:
ZipFile: "def handler(event, context):\n print (event)"
Handler: index.handler
Role:
Fn::GetAtt:
- MyBucketRole
- Arn
Runtime: "python3.8"
Type: AWS::Lambda::Function
MyBucketFunctionPermission:
Properties:
Action: lambda:InvokeFunction
FunctionName:
Ref: MyBucketFunction
Principal: s3.amazonaws.com
# SourceArn:
# Fn::Sub: arn:aws:s3:::${MyBucket}
Type: AWS::Lambda::Permission
MyBucketRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action: logs:*
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName:
Fn::Sub: my-bucket-role-policy-1234567890
Type: AWS::IAM::Role
【问题讨论】:
标签: amazon-web-services amazon-s3 amazon-cloudformation