Terraform 多个 cloudwatch 事件触发相同的 lambda 函数

Question

我在 Terraform 中设置了以下内容。所以有两个事件规则，早上 8 点开始事件，下午 6 点停止事件。

# Create cloudwatch event rules
resource "aws_cloudwatch_event_rule" "stop_ec2_event_rule" {
  name        = "stop-ec2-event-rule"
  description = "Stop EC2 instance at a specified time each day"
  schedule_expression = var.cloudwatch_schedule_stop
}

resource "aws_cloudwatch_event_rule" "start_ec2_event_rule" {
  name        = "start-ec2-event-rule"
  description = "Start EC2 instance at a specified time each day"
  schedule_expression = var.cloudwatch_schedule_start
}

每个事件都将一个动作传递给 lambda

resource "aws_cloudwatch_event_target" "stop_ec2_event_rule_target" {
  rule      = aws_cloudwatch_event_rule.stop_ec2_event_rule.name
  target_id = "TriggerLambdaFunction"
  arn       = aws_lambda_function.lambda_rscheduler.arn
  input     = "{\"environment\":\"${var.environment}\", \"action\":\"stop\"}"
}

resource "aws_cloudwatch_event_target" "start_ec2_event_rule_target" {
  rule      = aws_cloudwatch_event_rule.start_ec2_event_rule.name
  target_id = "TriggerLambdaFunction"
  arn       = aws_lambda_function.lambda_rscheduler.arn
  input     = "{\"environment\":\"${var.environment}\", \"action\":\"start\"}"
}

这行得通

resource "aws_lambda_permission" "allow_cloudwatch" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.lambda_rscheduler.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.stop_ec2_event_rule.arn

我面临的这个问题是我无法让 Terraform 将 start_event 与 lambda 函数相关联。我进入 AWS 控制台，可以手动将 CloudWatch start_event 触发器添加到 lambda 函数。

如果我有 start_event 资源

resource "aws_lambda_permission" "allow_cloudwatch" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.lambda_rscheduler.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.start_ec2_event_rule.arn

它会抱怨 statement_id 重复。

我需要类似 terraform aws_lambda_event_source_mapping 之类的东西，但它只允许 Lambda 函数从 Kinesis、DynamoDB 和 SQS 获取事件；而不是 CloudWatch 事件。

如何告诉 terraform 将多个 cloudwatch 事件关联到同一个 lambda 函数；什么时候可以从 AWS 控制台手动完成？

Answer 1

statement_id 不是强制性的，因此您可以放心地从您的aws_lambda_permission 中省略它，terraform 会自动为您生成唯一的 id。您还可以使用count 或for_each 为aws_lambda_permission 节省一些输入。

例如，使用for_each，您可以将aws_lambda_permission 定义为：

resource "aws_lambda_permission" "allow_cloudwatch" {
  
  for_each      = {for idx, v in [
      aws_cloudwatch_event_rule.stop_ec2_event_rule,
      aws_cloudwatch_event_rule.start_ec2_event_rule
  ]: idx => v}
  
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.lambda_rscheduler.function_name
  principal     = "events.amazonaws.com"
  source_arn    = each.value.arn
}

可以为aws_cloudwatch_event_rule 和aws_cloudwatch_event_target 编写类比版本，这样您的代码就可以基于for_each 或count，而无需重复复制粘贴。