我有以下cloudformation模板来创建一个cloudwatch事件,一个SQS队列,一个SQSQueuepolicy,当s3对象更新时,允许cloudwatch将日志转发到SQS队列
然而;模板成功完成后 . 我没有看到登录SQS队列,除非我去(通过aws控制台)“cloudwatch” - >选择我的事件 - >点击直到step2事件详细信息'添加权限到SQS队列' - >更新事件
我认为缺少的部分可能是我需要在事件Target中使用“RoleArn”才能授予权限 . 然而; AWS:SQS:QUEUEPOLICY不返回ARN . 我如何使用cloudFormation执行此操作?
谢谢!
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"LucyQueue": {
"Type": "AWS::SQS::Queue",
"Properties": {
"QueueName": "LucySQS"
}
},
"LucyQueuePolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Id": "arn:aws:sqs:ca-central-1:805182230944:LucySQS/SQSDefaultPolicy",
"Statement": [
{
"Sid": "Sid1513273009724",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:SendMessage",
"Resource": {
"Ref": "LucyQueue"
},
"Condition": {
"ArnEquals": {
"aws:SourceArn": {
"Fn::GetAtt": [
"LucyEventRule",
"Arn"
]
}
}
}
}
]
},
"Queues": [
{
"Ref": "LucyQueue"
}
]
}
},
"LucyEventRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"Description": "LucyEventRule",
"EventPattern": {
"source": [
"aws.s3"
],
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventSource": [
"s3.amazonaws.com"
],
"eventName": [
"PutObject",
"UploadPart",
"CreateMultipartUpload"
]
}
},
"State": "ENABLED",
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"LucyQueue",
"Arn"
]
},
"Id": "lucy_event1",
***"RoleArn" : "Do i need this ? if yes, How to get the Arn"***
}
]
}
}
}
}
1 回答
我发现问题是我在QueuePolicy中放错了resourceID
工作模板:
}