
Setting up a Lambda function triggered by a scheduled event source with Terraform


I want to run an AWS Lambda function every five minutes. In the AWS Management Console this is easy to set up, under the "Event Sources" tab of the Lambda function, but how do I set it up with Terraform?

I tried using an aws_lambda_event_source_mapping resource, but it turns out the API it uses only supports events from Kinesis and DynamoDB. When I tried to use it with a scheduled event source, the creation timed out.

2 Answers

  • 51

    You can use the aws_cloudwatch_event_target resource to tie the scheduled event source (event rule) to your Lambda function. You also need to grant it permission to invoke the Lambda function; you can use the aws_lambda_permission resource for that.

    Example:

    # The function itself. The role ARN is a placeholder; point it at a role
    # whose trust policy allows lambda.amazonaws.com to assume it.
    resource "aws_lambda_function" "check_foo" {
        filename      = "check_foo.zip"
        function_name = "checkFoo"
        role          = "arn:aws:iam::424242:role/something"
        handler       = "index.handler"
        runtime       = "nodejs18.x" # assumed runtime; current AWS provider versions require one
    }
    
    # The scheduled event source: a rule that fires on a fixed rate.
    resource "aws_cloudwatch_event_rule" "every_five_minutes" {
        name                = "every-five-minutes"
        description         = "Fires every five minutes"
        schedule_expression = "rate(5 minutes)"
    }
    
    # Bind the rule to the function as its target.
    resource "aws_cloudwatch_event_target" "check_foo_every_five_minutes" {
        rule      = aws_cloudwatch_event_rule.every_five_minutes.name
        target_id = "check_foo"
        arn       = aws_lambda_function.check_foo.arn
    }
    
    # Resource-based policy on the function: allow the events service to invoke it,
    # restricted by source_arn to this one rule.
    resource "aws_lambda_permission" "allow_cloudwatch_to_call_check_foo" {
        statement_id  = "AllowExecutionFromCloudWatch"
        action        = "lambda:InvokeFunction"
        function_name = aws_lambda_function.check_foo.function_name
        principal     = "events.amazonaws.com"
        source_arn    = aws_cloudwatch_event_rule.every_five_minutes.arn
    }
    
  • 0

    Verbjorn Ljosa's answer only covers the permission for CloudWatch to invoke the Lambda. Have you specified the correct policy and IAM role that allow the Lambda to do its work?

    # The execution role. assume_role_policy takes the policy document itself,
    # so the file has to be read with file(), not passed as a path string.
    resource "aws_iam_role" "check_foo_role" {
      name               = "check-foo-assume-role"
      assume_role_policy = file("assume_role_policy.json")
    }
    

    with assume_role_policy.json:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }
    

    and a policy that references the role above, i.e. something like

    # Inline policy attached to the role (resource type is aws_iam_role_policy;
    # policy, like assume_role_policy, needs the document, so read the file).
    resource "aws_iam_role_policy" "check-foo-policy" {
      name   = "check-foo-lambda-policy"
      # referencing the iam role above
      role   = aws_iam_role.check_foo_role.id
      policy = file("check-foo-policy.json")
    }
    

    Finally, specify the policy JSON, check-foo-policy.json:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": ["*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "abc:SomeAction",
            "abc:AnotherAction"
          ],
          "Resource": "some-arn-matching-the-actions"
        }
      ]
    }
    

    Note that you cannot specify a resource restriction for the log-related actions. abc:SomeAction could be, for example, ssm:GetParameter, with an accompanying resource such as "arn:aws:ssm:us-east-1:${your-aws-account-id}:parameter/some/parameter/path/*".
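Pulling both answers together, here is an added example (not code from either answer) of the same scheduled function written as a single, least-privilege configuration in current Terraform syntax: the trust and execution policies are generated with aws_iam_policy_document data sources instead of loose JSON files, the Logs permissions are scoped to the function's own log group rather than "*", the one application permission is scoped to a single SSM parameter, and the invoke grant is restricted to the one rule via source_arn. The region, the src/ directory, the parameter path and the runtime are assumptions for illustration.

```hcl
# Added example, not from the original answers. Region, paths and names are assumed.
provider "aws" {
  region = "us-east-1" # assumed region
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  function_name = "checkFoo"
  # Log group that Lambda creates for this function; used to scope the logs permissions.
  log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.function_name}"
}

# Trust policy: only the Lambda service may assume the execution role.
data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "check_foo" {
  name               = "check-foo-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

# Execution policy: write only to this function's log group and streams, and
# read only one SSM parameter (assumed path) instead of a wildcard.
data "aws_iam_policy_document" "check_foo" {
  statement {
    sid       = "WriteOwnLogs"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [local.log_group_arn, "${local.log_group_arn}:*"]
  }
  statement {
    sid       = "ReadOneParameter"
    actions   = ["ssm:GetParameter"]
    resources = ["arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/check-foo/config"]
  }
}

resource "aws_iam_role_policy" "check_foo" {
  name   = "check-foo-policy"
  role   = aws_iam_role.check_foo.id
  policy = data.aws_iam_policy_document.check_foo.json
}

# Package the handler from ./src (assumed to contain index.js exporting "handler").
data "archive_file" "check_foo" {
  type        = "zip"
  source_dir  = "${path.module}/src"
  output_path = "${path.module}/check_foo.zip"
}

resource "aws_lambda_function" "check_foo" {
  function_name    = local.function_name
  role             = aws_iam_role.check_foo.arn
  handler          = "index.handler"
  runtime          = "nodejs18.x" # assumed runtime
  filename         = data.archive_file.check_foo.output_path
  source_code_hash = data.archive_file.check_foo.output_base64sha256
}

# The scheduled event source.
resource "aws_cloudwatch_event_rule" "every_five_minutes" {
  name                = "every-five-minutes"
  description         = "Fires every five minutes"
  schedule_expression = "rate(5 minutes)"
}

resource "aws_cloudwatch_event_target" "check_foo" {
  rule      = aws_cloudwatch_event_rule.every_five_minutes.name
  target_id = "check_foo"
  arn       = aws_lambda_function.check_foo.arn
}

# Resource-based policy on the function. source_arn limits the grant to this one
# rule; without it the grant applies to any rule in the events service that is
# pointed at the function.
resource "aws_lambda_permission" "allow_events" {
  statement_id  = "AllowExecutionFromEventBridge"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.check_foo.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.every_five_minutes.arn
}
```

Run `terraform init` followed by `terraform plan` to check the rendered policy documents before applying; the plan output shows the exact JSON that aws_iam_policy_document produces, which is the easiest place to confirm that no statement still carries a "*" resource.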
