CloudWatch Events Rule not finding EC2 targets using tags
I have a CloudWatch Event Rule that triggers an SSM Run Command Document. The targets are identified using tags. My resources are defined in the following CloudFormation template:
```yaml
SSMRunCommandDocument:
  Type: AWS::SSM::Document
  Properties:
    DocumentType: 'Command'
    Content:
      schemaVersion: '2.2'
      description: "Some description"
      mainSteps:
        - action: "aws:runShellScript"
          name: runShellScript
          inputs:
            runCommand:
              - !Sub |
                #!/bin/bash -e
                echo "Hello Whosebug!" > test.log
    Tags:
      - Key: Name
        Value: EC2Name
      - Key: Environment
        Value: DEV

CloudWatchEventRule:
  Type: AWS::Events::Rule
  Properties:
    Description: "The ARN from the eventbridge role resource"
    EventPattern:
      source:
        - "aws.autoscaling"
      detail-type:
        - "EC2 Instance-terminate Lifecycle Action"
      detail:
        AutoScalingGroupName:
          - !Ref 'MyAutoScalingGroup'
    State: "ENABLED"
    Targets:
      - Id: "Some target ID."
        Arn: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${SSMRunCommandDocument}"
        RoleArn: "The ARN from the eventbridge role resource"
        RunCommandParameters:
          RunCommandTargets:
            - Key: "tag: Name"
              Values:
                - EC2Name
            - Key: "tag: Environment"
              Values:
                - DEV
```
I have the following role, whose ARN is used in the CloudFormation template above:
```yaml
AutoScalingLifecycleHookEventRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service:
              - events.amazonaws.com
          Action: 'sts:AssumeRole'
    Description: "The role that will be used by AWS EventBridge to start an SSM Run Command document."

AutoScalingLifecycleHookEventManagedPolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'ssm:StartAutomationExecution'
          Resource:
            - "arn:*:ssm:*:*:automation-definition/AWS-RunShellScript*"
          Effect: Allow
        - Action:
            - "iam:PassRole"
          Resource:
            - "arn:*:ssm:*:*:role/*"
          Effect: Allow
        - Action:
            - 'ssm:*'
          Resource:
            - "arn:*:ssm:*:*:*"
          Effect: Allow
        - Action:
            - "ssm:SendCommand"
          Resource:
            - !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
            - !Sub "arn:aws:ssm:${AWS::Region}:*:document/*"
          Effect: Allow
    Roles:
      - !Ref AutoScalingLifecycleHookEventRole
```
Manually, I can trigger the Run Command with the same tags specified in the CloudFormation template just fine. But when the Run Command is triggered by the Event Rule, the history on the Run Command page tells us that no targets were found this time:

Which permission or configuration am I missing?
It turns out the space in the `tag: tag-key` field should not be there:
```yaml
RunCommandParameters:
  RunCommandTargets:
    - Key: "tag:Name"
      Values:
        - EC2Name
    - Key: "tag:Environment"
      Values:
        - DEV
```
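The fix above is a one-character change, but neither CloudFormation nor the SSM API rejected the bad value: a Run Command target `Key` is matched as a literal string, so `"tag: Name"` asks for instances carrying a tag named `" Name"` and silently selects nothing, which is exactly the empty-target history the question describes. The script below is an added example, not code from the original question or answer. It assumes the template has been loaded into a Python dict (a constructed JSON fragment is embedded, since a plain YAML loader needs custom constructors for `!Ref`/`!Sub`); it flags `RunCommandTargets` keys with whitespace or a form SSM does not accept and prints the corrected key. It also flags the `ssm:*` grant in the posted managed policy, which is far broader than the `ssm:SendCommand` on the document and instance ARNs that an EventBridge rule target actually needs (the `iam:PassRole` statement scoped to `arn:*:ssm:*:*:role/*` also matches nothing, because role ARNs are in the `iam` service). Resource names and tag values are constructed for illustration.

```python
"""Lint CloudFormation EventBridge rules that invoke SSM Run Command.

Added example; not code from the original question or answer. The template
is embedded as a constructed JSON fragment; a YAML loader that understands
CloudFormation's !Ref/!Sub tags would yield the same dict shape.
"""
from __future__ import annotations

import json
import re

# Key forms SSM accepts for a Run Command target. The key is matched
# literally, so "tag: Name" looks for a tag literally named " Name".
TARGET_KEY_RE = re.compile(
    r"^(InstanceIds|tag-key|tag:\S+|resource-groups:Name"
    r"|resource-groups:ResourceTypeFilters)$"
)


def key_problem(key: str) -> str | None:
    """Describe what is wrong with a RunCommandTargets Key, or return None."""
    if re.search(r"\s", key):
        return "whitespace in Key: SSM matches it literally, so no instance is selected"
    if not TARGET_KEY_RE.fullmatch(key):
        return "Key is not InstanceIds, tag-key, tag:<name> or a resource-groups form"
    return None


def fixed_key(key: str) -> str:
    """Suggested correction: strip whitespace around the 'tag:' prefix and the name."""
    return re.sub(r"^\s*tag:\s*", "tag:", key).strip()


def lint_run_command_targets(template: dict) -> list[dict]:
    """Report every AWS::Events::Rule target whose RunCommandTargets Key is bad."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Events::Rule":
            continue
        for target in res.get("Properties", {}).get("Targets", []):
            params = target.get("RunCommandParameters") or {}
            for rct in params.get("RunCommandTargets", []):
                key = rct.get("Key", "")
                problem = key_problem(key)
                if problem:
                    findings.append({"resource": name, "target": target.get("Id"),
                                     "key": key, "problem": problem,
                                     "suggested": fixed_key(key)})
    return findings


def broad_ssm_statements(template: dict) -> list[str]:
    """Name IAM policies granting ssm:* or *; a rule target needs only ssm:SendCommand."""
    hits = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
            continue
        for stmt in res["Properties"]["PolicyDocument"].get("Statement", []):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if stmt.get("Effect") == "Allow" and any(a in ("ssm:*", "*") for a in actions):
                hits.append(name)
    return hits


# Constructed template fragment mirroring the question's rule and policy.
TEMPLATE_JSON = """
{
  "Resources": {
    "CloudWatchEventRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Targets": [{
          "Id": "RunCommandOnTerminate",
          "Arn": {"Fn::Sub": "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${SSMRunCommandDocument}"},
          "RunCommandParameters": {"RunCommandTargets": [
            {"Key": "tag: Name", "Values": ["EC2Name"]},
            {"Key": "tag: Environment", "Values": ["DEV"]}
          ]}
        }]
      }
    },
    "AutoScalingLifecycleHookEventManagedPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ssm:*"], "Resource": ["arn:*:ssm:*:*:*"]}
      ]}}
    }
  }
}
"""
TEMPLATE = json.loads(TEMPLATE_JSON)

if __name__ == "__main__":
    for f in lint_run_command_targets(TEMPLATE):
        print(f"{f['resource']}/{f['target']}: Key {f['key']!r}: {f['problem']} (use {f['suggested']!r})")
    for name in broad_ssm_statements(TEMPLATE):
        print(f"{name}: grants ssm:*; scope the rule role to ssm:SendCommand on the document and instance ARNs")
```

Run it against a template exported with `aws cloudformation get-template` (JSON) or after loading YAML with CloudFormation-aware constructors; a finding on a `tag:` key is the signal to fix the template rather than to widen the role's permissions, which is what the question first suspected.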