Pulumi - 为 CloudTrail 日志创建 S3 存储桶策略 - 资源无效
Pulumi - Creating S3 bucket policy for CloudTrail logs - Invalid resource
我正在使用 Pulumi (Python) 并尝试为 AWS CloudTrail 日志创建一个存储桶。我的代码基于 this 示例。我不断收到以下错误:Error putting S3 policy: MalformedPolicy: Policy has invalid resource
import pulumi
import pulumi_aws as aws
# create a bucket to store CloudTrail logs
cloudtrail_bucket = aws.s3.Bucket("CloudTrailLogs")
# assign policy to bucket
aws_account_id = aws.get_caller_identity().account_id
bucket_policy = aws.s3.BucketPolicy(
"CloudTrailLogsBucketPolicy",
bucket=cloudtrail_bucket.id,
policy=pulumi.Output.all(cloudtrail_bucket.id).apply(
lambda bucket_id: f"""{{
"Version": "2012-10-17",
"Statement": [
{{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {{"Service": "cloudtrail.amazonaws.com"}},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::{bucket_id}"
}},
{{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {{"Service": "cloudtrail.amazonaws.com"}},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{bucket_id}/AWSLogs/{aws_account_id}/*",
"Condition": {{
"StringEquals": {{"s3:x-amz-acl": "bucket-owner-full-control"}}
}}
}}
]
}}
"""
),
)
有人知道问题出在哪里吗?
我当前的环境使用的是:
pulumi==3.9.1
pulumi-aws==4.15.0
您在引用帐户 ID 时并未将其作为 apply/all 语句的一部分。
试试这个:
policy=pulumi.Output.all(cloudtrail_bucket.id, aws_account_id).apply(
lambda args: f"""{{
"Version": "2012-10-17",
"Statement": [
{{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {{"Service": "cloudtrail.amazonaws.com"}},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::{args[0]}"
}},
{{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {{"Service": "cloudtrail.amazonaws.com"}},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{args[0]}/AWSLogs/{args[1]}/*",
"Condition": {{
"StringEquals": {{"s3:x-amz-acl": "bucket-owner-full-control"}}
}}
}}
]
}}
"""
)
我正在使用 Pulumi (Python) 并尝试为 AWS CloudTrail 日志创建一个存储桶。我的代码基于 this 示例。我不断收到以下错误:Error putting S3 policy: MalformedPolicy: Policy has invalid resource
import pulumi
import pulumi_aws as aws
# create a bucket to store CloudTrail logs
cloudtrail_bucket = aws.s3.Bucket("CloudTrailLogs")
# assign policy to bucket
aws_account_id = aws.get_caller_identity().account_id
bucket_policy = aws.s3.BucketPolicy(
"CloudTrailLogsBucketPolicy",
bucket=cloudtrail_bucket.id,
policy=pulumi.Output.all(cloudtrail_bucket.id).apply(
lambda bucket_id: f"""{{
"Version": "2012-10-17",
"Statement": [
{{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {{"Service": "cloudtrail.amazonaws.com"}},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::{bucket_id}"
}},
{{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {{"Service": "cloudtrail.amazonaws.com"}},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{bucket_id}/AWSLogs/{aws_account_id}/*",
"Condition": {{
"StringEquals": {{"s3:x-amz-acl": "bucket-owner-full-control"}}
}}
}}
]
}}
"""
),
)
有人知道问题出在哪里吗?
我当前的环境使用的是:
pulumi==3.9.1
pulumi-aws==4.15.0
您在引用帐户 ID 时并未将其作为 apply/all 语句的一部分。
试试这个:
policy=pulumi.Output.all(cloudtrail_bucket.id, aws_account_id).apply(
lambda args: f"""{{
"Version": "2012-10-17",
"Statement": [
{{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {{"Service": "cloudtrail.amazonaws.com"}},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::{args[0]}"
}},
{{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {{"Service": "cloudtrail.amazonaws.com"}},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{args[0]}/AWSLogs/{args[1]}/*",
"Condition": {{
"StringEquals": {{"s3:x-amz-acl": "bucket-owner-full-control"}}
}}
}}
]
}}
"""
)