Ansible Cloudwatch规则报告调用失败 [英] Ansible Cloudwatch rule reports failed invocations
问题描述
我创建了一个AWS lambda,它在测试时以及通过cloudwatch规则手动创建cron作业时都能很好地工作。
I have created an AWS lambda that works well when I test it and when I create a cron job manually through a cloudwatch rule.
它将指标报告为调用(
It reports metrics as invocations (not failed) and also logs with details about the execution.
然后我决定删除该手动创建的cloudwatch规则,以创建一个具有ansible的规则。
Then I decided to remove that manually created cloudwatch rule in order to create one with ansible.
- name: Create lambda service.
lambda:
name: "{{ item.name }}"
state: present
zip_file: "{{ item.zip_file }}"
runtime: 'python2.7'
role: 'arn:aws:iam::12345678901:role/lambda_ecr_delete'
handler: 'main.handler'
region: 'eu-west-2'
environment_variables: "{{ item.env_vars }}"
with_items:
- name: lamda_ecr_cleaner
zip_file: assets/scripts/ecr-cleaner.zip
env_vars:
'DRYRUN': '0'
'IMAGES_TO_KEEP': '20'
'REGION': 'eu-west-2'
register: new_lambda
- name: Schedule a cloudwatch event.
cloudwatchevent_rule:
name: ecr_delete
schedule_expression: "rate(1 day)"
description: Delete old images in ecr repo.
targets:
- id: ecr_delete
arn: "{{ item.configuration.function_arn }}"
with_items: "{{ new_lambda.results }}"
这几乎创建了完全相同的cloudwatch规则。我与手动创建的唯一的区别是在目标中,当lambda版本/别名设置为version时,手动创建的lambda版本/别名设置为Default,使用ansible创建时,具有相应的版本号。
That creates almost the exact same cloudwatch rule. The only difference I can see with the manually created one is in the targets, the lambda version / alias is set to Default when created manually while it is set to version, with a corresponding version number when created with ansible.
使用ansible创建的cloudwatch规则仅调用失败。
The cloudwatch rule created with ansible has only failed invocations.
知道这是为什么吗?我看不到任何日志。是否可以通过ansible中的cloudwatchevent_rule模块将版本设置为默认?
Any idea why this is? I can't see any logs. Is there a way I can set the version to Default as well with the cloudwatchevent_rule module in ansible?
推荐答案
我已经浪费了几个小时同样,同样的错误和困惑(为什么没有失败发票的日志?),我将分享我的解决方案,它将解决问题并帮助其他人进行调试并找到最终的解决方案。
I've lost hours with this too, same error and same confusion (Why there isn't a log for failed invokations?), I'm going to share my ""solution"", it will solve the problem to someone, and will help others to debug and find the ultimate solution.
注意:请小心,这可能允许任何AWS账户执行您的lambda函数
由于您是通过手动创建规则目标来调用函数的,因此我假设您已从CloudWatch向lambda添加了调用权限,但是当通过以下方式创建事件时,看起来源帐户ID是不同的cli / api和何时由de AWS仪表板/控制台创建
Since you got invoke the function by creating the rule target manually, I assume you added the invoke permission to the lambda from CloudWatch, however it looks like the Source Account ID is different when the event is created by cli/api and when is created by de AWS dashboard/console
如果您要在lambda中添加源帐户条件,则可以从主体 events.amazonaws.com调用权限防止任何AWS账户执行您的lambdas j
If you are adding the Source Account condition in the lambda invoke permission from principal "events.amazonaws.com" to prevent any AWS account execute your lambdas just remove it (under your responsability!).
因此,如果您的lambda政策如下所示:
So, if your lambda policy looks like this:
{
"Sid": "<sid>",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "lambda:InvokeFunction",,
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "<account-id>"
}
},
"Resource": "arn:aws:lambda:<region>:<account-id>:function:<lambda-function>"
}
删除条件字段
{
"Sid": "sid",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "lambda:InvokeFunction",,
"Resource": "arn:aws:lambda:<region>:<account-id>:function:<lambda-function>"
}
也许它将为您工作。
我认为当cli / api创建事件时,cloudwatch事件所有者/创建者数据正在发生一些奇怪的事情……也许是错误?不确定。我会继续努力
I think something weird it is happening with the cloudwatch event owner/creator data when the event is created by cli/api... maybe a bug? Not sure. I will keep working on it
这篇关于Ansible Cloudwatch规则报告调用失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!