Ansible Cloudwatch rule reports failed invocations


Question


I have created an AWS lambda that works well when I test it and when I create a cron job manually through a cloudwatch rule.


It reports metrics as invocations (not failed) and also logs with details about the execution.


Then I decided to remove that manually created cloudwatch rule in order to create one with ansible.

  - name: Create lambda service.
    lambda:
      name: "{{ item.name }}"
      state: present
      zip_file: "{{ item.zip_file }}"
      runtime: 'python2.7'
      role: 'arn:aws:iam::12345678901:role/lambda_ecr_delete'
      handler: 'main.handler'
      region: 'eu-west-2'
      environment_variables: "{{ item.env_vars }}"
    with_items:
      - name: lamda_ecr_cleaner
        zip_file: assets/scripts/ecr-cleaner.zip
        env_vars:
          'DRYRUN': '0'
          'IMAGES_TO_KEEP': '20'
          'REGION': 'eu-west-2'
    register: new_lambda

  - name: Schedule a cloudwatch event.
    cloudwatchevent_rule:
      name: ecr_delete
      schedule_expression: "rate(1 day)"
      description: Delete old images in ecr repo.
      targets:
        - id: ecr_delete
          arn: "{{ item.configuration.function_arn }}"
    with_items: "{{ new_lambda.results }}"


That creates almost the exact same cloudwatch rule. The only difference I can see with the manually created one is in the targets, the lambda version / alias is set to Default when created manually while it is set to version, with a corresponding version number when created with ansible.


The cloudwatch rule created with ansible has only failed invocations.


Any idea why this is? I can't see any logs. Is there a way I can set the version to Default as well with the cloudwatchevent_rule module in ansible?

Answer


I've lost hours with this too, same error and same confusion (why isn't there a log for failed invocations?). I'm going to share my "solution"; it will solve the problem for someone, and will help others to debug and find the ultimate solution.

Note: be careful, this may allow any AWS account to execute your lambda function.


Since you got to invoke the function by creating the rule target manually, I assume you added the invoke permission to the lambda from CloudWatch; however, it looks like the Source Account ID is different when the event is created by the cli/api and when it is created by the AWS dashboard/console.


If you are adding the Source Account condition in the lambda invoke permission from principal "events.amazonaws.com" to prevent any AWS account from executing your lambdas, just remove it (under your responsibility!).


So, if your lambda policy looks like this:

{
    "Sid": "<sid>",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": "lambda:InvokeFunction",
    "Condition": {
        "StringEquals": {
            "AWS:SourceAccount": "<account-id>"
        }
    },
    "Resource": "arn:aws:lambda:<region>:<account-id>:function:<lambda-function>"
}

Remove the "Condition" field:

{
    "Sid": "sid",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:<region>:<account-id>:function:<lambda-function>"
}

"Maybe" it will work for you.


I think something weird is happening with the cloudwatch event owner/creator data when the event is created by the cli/api... maybe a bug? Not sure. I will keep working on it.
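The workaround above drops the only condition that keeps rules in other AWS accounts from invoking the function. As an added example (not code from the question or the answer), the following Python flags Lambda resource-policy statements that grant `lambda:InvokeFunction` to `events.amazonaws.com` without any `AWS:SourceAccount` or `AWS:SourceArn` condition, and builds the narrower statement that pins one rule ARN instead of the whole account. The sample policy, account id, and rule name are constructed; that scoping the permission to the rule ARN avoids the page's failed invocations is an assumption, not something the page verifies.

```python
EVENTS_PRINCIPAL = "events.amazonaws.com"
# Condition keys that pin which account or which rule may invoke the function
# (IAM condition keys are case-insensitive, so compare lower-cased).
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}


def _as_list(value):
    """IAM allows a string or a list in Principal.Service and Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def invoke_statements_for(policy, principal):
    """Allow statements that grant lambda:InvokeFunction to the given service principal."""
    found = []
    for stmt in policy.get("Statement", []):
        services = _as_list(stmt.get("Principal", {}).get("Service"))
        if (stmt.get("Effect") == "Allow" and principal in services
                and "lambda:InvokeFunction" in _as_list(stmt.get("Action"))):
            found.append(stmt)
    return found


def is_source_restricted(stmt):
    """True when some Condition block carries SourceAccount or SourceArn."""
    return any(key.lower() in SOURCE_KEYS
               for kv in stmt.get("Condition", {}).values() for key in kv)


def unrestricted_invokers(policy):
    """Sids of statements that let a CloudWatch Events rule in *any* account invoke the function."""
    return [s.get("Sid") for s in invoke_statements_for(policy, EVENTS_PRINCIPAL)
            if not is_source_restricted(s)]


def scoped_to_rule_statement(sid, region, account_id, function_name, rule_name):
    """Narrower alternative (assumption): allow events.amazonaws.com only for one rule ARN."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": EVENTS_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": f"arn:aws:lambda:{region}:{account_id}:function:{function_name}",
        "Condition": {"ArnLike": {"AWS:SourceArn": f"arn:aws:events:{region}:{account_id}:rule/{rule_name}"}},
    }


# Constructed sample: the answer's statement with the Condition removed.
POLICY_AFTER = {"Version": "2012-10-17", "Statement": [{
    "Sid": "sid", "Effect": "Allow", "Principal": {"Service": EVENTS_PRINCIPAL},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:eu-west-2:123456789012:function:lamda_ecr_cleaner"}]}
```

Running `unrestricted_invokers` over the policy returned by `aws lambda get-policy` is a quick audit for functions left open by this workaround.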
