问题描述
我正在使用 terraform 创建队列,同时还创建 Cloudwatch 事件规则并将其中一个队列设置为规则的目标。
总而言之,我有一个队列,它是 3 个单独的 cloudwatch 事件的目标。问题是,即使 cloudwatch 事件规则是相同的,当通过 terraform 创建时,只有其中一个可以工作,其他人最终在控制台中调用失败,没有日志或任何类型的可调试信息。如果自定义事件是从 aws 控制台创建的,则一切正常。
在terraform中创建队列
resource "aws_sqs_queue" "queue_cron" {
name = "cron"
visibility_timeout_seconds = 300 # 5 minutes
delay_seconds = 0
message_retention_seconds = 1800 # 30 minutes
receive_wait_time_seconds = 20
}
唯一的工作块
resource "aws_cloudwatch_event_rule" "eve_vendors_bot_sync" {
name = "vendors-bot-sync"
schedule_expression = "rate(1 minute)"
description = "Notify cron queue for vendors bot sync"
is_enabled = true
}
resource "aws_cloudwatch_event_target" "sqs_cron_vendors_bot_sync" {
rule = aws_cloudwatch_event_rule.eve_vendors_bot_sync.name
arn = var.queue_cron_arn
target_id = "sqsCronvendorBotSync"
input_transformer {
input_template = <<EOF
{
"messageType":"cron","cronType":"vendors-bot-sync"
}
EOF
}
}
即使结构与上述相同,也不起作用。
resource "aws_cloudwatch_event_rule" "eve_restos_sync" {
name = "restos-sync"
schedule_expression = "rate(1 minute)"
description = "Notify cron queue for restos sync"
is_enabled = true
}
resource "aws_cloudwatch_event_target" "sqs_cron_restos_sync" {
rule = aws_cloudwatch_event_rule.eve_restos_sync.name
arn = var.queue_cron_arn
target_id = "sqsCronRestosSync"
input_transformer {
input_template = <<EOF
{
"messageType":"cron","cronType":"restaurant-hours-open-close-management"
}
EOF
}
}
类似上面那个,不起作用
resource "aws_cloudwatch_event_rule" "eve_vendors_orders_sync" {
name = "vendors-orders-sync"
schedule_expression = "rate(1 minute)"
description = "Notify cron queue for vendors orders sync"
is_enabled = true
}
resource "aws_cloudwatch_event_target" "target_cron_vendors_sync" {
rule = aws_cloudwatch_event_rule.eve_vendors_orders_sync.name
arn = var.queue_cron_arn
target_id = "sqsCronvendorsOrderSync"
input_transformer {
input_template = <<EOF
{
"messageType":"cron","cronType":"vendors-orders-sync"
}
EOF
}
}
答案
@marchin 正确指出的拼图中缺失的部分确实是阻止 cloudwatch 向 SQS 发送消息的策略。 这是使其正常工作的更新配置。
- 创建队列
- 创建一个策略,允许 cloudwatch 能够向队列发送消息
- 将策略附加到队列
resource "aws_sqs_queue" "queue_cron" {
name = "cron"
visibility_timeout_seconds = 300 # 5 minutes
delay_seconds = 0
message_retention_seconds = 1800 # 30 minutes
receive_wait_time_seconds = 20
}
data "aws_iam_policy_document" "policy_sqs" {
statement {
sid = "AWSEvents_"
effect = "Allow"
actions = [
"sqs:SendMessage",]
principals {
type = "Service"
identifiers = ["events.amazonaws.com"]
}
resources = [aws_sqs_queue.queue_cron.arn]
}
}
resource "aws_sqs_queue_policy" "cron_sqs_policy" {
queue_url = aws_sqs_queue.queue_cron.id
policy = data.aws_iam_policy_document.policy_sqs.json
}
解决方法
我认为您对 SQS 队列的权限缺失或不正确。假设您在 terraform 中创建 firebase
.firestore()
.collection('projects') // Collection
.doc(project.id) // ID string
.delete() // Promise
(问题中未显示),队列及其允许 CW 事件向其发送消息的策略将是:
queue_cron