如何解决如何使用CloudFormation或CDK将另一个AWS账户的事件总线指定为EventBridge规则的目标? 1 Acc2-EventBusPolicy 2 Acc1-CW的Iam角色 3 Acc1-CW事件规则,将事件依赖于Acc2的总线
如何使用CloudFormation或CDK将另一个AES帐户事件总线指定为CloudWatch规则的目标?
这是使用CDK的示例规则,在该示例中,我尝试将CodeDeploy事件发送到另一个帐户:
Rule codedeployCreateDeploymentEventRule = Rule.Builder.create(this,"CodedeployCreateDeploymentEventRule")
.description("CloudWatch event rule covering CodeDeploy CreateDeployment notifications.")
.ruleName("MyRule")
.enabled(true)
.targets(List.of(...something here...))
.eventPattern(EventPattern.builder()
.source(List.of("aws.codedeploy"))
.detail(Map.of("eventName",List.of("CreateDeployment")))
.build())
.build();
如何将另一个帐户的EventBus指定为目标?语法是什么-是ARN还是什么?
解决方法
要将CW事件从Acc1中继到CloudFormation中的Acc2,需要三件事:
1。 Acc2-EventBusPolicy
AWS::Events::EventBusPolicy,允许Acc1提交事件。例如:
MyEventBusPolicy:
Type: AWS::Events::EventBusPolicy
Properties:
Action: events:PutEvents
EventBusName: default
Principal: 2234322123 # Account1 Id
StatementId: AcceptEventsFromAcc1
2。 Acc1-CW的Iam角色
IAM角色,允许Acc1中的CW事件将事件发布到Acc2。示例:
MyCWEventsRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: [events.amazonaws.com]
Action: ["sts:AssumeRole"]
Description: Role for CW event to be able to publish events to acc2
Policies:
- PolicyName: MyEventPolicy
PolicyDocument: !Sub |
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": [
"events:PutEvents"
],"Resource": [
"arn:aws:events:${RegionId}:${AccountId}:event-bus/default"
]
}
]
}
其中AccountId
和RegionId
是Acc2值,而不是Acc1。
3。 Acc1-CW事件规则,将事件依赖于Acc2的总线
它将使用步骤2中的IAM角色。例如,依赖CodeCommits事件(我之前进行过设置,因此我知道它可以工作):
MyRule:
Type: AWS::Events::Rule
Properties:
Description: Monitor master branch of our repo and rely to Acc2
EventPattern: !Sub |
{
"source": [
"aws.codecommit"
],"detail-type": [
"CodeCommit Repository State Change"
],"resources": [
"${GitRepoArn}"
],"detail": {
"event": [
"referenceCreated","referenceUpdated"
],"referenceType": [
"branch"
],"referenceName": [
"master"
]
}
}
State: ENABLED
Targets:
- Arn: !Sub "arn:aws:events:${RegionId}:${AccountId}:event-bus/default"
Id: MyEventToAcc2
RoleArn: !GetAtt MyCWEventsRole.Arn
其中AccountId
和RegionId
是Acc2值,而不是Acc1。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。