EventBridge目标角色ARN是目标所必需的。


我正在使用Terraform 1.3.5,这个模块之前一直运行得很好,直到我重命名了这个模块。现在我遇到了这个错误:

Error: creating EventBridge Target (cleanup-terraform-20221130175229684800000001): ValidationException: RoleArn is required for target arn:aws:events:us-east-1:123456789012:api-destination/services-destination/c187090f-268b-4d9b-b09d-f9b077e0c0cf.
│       status code: 400, request id: 63dc6425-2a94-4f66-b7c2-106b0607d964
│
│   with module.a-eventbridge-trigger.aws_cloudwatch_event_target.api_destination,
│   on ..\a-eventbridge-trigger\main.tf line 61, in resource "aws_cloudwatch_event_target" "api_destination":
│   61: resource "aws_cloudwatch_event_target" "api_destination" {

以下是该模块中 main.tf 的完整内容:

# OAuth client-credentials connection used by the API destination below.
# Client id and secret come from var.secretContent; every value that
# touches them is flagged with is_value_secret so EventBridge treats it
# as a secret rather than a plain parameter.
resource "aws_cloudwatch_event_connection" "auth" {
  authorization_type = "OAUTH_CLIENT_CREDENTIALS"
  description        = "Gets oauth bearer token"
  name               = "services-token"

  auth_parameters {
    oauth {
      http_method            = "POST"
      authorization_endpoint = "${var.vars.apiBaseUrl}${var.vars.auth}"

      client_parameters {
        client_secret = var.secretContent.Client_Secret
        client_id     = var.secretContent.Client_Id
      }

      # The token request body repeats the credentials as form fields
      # (grant_type first, then client_id and client_secret). The list
      # keeps the original order; each entry is marked secret.
      oauth_http_parameters {
        dynamic "body" {
          for_each = [
            { key = "grant_type", value = "client_credentials" },
            { key = "client_id", value = var.secretContent.Client_Id },
            { key = "client_secret", value = var.secretContent.Client_Secret },
          ]
          content {
            key             = body.value.key
            value           = body.value.value
            is_value_secret = true
          }
        }
      }
    }
  }
}

# HTTP API destination the schedule invokes; authentication is delegated to
# the connection above. EventBridge throttles calls to 20 per second.
resource "aws_cloudwatch_event_api_destination" "request" {
  connection_arn                   = aws_cloudwatch_event_connection.auth.arn
  invocation_rate_limit_per_second = 20
  http_method                      = "POST"
  invocation_endpoint              = "${var.vars.apiBaseUrl}${var.vars.endpoint}"
  description                      = "Requests clean up"
  name                             = "services-destination"
}

# Schedule rule: fires once a day at 00:00 UTC (EventBridge cron fields are
# evaluated in UTC). The name is prefixed with var.name so it is per-instance.
resource "aws_cloudwatch_event_rule" "every_midnight" {
  is_enabled          = true
  schedule_expression = "cron(0 0 * * ? *)"
  description         = "Fires on every day at midnight of UTC+0"
  name                = "${var.name}-services-cleanup"
}

# tells the scheduler to call the api destination
# NOTE(review): this is the block the ValidationException above points at.
# An api-destination target also needs role_arn ("RoleArn is required for
# target ..."): a role that trusts events.amazonaws.com and is allowed
# events:InvokeApiDestination on this destination. Without it the target
# cannot be created.
resource "aws_cloudwatch_event_target" "api_destination" {
  rule                = aws_cloudwatch_event_rule.every_midnight.name
  arn                 = aws_cloudwatch_event_api_destination.request.arn
}

而且从根模块调用该模块的方式如下:

# Root-module call. name feeds the rule-name prefix inside the module;
# secretContent carries the OAuth client credentials (var.secrets).
module "a-eventbridge-trigger" {
  source = "../a-eventbridge-trigger"

  secretContent = var.secrets
  vars          = var.vars
  resourceTags  = local.commonTags
  name          = local.prefixName
}

这里是 providers.tf 文件:

# Provider is pinned to an exact version, so upgrades are deliberate.
# The S3 backend block is empty: its settings are supplied at `terraform init`
# (partial backend configuration).
terraform {
  backend "s3" {}

  required_providers {
    aws = {
      version = "4.43.0"
      source  = "hashicorp/aws"
    }
  }
}

我错过了什么,为什么它会突然停止工作?

我已经运行了完整的destroy和新的apply,但我仍然遇到这个问题。


目的地是什么?API网关还是自定义API?不确定为什么会发生这种情况。您使用的是哪个提供程序版本? - Marko E
AWS提供商。API目的地。自定义URL。 - Matt W
我知道这是AWS提供商。我在询问提供商的版本。 - Marko E
hashicorp/aws v4.41.0 - Matt W
我对这些服务了解不够,也没有发现任何错误,但或许可以尝试更新到提供者的最新版本。如果这样还不行,可以在 GitHub 上提交一个 bug。 - Marko E
我将提供程序版本从4.41.0升级到4.43.0 - apply输出没有任何变化。 - Matt W
1个回答


我最近遇到了类似的情况,以下是我解决它的方法。


# Trust policy for the execution role: only the EventBridge service principal
# may assume it.
# NOTE(review): consider adding an aws:SourceArn / aws:SourceAccount condition
# scoped to the rule so another account's EventBridge rule cannot assume this
# role (confused-deputy guard) — confirm the exact condition keys against the
# EventBridge documentation before adding.
data "aws_iam_policy_document" "assume_role" {
  statement {
    principals {
      identifiers = ["events.amazonaws.com"]
      type        = "Service"
    }

    actions = ["sts:AssumeRole"]
    effect  = "Allow"
  }
}

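# Permission policy for the EventBridge execution role: it may invoke only the
# API destination declared in this module.
#
# The Resource entry references the destination's own ARN instead of a
# hand-edited "arn:aws:events:YOUR_REGION:YOUR_ACCOUNT_ID:..." placeholder.
# That removes a copy/paste step that is easy to get wrong and keeps the grant
# at least privilege: the real ARN already carries the destination's unique
# suffix (see the ARN in the error message), so no trailing wildcard is needed.
#
# NOTE: the policy name is fixed; a second instance of this module in the same
# account would collide on it (name_prefix or var.name would avoid that).
resource "aws_iam_policy" "invoke_api_policy" {
  name        = "invoke-api-policy"
  path        = "/"
  description = "Allows invocation of target http api"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "InvokeApiDestination"
        Effect   = "Allow"
        Action   = ["events:InvokeApiDestination"]
        Resource = [aws_cloudwatch_event_api_destination.request.arn]
      },
    ]
  })
}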

# Execution role that EventBridge assumes when it calls the API destination;
# its trust policy is the document above, its permissions come from the
# attachment below.
# NOTE(review): the role name is fixed, so two instances of this module in
# one account would collide on it; name_prefix (or var.name) avoids that.
resource "aws_iam_role" "api_dest_role" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name               = "ApiDestinationRole"
}

# Attach the managed invoke policy to the execution role. For aws_iam_role the
# id attribute is the role name, so referencing .name is equivalent.
resource "aws_iam_role_policy_attachment" "invoke_api" {
  policy_arn = aws_iam_policy.invoke_api_policy.arn
  role       = aws_iam_role.api_dest_role.name
}

# Target: when the rule fires, EventBridge assumes role_arn and invokes the
# API destination. role_arn is mandatory for api-destination targets — leaving
# it out is what produces "RoleArn is required for target" at create time.
resource "aws_cloudwatch_event_target" "api_destination" {
  role_arn = aws_iam_role.api_dest_role.arn
  arn      = aws_cloudwatch_event_api_destination.request.arn
  rule     = aws_cloudwatch_event_rule.every_midnight.name
}
