為 Amazon S3 來源 (AWS CloudFormation 範本) 建立 EventBridge 規則 - AWS CodePipeline

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

為 Amazon S3 來源 (AWS CloudFormation 範本) 建立 EventBridge 規則

若要用 AWS CloudFormation 來建立規則,請更新範本,如下所示。

使用 Amazon S3 做為事件來源和目標建立 EventBridge 規則 CodePipeline ,並套用許可政策
  1. 在範本中的下Resources,使用AWS::IAM::Role AWS CloudFormation 資源來配置允許事件啟動管道的IAM角色。此項目會建立一個使用兩個政策的角色:

    • 第一個政策允許要承擔的角色。

    • 第二個政策提供啟動管道的許可。

    為什麼我會做出此變更? 新增AWS::IAM::Role資源可 AWS CloudFormation 建立的權限 EventBridge。此資源會新增至您的 AWS CloudFormation 堆疊。

    YAML
    EventRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: eb-pipeline-execution PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: codepipeline:StartPipelineExecution Resource: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ] ...
    JSON
    "EventRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "events.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }, "Path": "/", "Policies": [ { "PolicyName": "eb-pipeline-execution", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codepipeline:StartPipelineExecution", "Resource": { "Fn::Join": [ "", [ "arn:aws:codepipeline:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "AppPipeline" } ] ] ...
  2. 使用AWS::Events::Rule AWS CloudFormation 資源新增 EventBridge 規則。此事件模式會在您的 Amazon S3 來源儲存貯體CompleteMultipartUpload上建立監控CopyObject事件。PutObject此外,會包含您管道的目標。當 CopyObjectPutObjectCompleteMultipartUpload 發生時,此規則會在目標管道上呼叫 StartPipelineExecution

    為什麼我會做出此變更? 新增資AWS::Events::Rule源可 AWS CloudFormation 建立事件。此資源會新增至您的 AWS CloudFormation 堆疊。

    YAML
    EventRule: Type: AWS::Events::Rule Properties: EventPattern: source: - aws.s3 detail-type: - 'AWS API Call via CloudTrail' detail: eventSource: - s3.amazonaws.com eventName: - CopyObject - PutObject - CompleteMultipartUpload requestParameters: bucketName: - !Ref SourceBucket key: - !Ref SourceObjectKey Targets: - Arn: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ] RoleArn: !GetAtt EventRole.Arn Id: codepipeline-AppPipeline ...
    JSON
    "EventRule": { "Type": "AWS::Events::Rule", "Properties": { "EventPattern": { "source": [ "aws.s3" ], "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "s3.amazonaws.com" ], "eventName": [ "CopyObject", "PutObject", "CompleteMultipartUpload" ], "requestParameters": { "bucketName": [ { "Ref": "SourceBucket" } ], "key": [ { "Ref": "SourceObjectKey" } ] } } }, "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:aws:codepipeline:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "AppPipeline" } ] ] }, "RoleArn": { "Fn::GetAtt": [ "EventRole", "Arn" ] }, "Id": "codepipeline-AppPipeline" } ] } } }, ...
  3. 將此片段新增到您的第一個範本,以允許跨堆疊功能:

    YAML
    Outputs: SourceBucketARN: Description: "S3 bucket ARN that Cloudtrail will use" Value: !GetAtt SourceBucket.Arn Export: Name: SourceBucketARN
    JSON
    "Outputs" : { "SourceBucketARN" : { "Description" : "S3 bucket ARN that Cloudtrail will use", "Value" : { "Fn::GetAtt": ["SourceBucket", "Arn"] }, "Export" : { "Name" : "SourceBucketARN" } } ...
  4. 將更新的範本儲存到本機電腦,然後開啟主 AWS CloudFormation 控台。

  5. 選擇您的堆疊,然後選擇 Create Change Set for Current Stack (建立目前堆疊的變更集)

  6. 上傳您的更新範本,然後檢視中 AWS CloudFormation所列的變更。這些是會針對堆疊進行的變更。您應該會在清單中看到新資源。

  7. 選擇 Execute (執行)

若要編輯管線的 PollForSourceChanges參數
重要

當您使用這個方法建立管道時,如果沒有明確設為 false,則 PollForSourceChanges 參數會預設為 true。當新增基於事件的變更偵測時,您必須將該參數新增到輸出,並將其設為 false 以停用輪詢。否則,您的管道會針對單一來源變更啟動兩次。如需詳細資訊,請參閱 PollForSourceChanges 參數的有效設定

  • 在範本中,將 PollForSourceChanges 變更為 false。如果您並未在管道定義中包含 PollForSourceChanges,請新增它,並將其設為 false

    為什麼我會做出此變更?PollForSourceChanges變更為 false 會關閉定期檢查,因此您只能使用事件型變更偵測。

    YAML
    Name: Source Actions: - Name: SourceAction ActionTypeId: Category: Source Owner: AWS Version: 1 Provider: S3 OutputArtifacts: - Name: SourceOutput Configuration: S3Bucket: !Ref SourceBucket S3ObjectKey: !Ref SourceObjectKey PollForSourceChanges: false RunOrder: 1
    JSON
    { "Name": "SourceAction", "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Version": 1, "Provider": "S3" }, "OutputArtifacts": [ { "Name": "SourceOutput" } ], "Configuration": { "S3Bucket": { "Ref": "SourceBucket" }, "S3ObjectKey": { "Ref": "SourceObjectKey" }, "PollForSourceChanges": false }, "RunOrder": 1 }
若要為 Amazon S3 管道的 CloudTrail 資源建立第二個範本
  • 在單獨的範本中Resources,使用AWS::S3::BucketAWS::S3::BucketPolicy、和AWS::CloudTrail::Trail AWS CloudFormation 資源來提供簡單的值區定義和追蹤 CloudTrail。

    我為什麼要進行這項變更? 鑑於每個帳戶目前有五個 CloudTrail 追蹤的限制,必須個別建立和管理追蹤。(請參閱中的限制 AWS CloudTrail。) 不過,您可以在單一追蹤中包含多個 Amazon S3 儲存貯體,因此您可以建立一次追蹤,然後視需要為其他管道新增 Amazon S3 儲存貯體。將下列內容貼至您的第二個範例範本檔案中。

    YAML
    ################################################################################### # Prerequisites: # - S3 SourceBucket and SourceObjectKey must exist ################################################################################### Parameters: SourceObjectKey: Description: 'S3 source artifact' Type: String Default: SampleApp_Linux.zip Resources: AWSCloudTrailBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref AWSCloudTrailBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: AWSCloudTrailAclCheck Effect: Allow Principal: Service: - cloudtrail.amazonaws.com Action: s3:GetBucketAcl Resource: !GetAtt AWSCloudTrailBucket.Arn - Sid: AWSCloudTrailWrite Effect: Allow Principal: Service: - cloudtrail.amazonaws.com Action: s3:PutObject Resource: !Join [ '', [ !GetAtt AWSCloudTrailBucket.Arn, '/AWSLogs/', !Ref 'AWS::AccountId', '/*' ] ] Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control AWSCloudTrailBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain AwsCloudTrail: DependsOn: - AWSCloudTrailBucketPolicy Type: AWS::CloudTrail::Trail Properties: S3BucketName: !Ref AWSCloudTrailBucket EventSelectors: - DataResources: - Type: AWS::S3::Object Values: - !Join [ '', [ !ImportValue SourceBucketARN, '/', !Ref SourceObjectKey ] ] ReadWriteType: WriteOnly IncludeManagementEvents: false IncludeGlobalServiceEvents: true IsLogging: true IsMultiRegionTrail: true ...
    JSON
    { "Parameters": { "SourceObjectKey": { "Description": "S3 source artifact", "Type": "String", "Default": "SampleApp_Linux.zip" } }, "Resources": { "AWSCloudTrailBucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain" }, "AWSCloudTrailBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "AWSCloudTrailBucket" }, "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": { "Service": [ "cloudtrail.amazonaws.com" ] }, "Action": "s3:GetBucketAcl", "Resource": { "Fn::GetAtt": [ "AWSCloudTrailBucket", "Arn" ] } }, { "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": { "Service": [ "cloudtrail.amazonaws.com" ] }, "Action": "s3:PutObject", "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "AWSCloudTrailBucket", "Arn" ] }, "/AWSLogs/", { "Ref": "AWS::AccountId" }, "/*" ] ] }, "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] } } }, "AwsCloudTrail": { "DependsOn": [ "AWSCloudTrailBucketPolicy" ], "Type": "AWS::CloudTrail::Trail", "Properties": { "S3BucketName": { "Ref": "AWSCloudTrailBucket" }, "EventSelectors": [ { "DataResources": [ { "Type": "AWS::S3::Object", "Values": [ { "Fn::Join": [ "", [ { "Fn::ImportValue": "SourceBucketARN" }, "/", { "Ref": "SourceObjectKey" } ] ] } ] } ], "ReadWriteType": "WriteOnly", "IncludeManagementEvents": false } ], "IncludeGlobalServiceEvents": true, "IsLogging": true, "IsMultiRegionTrail": true } } } } ...