
Terraform/Lambda/IAM to stop EC2 instances based on tags

Stack Overflow user
Asked on 2021-02-11 16:44:56
Answers 1 Views 568 Followers 0 Votes 0

This is the resource for anyone trying to test it: https://cloudywithachanceofbigdata.com/really-simple-terraform-infrastructure-automation-using-aws-lambda/

My tf script creates:

  • an IAM role and associated policy
  • a Lambda function
  • a CloudWatch event rule and trigger

My Terraform version:

Terraform v0.13.4

My main.tf is as follows:

#
# Module Provider
#

provider "aws" {
    region = "us-west-1"
    shared_credentials_file = "~/.aws/credentials"
    profile                 = "default"
}

#
# Create IAM Role and Policy for Lambda Function
#

resource "aws_iam_role" "lambda_stop_ec2" {
  name = "lambda_stop_ec2"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "lamdba_ec2_shutdown_policy" {
  name = "lamdba_ec2_shutdown_policy"
  role = "${aws_iam_role.lambda_stop_ec2.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Stop*",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

#
# Create ZIP Archive for Function Source Code
#

data "archive_file" "lambda_stop_ec2_zip" {
  type = "zip"
  output_path = "/home/test/scheduler/repo/simple-lambda-ec2-scheduler/lambda_stop_ec2_zip"
  source_dir = "/home/test/scheduler/repo/simple-lambda-ec2-scheduler/function_source_code/"
}

#
# Create Lambda Function
#
 
resource "aws_lambda_function" "lambda_stop_ec2" {
  filename = "lambda_stop_ec2_zip"
  function_name    = "lambda_stop_ec2"
  timeout          = 10  
  role             = "${aws_iam_role.lambda_stop_ec2.arn}"
  handler          = "lambda_stop_ec2.lambda_handler"
  runtime          = "python3.8"
}

#
# Create CloudWatch Event Rule
#

resource "aws_cloudwatch_event_rule" "stop_ec2_event_rule" {
  name        = "stop-ec2-event-rule"
  description = "Stop running EC2 instance at a specified time each day"
  schedule_expression = "${var.schedule_expression}"
}

#
# Create CloudWatch Event Target
#

resource "aws_cloudwatch_event_target" "stop_ec2_event_rule_target" {
  rule      = "${aws_cloudwatch_event_rule.stop_ec2_event_rule.name}"
  target_id = "TriggerLambdaFunction"
  arn       = "${aws_lambda_function.lambda_stop_ec2.arn}"
  input     = "{\"name\":\"${var.name}\"}"
}

#
# Add Lamdba Permission
#

resource "aws_lambda_permission" "allow_cloudwatch" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.lambda_stop_ec2.function_name}"
  principal     = "events.amazonaws.com"
  source_arn    = "${aws_cloudwatch_event_rule.stop_ec2_event_rule.arn}"
}

My terraform.tfvars:

schedule_expression = "cron(0 17 * * ? *)"
name = "instanceScheduler"

My variables.tf:

variable "schedule_expression" {}
variable "name" {}

My function_source_code/lambda_stop_ec2.py:

import boto3

region = 'us-west-1'


def lambda_handler(event, context):
    # The CloudWatch event target passes {"name": "<tag value>"} as the input.
    name = event["name"]
    print("stopping all instances with the Name tag %s" % (name))
    ec2 = boto3.client('ec2', region_name=region)
    # Only instances whose Name tag matches the requested value are considered.
    response = ec2.describe_instances(
        Filters=[
            {
                'Name': 'tag:Name',
                'Values': [name]
            }
        ]
    )
    for reservation in response["Reservations"]:
        for instance in reservation["Instances"]:
            print("instance [%s] is in [%s] state" % (instance["InstanceId"], instance["State"]["Name"]))
            # Stop only instances that are currently running; skip stopped/pending ones.
            if instance["State"]["Name"] == "running":
                print("stopping instance [%s]" % (instance["InstanceId"]))
                ec2.stop_instances(InstanceIds=[instance["InstanceId"]])
                print("instance [%s] stopped" % (instance["InstanceId"]))

My run commands:

terraform init
terraform apply

What I get:

Plan: 6 to add, 0 to change, 0 to destroy.


Warning: Interpolation-only expressions are deprecated

  on main.tf line 38, in resource "aws_iam_role_policy" "lamdba_ec2_shutdown_policy":
  38:   role = "${aws_iam_role.lambda_stop_ec2.id}"

Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and 6 more similar warnings elsewhere)

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_cloudwatch_event_rule.stop_ec2_event_rule: Creating...
aws_iam_role.lambda_stop_ec2: Creating...
aws_iam_role.lambda_stop_ec2: Creation complete after 1s [id=lambda_stop_ec2]
aws_iam_role_policy.lamdba_ec2_shutdown_policy: Creating...
aws_lambda_function.lambda_stop_ec2: Creating...
aws_cloudwatch_event_rule.stop_ec2_event_rule: Creation complete after 2s [id=stop-ec2-event-rule]
aws_lambda_function.lambda_stop_ec2: Still creating... [10s elapsed]
aws_lambda_function.lambda_stop_ec2: Creation complete after 16s [id=lambda_stop_ec2]
aws_lambda_permission.allow_cloudwatch: Creating...
aws_cloudwatch_event_target.stop_ec2_event_rule_target: Creating...
aws_lambda_permission.allow_cloudwatch: Creation complete after 1s [id=AllowExecutionFromCloudWatch]
aws_cloudwatch_event_target.stop_ec2_event_rule_target: Creation complete after 1s [id=stop-ec2-event-rule-TriggerLambdaFunction]

Error: Error putting IAM role policy lamdba_ec2_shutdown_policy: MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:logs:*:*:*".
        status code: 400, request id: b2e4b11e-da82-4b1d-b482-8cc2a3afd242

Help!!


1 Answer

Stack Overflow user

Accepted answer

Posted on 2021-02-11 17:48:07

In the policy example shown at https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html

the resource is "arn:aws:logs:*:*:*"

Note the three asterisks. I tested your policy in the IAM Policy Simulator (https://policysim.aws.amazon.com/) and it is invalid because of the missing asterisks.

Full policy sample:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}
Votes 1
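The failure above only surfaced during `terraform apply`, after the role, rule and function had already been created. As an added example (not code from the question, the answer or the linked blog post), the check below validates the ARN shape of every Resource in a policy document before it is applied, using the question's own statements as constructed input; the corrected variant also narrows `ec2:Stop*` to `ec2:StopInstances` on instances carrying the matching Name tag, which is my suggestion and not part of the page.

```python
import re

# A valid ARN has six colon-separated parts: arn:partition:service:region:account:resource
# (region and account may be empty or "*"; the resource part may itself contain colons).
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_policy(policy):
    """Return findings for an IAM policy dict; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = as_list(stmt["Resource"])
        for res in resources:
            # The question's "arn:aws:logs:*" has only three parts; IAM rejects it.
            if res != "*" and not ARN_RE.match(res):
                findings.append(f"statement {i}: malformed ARN {res!r}")
        # Least-privilege check: an action glob such as ec2:Stop* on Resource "*"
        # with no Condition lets the function stop any instance in the account.
        if "*" in resources and "Condition" not in stmt:
            for act in as_list(stmt["Action"]):
                if act.endswith("*"):
                    findings.append(f"statement {i}: unconditioned action glob {act!r} on '*'")
    return findings

# Constructed input: the two statements from the question's main.tf ...
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "arn:aws:logs:*",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Stop*", "ec2:DescribeInstances"]},
    ],
}

# ... and a corrected version: the answer's six-part logs ARN, plus (my suggestion, not
# from the page) ec2:StopInstances limited to instances whose Name tag matches the
# value the function is invoked with; DescribeInstances has no resource-level scope.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "arn:aws:logs:*:*:*",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:DescribeInstances"},
        {"Effect": "Allow", "Resource": "arn:aws:ec2:us-west-1:*:instance/*",
         "Action": "ec2:StopInstances",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Name": "instanceScheduler"}}},
    ],
}
```

Running `check_policy(QUESTION_POLICY)` reports the malformed logs ARN and the unconditioned `ec2:Stop*` glob, while `check_policy(FIXED_POLICY)` returns an empty list.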
The original page content is provided by Stack Overflow. Translation supported by Tencent Cloud's IT-domain translation engine.
Original link:

https://stackoverflow.com/questions/66158985
