amazon-web-services - S3 通知配置 - 无法验证目标配置

Question

我正在尝试设置一个 S3 存储桶，该存储桶会在创建新对象时通知 Lambda 函数。

下面的堆栈工作正常，但我想按照最佳实践将 SourceArn 添加到 Lambda 权限。

有一些关于此的文献建议通过字符串而不是 Fn::GetAtt/Arn -

https://aws.amazon.com/premiumsupport/knowledge-center/unable-validate-circular-dependency-cloudformation/

但是如果我取消注释相关的 SourceArn 行并重新部署，我会得到 -

Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: TBZDEVZ1HVD9EN0Q; S3 Extended Request ID: gL3CRz6UayvHup5i5oC4+/RMm0p1oRaRrPVtfZrykeAaJ1BVuhNSKkqxQ8TL5sy749d9PtbMOEQ=; Proxy: null) 

呵呵。再次查看该文章，我发现 MyBucket 需要依赖于 MyBucketFunctionPermission - 但如果我取消注释并重新部署，我现在得到 -

An error occurred (ValidationError) when calling the CreateChangeSet operation: Circular dependency between resources: [MyBucketFunctionPermission, MyBucket]

这是一些新鲜的 hell 圈。我是否遗漏了文章中的某些内容，或者是否有 SourceArn 格式 + DependsOn 的其他组合可以使其正常工作？

TIA。

AWSTemplateFormatVersion: '2010-09-09'
Outputs: {}
Parameters: {}
Resources:
  MyBucket:
    #  DependsOn:
    #  - MyBucketFunctionPermission
    Properties:
      NotificationConfiguration:
        LambdaConfigurations:
        - Event: s3:ObjectCreated:*
          Function:
            Fn::GetAtt:
            - MyBucketFunction
            - Arn
    Type: AWS::S3::Bucket
  MyBucketFunction:
    Properties:
      Code:
        ZipFile: "def handler(event, context):\n  print (event)"
      Handler: index.handler
      Role:
        Fn::GetAtt:
        - MyBucketRole
        - Arn
      Runtime: "python3.8"
    Type: AWS::Lambda::Function
  MyBucketFunctionPermission:
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Ref: MyBucketFunction
      Principal: s3.amazonaws.com
      #  SourceArn:
      #    Fn::Sub: arn:aws:s3:::${MyBucket}
    Type: AWS::Lambda::Permission
  MyBucketRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
        Version: '2012-10-17'
      Policies:
      - PolicyDocument:
          Statement:
          - Action: logs:*
            Effect: Allow
            Resource: '*'
          Version: '2012-10-17'
        PolicyName:
          Fn::Sub: my-bucket-role-policy-1234567890
    Type: AWS::IAM::Role

Answer 1

您的模板看起来没有任何问题。它工作得很好，至少对我来说。但 MyBucket 和 MyBucketFunctionPermission 之间可能存在竞争条件。因此，为了防止这种情况，您必须使用DependsOn。但要使其发挥作用，您必须显式设置您的存储桶名称。例如:

AWSTemplateFormatVersion: '2010-09-09'
Outputs: {}
Parameters: {}
Resources:
  MyBucket:
    DependsOn:
     - MyBucketFunctionPermission
    Properties:
      BucketName: !Sub "my-bucket-323323-${AWS::StackName}-${AWS::Region}"
      NotificationConfiguration:
        LambdaConfigurations:
        - Event: s3:ObjectCreated:*
          Function:
            Fn::GetAtt:
            - MyBucketFunction
            - Arn
    Type: AWS::S3::Bucket
  MyBucketFunction:
    Properties:
      Code:
        ZipFile: "def handler(event, context):\n  print (event)"
      Handler: index.handler
      Role:
        Fn::GetAtt:
        - MyBucketRole
        - Arn
      Runtime: "python3.8"
    Type: AWS::Lambda::Function
  MyBucketFunctionPermission:
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Ref: MyBucketFunction
      Principal: s3.amazonaws.com
      SourceArn: !Sub "arn:aws:s3:::my-bucket-323323-${AWS::StackName}-${AWS::Region}"
    Type: AWS::Lambda::Permission
  MyBucketRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
        Version: '2012-10-17'
      Policies:
      - PolicyDocument:
          Statement:
          - Action: logs:*
            Effect: Allow
            Resource: '*'
          Version: '2012-10-17'
        PolicyName:
          Fn::Sub: my-bucket-role-policy-1234567890
    Type: AWS::IAM::Role