我正在修改一个有效的CDK管道。我正在添加一个lambda,当进行此代码修改时,管道将失败并出现错误。
import * as cdk from '@aws-cdk/core';
import * as lambda from '@aws-cdk/aws-lambda';
import * as path from 'path';
import { Rule, Schedule } from '@aws-cdk/aws-events';
import { LambdaFunction } from '@aws-cdk/aws-events-targets';
import { Secret } from '@aws-cdk/aws-secretsmanager';
import { Effect, Policy, PolicyStatement } from '@aws-cdk/aws-iam';
interface LambdaStackProps extends cdk.StackProps {
logzioToken: string;
}
export class Lambda extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props: LambdaStackProps) {
super(scope, id, props);
const logzioSecret = Secret.fromSecretAttributes(this, 'sv-logzioToken', {
secretPartialArn: props.logzioToken,
});
// Here is the func itself
const func = new lambda.Function(this, 'sv-http-cache-clear-lambda', {
runtime: lambda.Runtime.NODEJS_14_X,
handler: 'index.handler',
// The "build" folder requires `yarn build` to have been run in the lambda folder
code: lambda.Code.fromAsset(path.join(__dirname, '../../lambdas/HttpCacheClear/build')),
environment: {
LOGZIO_TOKEN: logzioSecret.secretValueFromJson('logzioToken').toString(),
},
});
// Here are the Dynamo permissions I think we need
const policyStatement = new PolicyStatement({
actions: ['dynamodb:GetItem', 'dynamodb:Query', 'dynamodb:Scan', 'dynamodb:DeleteItem'],
effect: Effect.ALLOW,
resources: ['*'],
});
const policy = new Policy(this, 'sv-http-cache-clear-policy', {
statements: [policyStatement],
});
func.role?.attachInlinePolicy(policy);
new Rule(this, 'sv-http-cache-clear-schedule-rule', {
description: 'Schedule a Lambda that regularly clears the cache',
schedule: Schedule.cron({
year: '*',
month: '*',
day: '*',
hour: '1',
minute: '0',
}),
targets: [new LambdaFunction(func)],
});
}
}
这在CDK中从这里实例化:
#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from '@aws-cdk/core';
import { AppStack } from '../lib/app-stack';
import { ECR } from '../lib/ecr';
import { Lambda } from '../lib/lambda';
import { getConfig } from '../lib/config';
const app = new cdk.App();
// Stateful infra
const { repository } = new ECR(app, 'sv-ecr-stack');
// Get app config
const environment = process.env.ENVIRONMENT || '';
const { certificateArn, domainName, sIdProgramId, logzioToken, optimizelyUrl } = getConfig(environment);
new AppStack(app, 'sv-stack', {
repository,
domainName,
certificateArn,
sIdProgramId,
logzioToken,
optimizelyUrl,
environment,
});
const lambda = new Lambda(app, 'sv-http-scheduled-cache-clear', {
logzioToken,
});
为了简洁起见,我没有在这篇文章中添加AppStack。
最后,我有一组相当简单的NPM依赖项:
{
"name": "cdk",
"version": "0.1.0",
"bin": {
"cdk": "bin/cdk.js"
},
"scripts": {
"build": "tsc",
"watch": "tsc -w",
"cdk": "cdk",
"synth": "cdk synth -q",
"deploy": "cdk deploy --all --progress=events --require-approval=never"
},
"devDependencies": {
"@aws-cdk/assert": "^1.100.0",
"@aws-cdk/aws-certificatemanager": "^1.100.0",
"@aws-cdk/aws-ec2": "^1.100.0",
"@aws-cdk/aws-ecr": "^1.100.0",
"@aws-cdk/aws-ecs": "^1.100.0",
"@aws-cdk/aws-ecs-patterns": "^1.100.0",
"@aws-cdk/aws-iam": "^1.100.0",
"@aws-cdk/aws-route53": "^1.100.0",
"@types/node": "10.17.27",
"aws-cdk": "^1.100.0",
"ts-node": "^9.0.0",
"typescript": "~3.9.7"
},
"dependencies": {
"@aws-cdk/core": "^1.100.0",
"source-map-support": "^0.5.16"
}
}
如果我在本地运行npm run synth,那么它会运行synth命令,并成功。我的编辑器中没有TypeScript错误。
以下是cdk deploy错误:
export AWS_ACCESS_KEY_ID=$DEV_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=$DEV_SECRET_ACCESS_KEY
export ENVIRONMENT=dev
cd cdk
npm install
npm run deploy
npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
npm WARN cdk@0.1.0 No repository field.
npm WARN cdk@0.1.0 No license field.
added 1363 packages from 232 contributors and audited 1366 packages in 19.228s
18 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
> cdk@0.1.0 deploy /home/circleci/project/cdk
> cdk deploy --all --progress=events --require-approval=never
sv-ecr-stack
sv-ecr-stack: deploying...
✅ sv-ecr-stack (no changes)
Outputs:
sv-ecr-stack.ExportsOutputFnGetAttsvrepositoryXXX = arn:aws:ecr:*********:067685711111:repository/student-validation-app
sv-ecr-stack.ExportsOutputRefsvrepositoryXXX = student-validation-app
Stack ARN:
arn:aws:cloudformation:*********:067685711111:stack/sv-ecr-stack/aabbccddeeffgghhiijjkk
sv-http-scheduled-cache-clear
sv-http-scheduled-cache-clear: deploying...
[0%] start: Publishing abcdefghijklmnop:current
[100%] fail: Bucket named 'cdktoolkit-stagingbucket-7k57fjeur592' exists, but not in account 067685711111. Wrong account?
❌ sv-http-scheduled-cache-clear failed: Error: Failed to publish one or more assets. See the error messages above for more information.
at Object.publishAssets (/home/circleci/project/cdk/node_modules/aws-cdk/lib/util/asset-publishing.ts:25:11)
at Object.deployStack (/home/circleci/project/cdk/node_modules/aws-cdk/lib/api/deploy-stack.ts:235:3)
at CdkToolkit.deploy (/home/circleci/project/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:180:24)
at initCommandLine (/home/circleci/project/cdk/node_modules/aws-cdk/bin/cdk.ts:208:9)
***************************************************
*** Newer version of CDK is available [1.110.0] ***
*** Upgrade recommended ***
***************************************************
Failed to publish one or more assets. See the error messages above for more information.
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! cdk@0.1.0 deploy: `cdk deploy --all --progress=events --require-approval=never`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the cdk@0.1.0 deploy script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! /home/circleci/.npm/_logs/2021-06-25T13_34_37_706Z-debug.log
Exited with code exit status 1
一点研究表明CDK使用S3来创建";分段桶";,我假设这就是CCD_ 4(它不是我明确创建的工件(。
我需要远程/显式或本地/手动创建这个bucket吗?
更新
我发现了这个错误报告,它表明错误消息很糟糕——它需要S3访问,但消息并没有说明这一点。我已经为CI/CD用户找到了这个策略文件,我想知道是否需要确定添加什么策略来允许S3的使用。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "StmtXXXYYYZZZ4501",
"Action": [
"cloudformation:*",
"ec2:*",
"ecs:*",
"ecr:*",
"application-autoscaling:*",
"elasticloadbalancing:*",
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:TagRole",
"iam:UpdateRole",
"iam:GetRolePolicy",
"iam:DeleteRolePolicy",
"iam:PutRolePolicy",
"iam:PassRole",
"logs:*",
"route53:*",
"secretsmanager:*",
"sts:*",
"dynamodb:*",
],
"Effect": "Allow",
"Resource": "*"
}
]
}
错误消息具有误导性。如果您可以访问多个帐户,S3 bucket很可能存在于另一个帐户中——这是因为它是CDK用来打包和部署lambdas的自动生成的bucket。我认为它在所有AWS帐户中都是相同的名称。
简单的解决方案是将"s3:*"添加到针对"*"资源的允许操作中。但是,我决定添加一个新的Policy,这样资源规范就更加严格了。在我的案例中,这意味着添加一个具有不同资源规范的新子句:
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*"
}
看起来你不必显式地创建这个bucket——CDK会为你做这件事。还可以看出;Sid";不是必填字段。
在我的情况下,添加此策略会显示我缺少了多少其他权限,但至少这些权限的错误消息更明智!
触发该错误的操作是s3:GetBucketLocation。只提供CDK所需的最低权限的策略是:
{
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
"Effect": "Allow"
}