为 Amazon S3 来源创建 EventBridge 规则(Amazon CloudFormation 模板) - Amazon CodePipeline
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

为 Amazon S3 来源创建 EventBridge 规则(Amazon CloudFormation 模板)

Amazon CloudFormation 要使用创建规则,请更新您的模板,如下所示。

创建以 Amazon S3 作为事件源和 CodePipeline 目标的 EventBridge 规则并应用权限策略
  1. 在模板下的模板中Resources,使用AWS::IAM::Role Amazon CloudFormation 资源配置允许您的活动启动管道的IAM角色。此条目将创建一个使用两个策略的角色:

    • 第一个策略允许代入角色。

    • 第二个策略提供启动管道所需的权限。

    我为何做出此更改? 添加AWS::IAM::Role资源可以 Amazon CloudFormation 为创建权限 EventBridge。此资源已添加到您的 Amazon CloudFormation 堆栈中。

    YAML
    EventRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: eb-pipeline-execution PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: codepipeline:StartPipelineExecution Resource: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ] ...
    JSON
    "EventRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "events.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }, "Path": "/", "Policies": [ { "PolicyName": "eb-pipeline-execution", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codepipeline:StartPipelineExecution", "Resource": { "Fn::Join": [ "", [ "arn:aws:codepipeline:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "AppPipeline" } ] ] ...
  2. 使用AWS::Events::Rule Amazon CloudFormation 资源添加 EventBridge 规则。此事件模式会创建一个事件,以监控 Amazon S3 源桶上的 CopyObjectPutObjectCompleteMultipartUpload。此外,还包括您管道的目标。当发生 CopyObjectPutObjectCompleteMultipartUpload 时,此规则将对目标管道调用 StartPipelineExecution

    我为何做出此更改? 添加AWS::Events::Rule资源 Amazon CloudFormation 即可创建事件。此资源已添加到您的 Amazon CloudFormation 堆栈中。

    YAML
    EventRule: Type: AWS::Events::Rule Properties: EventPattern: source: - aws.s3 detail-type: - 'AWS API Call via CloudTrail' detail: eventSource: - s3.amazonaws.com eventName: - CopyObject - PutObject - CompleteMultipartUpload requestParameters: bucketName: - !Ref SourceBucket key: - !Ref SourceObjectKey Targets: - Arn: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ] RoleArn: !GetAtt EventRole.Arn Id: codepipeline-AppPipeline ...
    JSON
    "EventRule": { "Type": "AWS::Events::Rule", "Properties": { "EventPattern": { "source": [ "aws.s3" ], "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "s3.amazonaws.com" ], "eventName": [ "CopyObject", "PutObject", "CompleteMultipartUpload" ], "requestParameters": { "bucketName": [ { "Ref": "SourceBucket" } ], "key": [ { "Ref": "SourceObjectKey" } ] } } }, "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:aws:codepipeline:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "AppPipeline" } ] ] }, "RoleArn": { "Fn::GetAtt": [ "EventRole", "Arn" ] }, "Id": "codepipeline-AppPipeline" } ] } } }, ...
  3. 将此代码段添加到第一个模板,以允许跨堆栈功能:

    YAML
    Outputs: SourceBucketARN: Description: "S3 bucket ARN that Cloudtrail will use" Value: !GetAtt SourceBucket.Arn Export: Name: SourceBucketARN
    JSON
    "Outputs" : { "SourceBucketARN" : { "Description" : "S3 bucket ARN that Cloudtrail will use", "Value" : { "Fn::GetAtt": ["SourceBucket", "Arn"] }, "Export" : { "Name" : "SourceBucketARN" } } ...
  4. 将更新后的模板保存到本地计算机上,然后打开 Amazon CloudFormation 控制台。

  5. 选择堆栈,然后选择为当前堆栈创建更改集

  6. 上传更新的模板,然后查看 Amazon CloudFormation中所列的更改。以下是将对堆栈进行的更改。您应在列表中看到新资源。

  7. 选择执行

编辑管道的 PollForSourceChanges参数
重要

使用此方法创建管道时,如果 PollForSourceChanges 参数未明确设置为 false,则默认为 true。添加基于事件的更改检测时,必须将参数添加到输出并将其设置为 false 以禁用轮询。否则,您的管道将针对单个源更改启动两次。有关详细信息,请参阅PollForSourceChanges参数的有效设置

  • 在模板中,将 PollForSourceChanges 更改为 false。如果您未在管道定义中包含 PollForSourceChanges,请添加它并将它设置为 false

    我为何做出此更改?PollForSourceChanges 更改为 false 将关闭定期检查,因此您只能使用基于事件的更改检测。

    YAML
    Name: Source Actions: - Name: SourceAction ActionTypeId: Category: Source Owner: AWS Version: 1 Provider: S3 OutputArtifacts: - Name: SourceOutput Configuration: S3Bucket: !Ref SourceBucket S3ObjectKey: !Ref SourceObjectKey PollForSourceChanges: false RunOrder: 1
    JSON
    { "Name": "SourceAction", "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Version": 1, "Provider": "S3" }, "OutputArtifacts": [ { "Name": "SourceOutput" } ], "Configuration": { "S3Bucket": { "Ref": "SourceBucket" }, "S3ObjectKey": { "Ref": "SourceObjectKey" }, "PollForSourceChanges": false }, "RunOrder": 1 }
为您的 Amazon S3 管道的 CloudTrail 资源创建第二个模板
  • 在单独的模板中Resources,使用AWS::S3::BucketAWS::S3::BucketPolicy、和AWS::CloudTrail::Trail Amazon CloudFormation 资源为其提供简单的存储桶定义和跟踪 CloudTrail。

    我为何做出此更改? 鉴于当前每个账户只能有五条 CloudTrail 跟踪,因此必须单独创建和管理跟踪。(参见中的限制 Amazon CloudTrail。) 但是,您可以在单个跟踪上包括许多 Amazon S3 桶,因此您可以创建跟踪一次,然后根据需要为其他管道添加 Amazon S3 桶。将以下内容粘贴到第二个示例模板文件中。

    YAML
    ################################################################################### # Prerequisites: # - S3 SourceBucket and SourceObjectKey must exist ################################################################################### Parameters: SourceObjectKey: Description: 'S3 source artifact' Type: String Default: SampleApp_Linux.zip Resources: AWSCloudTrailBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref AWSCloudTrailBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: AWSCloudTrailAclCheck Effect: Allow Principal: Service: - cloudtrail.amazonaws.com Action: s3:GetBucketAcl Resource: !GetAtt AWSCloudTrailBucket.Arn - Sid: AWSCloudTrailWrite Effect: Allow Principal: Service: - cloudtrail.amazonaws.com Action: s3:PutObject Resource: !Join [ '', [ !GetAtt AWSCloudTrailBucket.Arn, '/AWSLogs/', !Ref 'AWS::AccountId', '/*' ] ] Condition: StringEquals: s3:x-amz-acl: bucket-owner-full-control AWSCloudTrailBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain AwsCloudTrail: DependsOn: - AWSCloudTrailBucketPolicy Type: AWS::CloudTrail::Trail Properties: S3BucketName: !Ref AWSCloudTrailBucket EventSelectors: - DataResources: - Type: AWS::S3::Object Values: - !Join [ '', [ !ImportValue SourceBucketARN, '/', !Ref SourceObjectKey ] ] ReadWriteType: WriteOnly IncludeManagementEvents: false IncludeGlobalServiceEvents: true IsLogging: true IsMultiRegionTrail: true ...
    JSON
    { "Parameters": { "SourceObjectKey": { "Description": "S3 source artifact", "Type": "String", "Default": "SampleApp_Linux.zip" } }, "Resources": { "AWSCloudTrailBucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain" }, "AWSCloudTrailBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "AWSCloudTrailBucket" }, "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": { "Service": [ "cloudtrail.amazonaws.com" ] }, "Action": "s3:GetBucketAcl", "Resource": { "Fn::GetAtt": [ "AWSCloudTrailBucket", "Arn" ] } }, { "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": { "Service": [ "cloudtrail.amazonaws.com" ] }, "Action": "s3:PutObject", "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "AWSCloudTrailBucket", "Arn" ] }, "/AWSLogs/", { "Ref": "AWS::AccountId" }, "/*" ] ] }, "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] } } }, "AwsCloudTrail": { "DependsOn": [ "AWSCloudTrailBucketPolicy" ], "Type": "AWS::CloudTrail::Trail", "Properties": { "S3BucketName": { "Ref": "AWSCloudTrailBucket" }, "EventSelectors": [ { "DataResources": [ { "Type": "AWS::S3::Object", "Values": [ { "Fn::Join": [ "", [ { "Fn::ImportValue": "SourceBucketARN" }, "/", { "Ref": "SourceObjectKey" } ] ] } ] } ], "ReadWriteType": "WriteOnly", "IncludeManagementEvents": false } ], "IncludeGlobalServiceEvents": true, "IsLogging": true, "IsMultiRegionTrail": true } } } } ...