CloudFormation StackSet S3 错误：区域“us-east-1”错误；期待“ap-southeast-1”

Question

我正在尝试使用 CloudFormation StackSets 将我的 lambda 函数部署到多个 AWS 账户和区域。但由于以下错误而失败

ResourceLogicalId:OfficeHoursAutoScalingStart、ResourceType:AWS::Lambda::Function、ResourceStatusReason:GetObject 时发生错误。 S3 错误代码：AuthorizationHeaderMalformed。 S3 错误信息：授权标头格式错误；区域“us-east-1”是错误的；期待“ap-southeast-1”

这似乎是一个权限问题？我该如何解决这个问题？

我的模板：

AWSTemplateFormatVersion : '2010-09-09'
Description: 'Skynet. AWS Management Assistant'
Parameters:
  AppName:
    Type: String
    Description: Prefix for resources
    Default: skynet-lambda-stackset
  ArtifactsBucket:
    Type: String
    Description: S3 bucket storing lambda function zip
  ArtifactZipPath:
    Type: String
    Description: Path to lambda function zip
  CostCenter:
    Type: String
    Description: Cost center
    Default: Admin
  Owner:
    Type: String
    Description: Owner
    Default: Jiew Meng

Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${AppName}-lambda'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
              - apigateway.amazonaws.com
          Action:
          - sts:AssumeRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'
        - 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
        - 'arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'

  NewEc2AutoTag:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: ec2/newEc2_autoTag.handler
      Runtime: nodejs6.10
      FunctionName: 'NewEC2_AutoTag'
      Description: 'Auto tag new EC2 instances with Owner tag'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  NewEc2Event:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-newEc2
      Description: On new EC2 instance created
      EventPattern:
        source:
          - 'aws.ec2'
        detail-type:
          - 'AWS API Call via CloudTrail'
        detail:
          eventName:
            - RunInstances
      Targets:
        - !Ref NewEc2AutoTag

  AfterhoursEc2Shutdown:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: ec2/afterHours_shutdown.handler
      Runtime: nodejs6.10
      FunctionName: 'Afterhours_Shutdown'
      Description: 'Shutdown instances tagged Auto Shutdown: true'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  AfterHoursEvent:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-afterHours
      Description: Triggered on weekdays 2400 SGT
      ScheduleExpression: cron(0 16 ? * MON,TUE,WED,THUR,FRI *)
      Targets:
        - !Ref AfterhoursEc2Shutdown
        - !Ref AfterhoursAutoScalingShutdown

  OfficeHoursEc2Start:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: ec2/officeHours_start.handler
      Runtime: nodejs6.10
      FunctionName: 'OfficeHours_Start'
      Description: 'Starts instances with Auto Shutdown: true'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  OfficeHoursEvent:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-officeHours
      Description: Triggered on 7AM SGT weekdays
      ScheduleExpression: cron(0 23 ? * SUN,MON,TUE,WED,THU *)
      Targets:
        - !Ref OfficeHoursEc2Start
        - !Ref OfficeHoursAutoScalingStart

  StartedEc2ConfigureDns:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: ec2/started_configureDns.handler
      Runtime: nodejs6.10
      FunctionName: 'StartedEc2_ConfigureDns'
      Description: 'When EC2 started, configure DNS if required'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  Ec2StartedEvent:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-ec2-started
      Description: Triggered on EC2 starts
      EventPattern:
        source:
          - 'aws.ec2'
        detail-type:
          - 'EC2 Instance State-change Notification'
        detail:
          state:
            - running
      Targets:
        - !Ref StartedEc2ConfigureDns

  AfterhoursAutoScalingShutdown:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: autoscaling/afterHours_shutdown.handler
      Runtime: nodejs6.10
      FunctionName: 'Afterhours_AutoScalingShutdown'
      Description: 'Scales down autoscaling groups tagged Auto Shutdown: true'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  OfficeHoursAutoScalingStart:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: autoscaling/officeHours_start.handler
      Runtime: nodejs6.10
      FunctionName: 'OfficeHours_AutoScalingStart'
      Description: 'Scales up auto scaling groups that are scaled down to 0 and tagged autostart: true'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

  NewAutoScalingGroupEvent:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub ${AppName}-autoscaling-new
      Description: Triggered when new autoscaling group created
      EventPattern:
        source:
          - 'aws.autoscaling'
        detail-type:
          - 'AWS API Call via CloudTrail'
        detail:
          eventName:
            - CreateAutoScalingGroup
      Targets:
        - !Ref NewAutoScalingGroupAutoTag

  NewAutoScalingGroupAutoTag:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref ArtifactsBucket
        S3Key: !Ref ArtifactZipPath
      Handler: autoscaling/new_autoTag.handler
      Runtime: nodejs6.10
      FunctionName: 'NewAutoScalingGroup_AutoTag'
      Description: 'Tags new autoscaling groups with owner and autoshutdown tags if not existing'
      Timeout: 30
      Role: !GetAtt LambdaRole.Arn
      Tags:
        - Key: Cost Center
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner

Answer 1

看起来您已经在 AWS 区域 ap-southeast-1 中创建了 s3 存储桶（由模板中的变量 ArtifactsBucket 引用）。

使用 AWS Stacksets，您已选择 us-east-1 作为部署顺序中的区域之一。

AWS Stackset 将 SAME 参数 传递给它尝试在多个区域/账户中创建的所有堆栈。

因此，当它试图在us-east-1 区域中创建lambda 函数OfficeHoursAutoScalingStart 时，它正在尝试访问us-east-1 区域本身中的s3 存储桶（GETObject 请求），具有相同的存储桶名称。

即。假设名称由ArtifactsBucket参数传递的s3存储桶本身存在于us-east-1中。但是由于lambda函数的源代码实际上是存在于区域ap-southeast-1的存储桶中，所以@987654331 @被抛出。在这种情况下，存储桶名称匹配，但区域不匹配。

目前，当您使用 CloudFormation 创建 lambda 函数时，存在一个限制，即包含您的 Lambda 函数源代码的 S3 存储桶必须与您正在创建的 STACK 位于同一区域中 . Doc Reference Link

如果这是问题所在，那么作为修复，您可以考虑在所需区域中创建 s3 存储桶（将 region-name 作为存储桶名称的前缀添加）并在基于区域的模板中使用它们。

Example:
us-east-1-lambdabkt
us-east-2-lambdabkt
ap-southeast-1-lambdabkt