【发布时间】:2019-12-01 15:08:51
【问题描述】:
我正在编写一个 CloudFormation,它创建一个 S3 存储桶和一个 SQS 队列。在同一个 CFN 中,我试图让 S3 存储桶向 SQS 队列发送消息。我不断收到此错误:
无法验证以下目标配置
昨天我花了大约 12 个小时反复试验。我想我现在已经阅读了所有关于这个主题的文章。大多数似乎都在 Lambdas 或 SNS 主题上,但过程应该是相同的。我尝试在 S3 存储桶中添加 DependsOn,以便在存储桶之前创建 SQS 策略,但这不起作用。然后我做了另一个建议的解决方案,即创建存储桶和 sqs,然后为 sqs 存储桶创建允许 s3 发布到它的策略,最后创建通知。我已成功创建通知。
这是我的 sqs 创建:
SQSBiaData:
Type: AWS::SQS::Queue
Properties:
QueueName: !Ref Queue
Tags:
- Key: 'Environment'
Value: !Ref Environment
这是我的 sqs 政策:
SQSBiaPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues:
- !Ref SQSBiaData
PolicyDocument:
Statement:
- Sid: SendMessage
Effect: Allow
Principal:
AWS: !Ref AccountNumber
Action: SQS:SendMessage
Resource:
- 'arn:aws:sqs:us-east-1:123456:bia-data'
Condition:
ArnLike:
aws:SourceArn:
Fn::Join:
- ''
- - 'arn:aws:s3:*:*:'
- 'bia-data'
这是我创建的存储桶:
S3BucketBiaData:
Type: AWS::S3::Bucket
DependsOn:
- SQSBiaPolicy
DeletionPolicy: Retain
Properties:
AccessControl: Private
BucketName: !Ref BucketName
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
Tags:
- Key: 'Environment'
Value: !Ref Environment
NotificationConfiguration:
QueueConfigurations:
- Event: 's3:ObjectCreated:*'
Queue: 'arn:aws:sqs:us-east-1:123456:bia-data'
Filter:
S3Key:
Rules:
- Name: 'prefix'
Value: 'manifest/'
最后,这是我的存储桶策略:
S3BucketBiaPolicies:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref BucketName
PolicyDocument:
Statement:
- Sid: DenyInsecureConnections
Effect: Deny
Principal: '*'
Action: s3:*
Resource:
- !Sub 'arn:aws:s3:::${S3BucketBiaData}/*'
Condition:
Bool:
aws:SecureTransport: 'false'
- Sid: DenyPublicReadGrant
Effect: Deny
Principal:
AWS: "*"
Action:
- s3:PutObject
- s3:PutObjectAcl
Resource:
- !Sub 'arn:aws:s3:::${S3BucketBiaData}/*'
Condition:
StringLike:
s3:x-amz-grant-read:
- "*http://acs.amazonaws.com/groups/global/AllUsers*"
- "*http://acs.amazonaws.com/groups/global/AuthenticatedUsers*"
- Sid: OnlyAllowVPCAccess
Effect: Deny
Principal: '*'
Action: s3:*
Resource:
- !Sub 'arn:aws:s3:::${S3BucketBiaData}/*'
Condition:
ForAnyValue:StringNotEquals:
'aws: sourceVpce': !Ref VPCs
我预计 CFN 会按以下顺序发生:
- SQS
- SQS 政策
- S3 存储桶
- S3 存储桶策略
谁能告诉我我做错了什么?请记住,CFN 一直有效,直到我添加了 NotificationConfiguration 部分。
谢谢!
【问题讨论】:
标签: amazon-s3 yaml amazon-cloudformation amazon-sqs