Terraform - 同一个存储桶上的多个 aws_s3_bucket_notification 触发器

Posted

技术标签:

【中文标题】Terraform - 同一个存储桶上的多个 aws_s3_bucket_notification 触发器【英文标题】:Terraform - Multiple aws_s3_bucket_notification triggers on the same bucket 【发布时间】:2020-06-15 13:35:06 【问题描述】:

我需要为 S3 存储桶创建触发器。我们使用以下内容来创建触发器:

resource "aws_s3_bucket_notification" "bucket_notification" 
  bucket = var.aws_s3_bucket_id

  lambda_function 
    lambda_function_arn = var.lambda_function_arn
    events              = ["s3:ObjectCreated:Put"]
    filter_prefix       = var.filter_prefix
    filter_suffix       = var.filter_suffix

当存储桶没有触发器时,这可以正常工作,除了生产之外的所有环境都是这种情况。 当我们部署生产时,我们看到存储桶上已经存在的触发器被删除了。我们需要两个触发器。 我可以手动添加另一个触发器,例如只需更改前缀即可添加一个 PUT 事件触发器,但是当我从 Terraform 执行此操作时,前一个总是被删除。我有什么遗漏吗?

【问题讨论】:

【参考方案1】:

aws_s3_bucket_notification resource documentation 在顶部提到了这一点:

注意: S3 存储桶仅支持单一通知配置。将多个 aws_s3_bucket_notification 资源声明到同一个 S3 存储桶将导致配置的永久差异。有关选项,请参阅示例“触发多个 Lambda 函数”。

他们的示例显示了如何通过在 aws_s3_bucket_notification 资源中添加多个 lambda_function 块来完成此操作:

resource "aws_iam_role" "iam_for_lambda" 
  name = "iam_for_lambda"

  assume_role_policy = <<EOF

  "Version": "2012-10-17",
  "Statement": [
    
      "Action": "sts:AssumeRole",
      "Principal": 
        "Service": "lambda.amazonaws.com"
      ,
      "Effect": "Allow"
    
  ]

EOF


resource "aws_lambda_permission" "allow_bucket1" 
  statement_id  = "AllowExecutionFromS3Bucket1"
  action        = "lambda:InvokeFunction"
  function_name = "$aws_lambda_function.func1.arn"
  principal     = "s3.amazonaws.com"
  source_arn    = "$aws_s3_bucket.bucket.arn"


resource "aws_lambda_function" "func1" 
  filename      = "your-function1.zip"
  function_name = "example_lambda_name1"
  role          = "$aws_iam_role.iam_for_lambda.arn"
  handler       = "exports.example"
  runtime       = "go1.x"


resource "aws_lambda_permission" "allow_bucket2" 
  statement_id  = "AllowExecutionFromS3Bucket2"
  action        = "lambda:InvokeFunction"
  function_name = "$aws_lambda_function.func2.arn"
  principal     = "s3.amazonaws.com"
  source_arn    = "$aws_s3_bucket.bucket.arn"


resource "aws_lambda_function" "func2" 
  filename      = "your-function2.zip"
  function_name = "example_lambda_name2"
  role          = "$aws_iam_role.iam_for_lambda.arn"
  handler       = "exports.example"


resource "aws_s3_bucket" "bucket" 
  bucket = "your_bucket_name"


resource "aws_s3_bucket_notification" "bucket_notification" 
  bucket = "$aws_s3_bucket.bucket.id"

  lambda_function 
    lambda_function_arn = "$aws_lambda_function.func1.arn"
    events              = ["s3:ObjectCreated:*"]
    filter_prefix       = "AWSLogs/"
    filter_suffix       = ".log"
  

  lambda_function 
    lambda_function_arn = "$aws_lambda_function.func2.arn"
    events              = ["s3:ObjectCreated:*"]
    filter_prefix       = "OtherLogs/"
    filter_suffix       = ".log"

【讨论】:

以上是关于Terraform - 同一个存储桶上的多个 aws_s3_bucket_notification 触发器的主要内容,如果未能解决你的问题,请参考以下文章

从托管在 S3 存储桶上的站点访问 AWS API 时出现 CORS 问题 [关闭]

S3 存储桶上的未加密文件是不是有 Etag?

使用 CORS 在 AWS S3 存储桶上获取

AWS CDK 错误:存储桶上已存在存储桶策略

尽管政策允许我的站点引荐来源网址,但 S3 存储桶上的 copyObject 访问被拒绝

AWS S3 CLI - 如何使用存储桶上设置的所有当前策略获取 JSON?