為 Amazon S3 來源建立 EventBridge 規則 (CloudFormation 範本）

以 Amazon S3 做為事件來源和 CodePipeline 做為目標建立 EventBridge 規則，並套用許可政策

在範本的下Resources，使用 AWS::IAM::Role CloudFormation 資源來設定允許事件啟動管道的 IAM 角色。此項目會建立一個使用兩個政策的角色：

第一個政策允許要承擔的角色。
第二個政策提供啟動管道的許可。

為什麼我會做出此變更？ 新增AWS::IAM::Role資源 CloudFormation 可讓建立 EventBridge 的許可。此資源會新增至您的 CloudFormation 堆疊。

YAML


  EventRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17		 	 	 
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      Policies:
        -
          PolicyName: eb-pipeline-execution
          PolicyDocument:
            Version: 2012-10-17		 	 	 
            Statement:
              -
                Effect: Allow
                Action: codepipeline:StartPipelineExecution
                Resource: !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ]


...

JSON


  "EventRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",		 	 	 
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "events.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      },
      "Path": "/",
      "Policies": [
        {
          "PolicyName": "eb-pipeline-execution",
          "PolicyDocument": {
            "Version": "2012-10-17",		 	 	 
            "Statement": [
              {
                "Effect": "Allow",
                "Action": "codepipeline:StartPipelineExecution",
                "Resource": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:codepipeline:",
                      {
                        "Ref": "AWS::Region"
                      },
                      ":",
                      {
                        "Ref": "AWS::AccountId"
                      },
                      ":",
                      {
                        "Ref": "AppPipeline"
                      }
                    ]
                  ]

...

使用 AWS::Events::Rule CloudFormation 資源來新增 EventBridge 規則。此事件模式會建立事件，在您的 Amazon S3 來源儲存貯體CompleteMultipartUpload上監控 CopyObject、 PutObject和。此外，會包含您管道的目標。當 CopyObject、PutObject 或 CompleteMultipartUpload 發生時，此規則會在目標管道上呼叫 StartPipelineExecution。

為什麼我會做出此變更？ 新增 AWS::Events::Rule 資源 CloudFormation 可讓建立事件。此資源會新增至您的 CloudFormation 堆疊。

YAML


  EventRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.s3
        detail-type:
          - 'AWS API Call via CloudTrail'
        detail:
          eventSource:
            - s3.amazonaws.com
          eventName:
            - CopyObject
            - PutObject
            - CompleteMultipartUpload
          requestParameters:
            bucketName:
              - !Ref SourceBucket
            key:
              - !Ref SourceObjectKey
      Targets:
        -
          Arn:
            !Join [ '', [ 'arn:aws:codepipeline:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref AppPipeline ] ]
          RoleArn: !GetAtt EventRole.Arn
          Id: codepipeline-AppPipeline


...

JSON



  "EventRule": {
    "Type": "AWS::Events::Rule",
    "Properties": {
      "EventPattern": {
        "source": [
          "aws.s3"
        ],
        "detail-type": [
          "AWS API Call via CloudTrail"
        ],
        "detail": {
          "eventSource": [
            "s3.amazonaws.com"
          ],
          "eventName": [
            "CopyObject",
            "PutObject",
            "CompleteMultipartUpload"
          ],
          "requestParameters": {
            "bucketName": [
              {
                "Ref": "SourceBucket"
              }
            ],
            "key": [
              {
                "Ref": "SourceObjectKey"
              }
            ]
          }
        }
      },
      "Targets": [
        {
          "Arn": {
            "Fn::Join": [
              "",
              [
                "arn:aws:codepipeline:",
                {
                  "Ref": "AWS::Region"
                },
                ":",
                {
                  "Ref": "AWS::AccountId"
                },
                ":",
                {
                  "Ref": "AppPipeline"
                }
              ]
            ]
          },
          "RoleArn": {
            "Fn::GetAtt": [
              "EventRole",
              "Arn"
            ]
          },
          "Id": "codepipeline-AppPipeline"
        }
      ]
    }
  }
},

...

將此片段新增到您的第一個範本，以允許跨堆疊功能：

（選用）若要設定具有特定影像 ID 來源覆寫的輸入轉換器，請使用下列 YAML 程式碼片段。下列範例會設定覆寫，其中：
- 在此actionNameSource範例中，是在管道建立時定義的動態值，不是衍生自來源事件。
- 在此revisionTypeS3_OBJECT_VERSION_ID範例中，是在管道建立時定義的動態值，不是衍生自來源事件。
- 此範例中的 revisionValue<revisionValue> 衍生自來源事件變數。
```
---
Rule: my-rule
Targets:
- Id: MyTargetId
  Arn: pipeline-ARN
  InputTransformer:
    InputPathsMap:
      revisionValue: "$.detail.object.version-id"
    InputTemplate:
      sourceRevisions:
        actionName: Source
        revisionType: S3_OBJECT_VERSION_ID
        revisionValue: '<revisionValue>'
```
將更新後的範本儲存至本機電腦，然後開啟 CloudFormation 主控台。
選擇您的堆疊，然後選擇 Create Change Set for Current Stack (建立目前堆疊的變更集)。
上傳您的更新範本，然後檢視中 CloudFormation所列的變更。這些是會針對堆疊進行的變更。您應該會在清單中看到新資源。
選擇 Execute (執行)。

編輯管道的 PollForSourceChanges 參數

重要

當您使用這個方法建立管道時，如果沒有明確設為 false，則 PollForSourceChanges 參數會預設為 true。當新增基於事件的變更偵測時，您必須將該參數新增到輸出，並將其設為 false 以停用輪詢。否則，您的管道會針對單一來源變更啟動兩次。如需詳細資訊，請參閱PollForSourceChanges 參數的有效設定。

在範本中，將 PollForSourceChanges 變更為 false。如果您並未在管道定義中包含 PollForSourceChanges，請新增它，並將其設為 false。

為什麼我會做出此變更？ 將 PollForSourceChanges變更為 false 會關閉定期檢查，因此您只能使用事件型變更偵測。

為 Amazon S3 管道的 CloudTrail 資源建立第二個範本

在個別範本的下Resources，使用 AWS::S3::Bucket、 AWS::S3::BucketPolicy和 AWS::CloudTrail::Trail CloudFormation 資源為 CloudTrail 提供簡單的儲存貯體定義和線索。

為什麼要進行這項變更？ 鑑於每個帳戶的目前限制為 5 個線索，必須分別建立和管理 CloudTrail 線索。（請參閱中的限制 AWS CloudTrail。) 不過，您可以在單一線索上包含許多 Amazon S3 儲存貯體，因此您可以建立一次線索，然後視需要為其他管道新增 Amazon S3 儲存貯體。將下列內容貼至您的第二個範例範本檔案中。

YAML


###################################################################################
# Prerequisites: 
#   - S3 SourceBucket and SourceObjectKey must exist
###################################################################################

Parameters:
  SourceObjectKey:
    Description: 'S3 source artifact'
    Type: String
    Default: SampleApp_Linux.zip

Resources:
  AWSCloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AWSCloudTrailBucket
      PolicyDocument:
        Version: 2012-10-17		 	 	 
        Statement:
          -
            Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt AWSCloudTrailBucket.Arn
          -
            Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Join [ '', [ !GetAtt AWSCloudTrailBucket.Arn, '/AWSLogs/', !Ref 'AWS::AccountId', '/*' ] ]
            Condition: 
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
  AWSCloudTrailBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
  AwsCloudTrail:
    DependsOn:
      - AWSCloudTrailBucketPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName: !Ref AWSCloudTrailBucket
      EventSelectors:
        -
          DataResources:
            -
              Type: AWS::S3::Object
              Values:
                - !Join [ '', [ !ImportValue SourceBucketARN, '/', !Ref SourceObjectKey ] ]
          ReadWriteType: WriteOnly
          IncludeManagementEvents: false
      IncludeGlobalServiceEvents: true
      IsLogging: true
      IsMultiRegionTrail: true


...

JSON


{
  "Parameters": {
    "SourceObjectKey": {
      "Description": "S3 source artifact",
      "Type": "String",
      "Default": "SampleApp_Linux.zip"
    }
  },
  "Resources": {
    "AWSCloudTrailBucket": {
      "Type": "AWS::S3::Bucket",
        "DeletionPolicy": "Retain"
    },
    "AWSCloudTrailBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "AWSCloudTrailBucket"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",		 	 	 
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "cloudtrail.amazonaws.com"
                ]
              },
              "Action": "s3:GetBucketAcl",
              "Resource": {
                "Fn::GetAtt": [
                  "AWSCloudTrailBucket",
                  "Arn"
                ]
              }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "cloudtrail.amazonaws.com"
                ]
              },
              "Action": "s3:PutObject",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "AWSCloudTrailBucket",
                        "Arn"
                      ]
                    },
                    "/AWSLogs/",
                    {
                      "Ref": "AWS::AccountId"
                    },
                    "/*"
                  ]
                ]
              },
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control"
                }
              }
            }
          ]
        }
      }
    },
    "AwsCloudTrail": {
      "DependsOn": [
        "AWSCloudTrailBucketPolicy"
      ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "S3BucketName": {
          "Ref": "AWSCloudTrailBucket"
        },
        "EventSelectors": [
          {
            "DataResources": [
              {
                "Type": "AWS::S3::Object",
                "Values": [
                  {
                    "Fn::Join": [
                      "",
                      [
                        {
                          "Fn::ImportValue": "SourceBucketARN"
                        },
                        "/",
                        {
                          "Ref": "SourceObjectKey"
                        }
                      ]
                    ]
                  }
                ]
              }
            ],
            "ReadWriteType": "WriteOnly",
            "IncludeManagementEvents": false
          }
        ],
        "IncludeGlobalServiceEvents": true,
        "IsLogging": true,
        "IsMultiRegionTrail": true
      }
    }
  }
}

...