Sac*_*esh 8 amazon-web-services aws-cdk
I am using AWS CDK to create S3, SQS and KMS resources. I have enabled encryption on the S3 and SQS resources. When I enable notifications from S3 to SQS, I get a circular dependency error. When I remove the KMS settings from my code, it works.
GitHub repository: https://github.com/techcoderunner/s3-sqs-kms-sample
from aws_cdk import aws_kms as kms
from aws_cdk import aws_s3 as s3
from aws_cdk import aws_sqs as sqs
from aws_cdk import aws_s3_notifications as s3notif

kms_key = kms.Key(self, 'ssl_s3_sqs_kms_key',
                  alias='sslS3SqsKmsKey',
                  description='This is kms key',
                  enabled=True,
                  enable_key_rotation=True,
                  policy=kms_policy_document,  # key policy document defined elsewhere (not shown)
                  )
# Create the S3 bucket
bucket = s3.Bucket(
    self, "ssl_s3_bucket_raw_kms",
    bucket_name="ssl-s3-bucket-kms-raw",
    encryption=s3.BucketEncryption.KMS,
    encryption_key=kms_key,
)
# Create the SQS queue
queue = sqs.Queue(
    self, "ssl_sqs_event_queue",
    queue_name="ssl-sqs-kms-event-queue",
    encryption=sqs.QueueEncryption.KMS,
    encryption_master_key=kms_key,
)
# Create S3 notification object which points to SQS
notification = s3notif.SqsDestination(queue)
filter1 = s3.NotificationKeyFilter(prefix="home/")
# Attach notification event to S3 bucket
bucket.add_event_notification(s3.EventType.OBJECT_CREATED, notification, filter1)
I opened a GitHub bug report for this.
It looks like the root cause is the following condition that was added to the KMS key:
CDK output template, ssls3sqskmskey83E47315.Properties.KeyPolicy.Statement[1]:
{
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": {
                "Fn::GetAtt": [
                    "ssls3bucketrawkms4B1E1122",
                    "Arn"
                ]
            }
        }
    },
},
The S3 bucket depends on the KMS key for encryption, while the KMS key has a condition that depends on the S3 bucket.
After removing the condition with an escape hatch, I was able to deploy the stack:
# Delete the circular reference
cfn_kms_key = kms_key.node.default_child
cfn_kms_key.add_property_deletion_override("KeyPolicy.Statement.1")
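As an added check (not code from the question or the linked repository), the following Python builds the Ref / Fn::GetAtt dependency graph of a synthesized CloudFormation template, reports the cycle between the key and the bucket, and shows that dropping KeyPolicy.Statement[1] offline, as the escape hatch above does, removes it. The embedded template is constructed: the key and bucket logical IDs and Statement[1] are taken from the answer, while the queue's logical ID, the account ID and Statement[0] are assumptions.

```python
import copy
# Constructed, cut-down template in the shape `cdk synth` emits for the page's stack. The key and bucket
# logical IDs and Statement[1] come from the page; the queue ID, account ID and Statement[0] are assumed.
KEY, BUCKET, QUEUE = "ssls3sqskmskey83E47315", "ssls3bucketrawkms4B1E1122", "sslsqseventqueue0ABC1234"
getatt = lambda logical_id: {"Fn::GetAtt": [logical_id, "Arn"]}
TEMPLATE = {"Resources": {
    KEY: {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"}, "Resource": "*",
         "Action": ["kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
         "Condition": {"ArnLike": {"aws:SourceArn": getatt(BUCKET)}}}]}}},
    BUCKET: {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": getatt(KEY)}}]}}},
    QUEUE: {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": getatt(KEY)}},
}}

def references(node):
    """Yield the logical IDs named by Ref / Fn::GetAtt anywhere under `node`."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if isinstance(node.get("Fn::GetAtt"), list):
            yield node["Fn::GetAtt"][0]
    for child in (node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()):
        yield from references(child)

def dependency_graph(template):
    """Edge A -> B means resource A must wait for B via Ref or Fn::GetAtt in its Properties (DependsOn not followed)."""
    resources = template["Resources"]  # intersecting with its keys drops pseudo-parameters such as AWS::Region
    return {lid: set(references(body.get("Properties", {}))) & set(resources) for lid, body in resources.items()}

def find_cycle(graph):
    """Depth-first search; return one cycle as a closed list of logical IDs, or None if the graph is acyclic."""
    done = set()  # nodes fully explored without finding a cycle
    def visit(node, path):
        if node in path:
            return path[path.index(node):] + [node]
        if node in done:
            return None
        done.add(node)
        return next((c for nxt in sorted(graph[node]) if (c := visit(nxt, path + [node]))), None)
    return next((c for start in graph if (c := visit(start, []))), None)

def delete_statement(template, key_id, index):
    """Offline twin of the answer's add_property_deletion_override("KeyPolicy.Statement.<index>")."""
    fixed = copy.deepcopy(template)
    del fixed["Resources"][key_id]["Properties"]["KeyPolicy"]["Statement"][index]
    return fixed
```

To run it against a real stack, load the JSON that `cdk synth` writes into TEMPLATE; the statement being dropped is a grant on the key, so review the remaining key policy afterwards.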