我有一个 aws_scheduler_schedule,计划每分钟向 Lambda 函数发送一条消息,如下所示:
resource "aws_scheduler_schedule" "event_scheduler" {
name = "${var.environment}-${var.account_name}-${var.service_name}-scheduler"
flexible_time_window {
mode = "OFF"
}
schedule_expression = "rate(1 minute)"
target {
arn = var.lambda_arn
role_arn = aws_iam_role.iam_for_eventbridge.arn
input = jsonencode({
MessageBody = "check_expired"
})
}
}
我想限制 aws_scheduler_schedule 的 aws_iam_role,这样它只允许上述调度程序进行 sts:AssumeRole。这是我的 aws_iam_role 代码:
resource "aws_iam_role" "iam_for_eventbridge" {
name = "${var.environment}-${var.account_name}-${var.service_name}-eventbridge-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "scheduler.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "${aws_scheduler_schedule.event_scheduler.arn}"
}
}
]
} …