CloudFormation条件函数Fn::Join: | !Join指定多个资源arn值的yaml语法问题 - Trouble with yaml syntax for CloudFormation condition function Fn::Join: | !Join to specify multiple resource arn values 小贝子编程网

关于CloudFormation条件函数!Join指定多个资源arn值的yaml语法请求帮助。

我无法找出正确的yaml语法来生成有效的json IAM策略。

任何帮助都将是非常感激的。

CloudFormation Template (yaml):

AWSTemplateFormatVersion: 2010-09-09
Parameters:
AdminRoleHaveRLP:
Type: String
Default: 'Yes'
AllowedValues:
- 'Yes'
- 'No'
TestPolicyName:
Type: String
Default: test-service-role-policy
TestServiceRole1:
Type: String
Default: test-service-role1
TestServiceRole2:
Type: String
Default: test-service-role2
Conditions:
AdminRoleHasRLP: !Equals 
- 'Yes'
- !Ref AdminRoleHaveRLP
Resources:
Policy:
Type: 'AWS::IAM::ManagedPolicy'
Properties:
ManagedPolicyName: !Ref TestPolicyName
Path: /
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ServiceRolePolicy
Effect: Allow
Action:
- 'iam:AttachRolePolicy'
Resource:
- !If 
- AdminRoleHasRLP
- !Join ['', ['arn:aws:iam::*:role/', !Ref TestServiceRole1,',', 'arn:aws:iam::*:role/', !Ref TestServiceRole2]]
- 'arn:aws:iam::*:role/*'

AdminRoleHaveRLP=Yes:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws:iam::*:role/test-service-role1,arn:aws:iam::*:role/test-service-role2"
],
"Effect": "Allow",
"Sid": "ServiceRolePolicy"
}
]
}

预期策略输出:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws:iam::*:role/test-service-role1",
"arn:aws:iam::*:role/test-service-role2"
],
"Effect": "Allow",
"Sid": "ServiceRolePolicy"
}
]
}

定义策略的正常和更简单的方法是使用Sub，而不是Join:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
AdminRoleHaveRLP:
Type: String
Default: 'Yes'
AllowedValues:
- 'Yes'
- 'No'
TestPolicyName:
Type: String
Default: test-service-role-policy
TestServiceRole1:
Type: String
Default: test-service-role1
TestServiceRole2:
Type: String
Default: test-service-role2
Conditions:
AdminRoleHasRLP: !Equals 
- 'Yes'
- !Ref AdminRoleHaveRLP
Resources:
Policy:
Type: 'AWS::IAM::ManagedPolicy'
Properties:
ManagedPolicyName: !Ref TestPolicyName
Path: /
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ServiceRolePolicy
Effect: Allow
Action:
- 'iam:AttachRolePolicy'
Resource:
!If 
- AdminRoleHasRLP
- - !Sub 'arn:aws:iam::*:role/${TestServiceRole1}'
- !Sub 'arn:aws:iam::*:role/${TestServiceRole2}'
- 'arn:aws:iam::*:role/*'

CloudFormation条件函数Fn::Join: | !Join指定多个资源arn值的yaml语法问题

相关内容

最新更新

热门标签：