CloudFormation condition function with !Join
Requesting help with the YAML syntax for specifying multiple resource ARN values.
I cannot figure out the correct YAML syntax to produce a valid JSON IAM policy.
Any help would be greatly appreciated.
- CloudFormation Template (yaml):
  AWSTemplateFormatVersion: 2010-09-09
  Parameters:
    AdminRoleHaveRLP:
      Type: String
      Default: 'Yes'
      AllowedValues:
        - 'Yes'
        - 'No'
    TestPolicyName:
      Type: String
      Default: test-service-role-policy
    TestServiceRole1:
      Type: String
      Default: test-service-role1
    TestServiceRole2:
      Type: String
      Default: test-service-role2
  Conditions:
    AdminRoleHasRLP: !Equals
      - 'Yes'
      - !Ref AdminRoleHaveRLP
  Resources:
    Policy:
      Type: 'AWS::IAM::ManagedPolicy'
      Properties:
        ManagedPolicyName: !Ref TestPolicyName
        Path: /
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Sid: ServiceRolePolicy
              Effect: Allow
              Action:
                - 'iam:AttachRolePolicy'
              Resource:
                - !If
                  - AdminRoleHasRLP
                  - !Join ['', ['arn:aws:iam::*:role/', !Ref TestServiceRole1, ',', 'arn:aws:iam::*:role/', !Ref TestServiceRole2]]
                  - 'arn:aws:iam::*:role/*'
- IAM policy output with AdminRoleHaveRLP=Yes:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "iam:AttachRolePolicy"
        ],
        "Resource": [
          "arn:aws:iam::*:role/test-service-role1,arn:aws:iam::*:role/test-service-role2"
        ],
        "Effect": "Allow",
        "Sid": "ServiceRolePolicy"
      }
    ]
  }
- Expected policy output:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "iam:AttachRolePolicy"
        ],
        "Resource": [
          "arn:aws:iam::*:role/test-service-role1",
          "arn:aws:iam::*:role/test-service-role2"
        ],
        "Effect": "Allow",
        "Sid": "ServiceRolePolicy"
      }
    ]
  }
The normal and simpler way to define the policy is to use Sub rather than Join:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  AdminRoleHaveRLP:
    Type: String
    Default: 'Yes'
    AllowedValues:
      - 'Yes'
      - 'No'
  TestPolicyName:
    Type: String
    Default: test-service-role-policy
  TestServiceRole1:
    Type: String
    Default: test-service-role1
  TestServiceRole2:
    Type: String
    Default: test-service-role2
Conditions:
  AdminRoleHasRLP: !Equals
    - 'Yes'
    - !Ref AdminRoleHaveRLP
Resources:
  Policy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: !Ref TestPolicyName
      Path: /
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ServiceRolePolicy
            Effect: Allow
            Action:
              - 'iam:AttachRolePolicy'
            Resource:
              !If
                - AdminRoleHasRLP
                - - !Sub 'arn:aws:iam::*:role/${TestServiceRole1}'
                  - !Sub 'arn:aws:iam::*:role/${TestServiceRole2}'
                - 'arn:aws:iam::*:role/*'
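As an added example (not code from the question or the answer), the following Python resolves the Resource intrinsics of both templates the way CloudFormation would, using the default parameter values, and then lints each resulting entry so a fused "arn...,arn..." string is caught before the policy is deployed. The evaluator is a deliberately small subset: only Ref, Fn::Join, Fn::If and the string form of Fn::Sub, in the JSON shape the YAML tags parse to.

```python
import re

# Resolved IAM role ARN: account is '*' or 12 digits; the role-name part may not contain whitespace.
ARN_RE = re.compile(r"^arn:aws:iam::(\*|\d{12}):role/\S+$")


def resolve(node, params, conditions):
    """Evaluate the intrinsics used on this page against concrete parameter/condition values."""
    if isinstance(node, list):
        return [resolve(n, params, conditions) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        return params[node["Ref"]]
    if "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        # Join always yields ONE string, however many ARNs are glued into it.
        return sep.join(str(resolve(p, params, conditions)) for p in parts)
    if "Fn::Sub" in node:  # string form only; the [template, mapping] form is not handled
        return re.sub(r"\$\{(\w+)\}", lambda m: str(params[m.group(1)]), node["Fn::Sub"])
    if "Fn::If" in node:
        cond, yes, no = node["Fn::If"]
        return resolve(yes if conditions[cond] else no, params, conditions)
    raise ValueError(f"unsupported intrinsic: {list(node)}")


def lint_resources(resources):
    """Return entries that are not a single well-formed role ARN (a comma-fused pair is flagged)."""
    if isinstance(resources, str):  # Resource may legitimately be a bare string
        resources = [resources]
    return [r for r in resources if not ARN_RE.match(r) or r.count("arn:") > 1]


# Constructed inputs: the page's default parameter values with the condition evaluating true.
PARAMS = {"TestServiceRole1": "test-service-role1", "TestServiceRole2": "test-service-role2"}
CONDITIONS = {"AdminRoleHasRLP": True}

# Question's form: the list holds one Fn::If whose true branch is a Join -> one fused string.
JOIN_RESOURCE = [{"Fn::If": ["AdminRoleHasRLP",
    {"Fn::Join": ["", ["arn:aws:iam::*:role/", {"Ref": "TestServiceRole1"}, ",",
                       "arn:aws:iam::*:role/", {"Ref": "TestServiceRole2"}]]},
    "arn:aws:iam::*:role/*"]}]

# Answer's form: Fn::If returns a whole list of two Sub-rendered ARNs.
SUB_RESOURCE = {"Fn::If": ["AdminRoleHasRLP",
    [{"Fn::Sub": "arn:aws:iam::*:role/${TestServiceRole1}"},
     {"Fn::Sub": "arn:aws:iam::*:role/${TestServiceRole2}"}],
    "arn:aws:iam::*:role/*"]}


def resolved_join():
    return resolve(JOIN_RESOURCE, PARAMS, CONDITIONS)


def resolved_sub():
    return resolve(SUB_RESOURCE, PARAMS, CONDITIONS)
```

Running `lint_resources(resolved_join())` flags the single fused entry, which IAM accepts as syntactically valid but which names no real role, while `lint_resources(resolved_sub())` returns an empty list.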