Hi, I am developing with AWS CDK in Python. I am creating a policy document. Earlier I wrote a CloudFormation template for the same policy, and it works fine. Below is the CloudFormation policy.
MWSECSServiceRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [ecs.amazonaws.com]
          Action: ['sts:AssumeRole']
    Path: /
    Policies:
      - PolicyName: "ecs-service-role"
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
                - elasticloadbalancing:DeregisterTargets
                - elasticloadbalancing:RegisterInstancesWithLoadBalancer
                - elasticloadbalancing:RegisterTargets
              # yamllint disable-line rule:line-length
              Resource:
                # yamllint disable-line rule:line-length
                - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*'
                # yamllint disable-line rule:line-length
                - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener-rule/app/mws-*'
                # yamllint disable-line rule:line-length
                - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener/app/mws-*'
                # yamllint disable-line rule:line-length
                - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:targetgroup/mws-*'
            - Effect: Allow
              Action:
                - ec2:Describe*
                - ec2:AuthorizeSecurityGroupIngress
                - elasticloadbalancing:Describe*
              Resource: '*'
Now I am writing the AWS CDK code as follows.
# Role assumed by the ECS service (ServicePrincipal is a Python class, not a JS `new` call)
MWSECSServiceRole = iam.Role(self, 'MWSECSServiceRole',
                             assumed_by=iam.ServicePrincipal('ecs.amazonaws.com'))
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    resources=["arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*",
               "arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener-rule/app/mws-*",
               "arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener/app/mws-*",
               "arn:aws:elasticloadbalancing:*:${AWS::AccountId}:targetgroup/mws-*"],
    actions=["elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
             "elasticloadbalancing:DeregisterTargets",
             "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
             "elasticloadbalancing:RegisterTargets"]
))
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    resources=["*"],
    actions=["ec2:AuthorizeSecurityGroupIngress", "ec2:Describe*", "elasticloadbalancing:Describe*"]
))
This generates resources such as arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*
but what I need is - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*'
So how do I use !Sub in AWS CDK? Can anyone help me?
Best answer
So I only recently started using AWS CDK with Python. I thought I would answer this in case it helps someone else.
We are migrating existing cfn templates with CDK and want to take advantage of code abstraction and fed-in parameters to generate the cfn templates.
I ran into the same problem and did the following:
Import core (and `re`, which the function below uses):
import re
from aws_cdk import (
    core
)
Declare the CDK Fn object outside the CDK class:
Fn = core.Fn
Create a function in the CDK class similar to the following:
def checkFnSubRequired(self, content):
    # Wrap the string in Fn::Sub only if it contains a ${...} placeholder
    if re.search(r'\${.*}', content):
        return Fn.sub(content)
    else:
        return content
This function lets you take any string that might need substitution and return the substituted object, e.g.:
resources=["arn:aws:elasticloadbalancing:*:${AWS::AccountId}"]
becomes:
resources=[self.checkFnSubRequired("arn:aws:elasticloadbalancing:*:${AWS::AccountId}")]
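As an added example (not part of the question or the answer), a check to run over the JSON that `cdk synth` emits: it flags IAM policy resource ARNs that still carry a literal `${AWS::...}` placeholder, which is exactly the symptom the question describes and which silently scopes the statement to an ARN that matches nothing. The template below is constructed to mirror that output; the pattern is deliberately narrower than the answer's `\${.*}` so that CDK's own `${Token[...]}` strings are not matched.

```python
import re

# A CloudFormation pseudo parameter such as ${AWS::AccountId} or ${AWS::Region}.
# Narrower than the answer's r'\${.*}': it does not match CDK's own
# "${Token[...]}" placeholders, which are resolved by CDK and need no Fn::Sub.
PSEUDO_PARAM = re.compile(r"\$\{AWS::[A-Za-z]+\}")


def needs_sub(value: str) -> bool:
    """True if a plain string still carries an unresolved pseudo parameter."""
    return bool(PSEUDO_PARAM.search(value))


def _policy_documents(resource: dict):
    # Yield every PolicyDocument attached to an AWS::IAM::Policy or an IAM Role.
    props = resource.get("Properties", {})
    if resource.get("Type") == "AWS::IAM::Policy":
        yield props.get("PolicyDocument", {})
    for inline in props.get("Policies", []):  # AWS::IAM::Role inline policies
        yield inline.get("PolicyDocument", {})


def find_unresolved(template: dict) -> list:
    """Return (logical_id, arn) pairs where a policy Resource is a plain string
    that still contains a literal ${AWS::...}; a {"Fn::Sub": ...} entry is fine."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for doc in _policy_documents(resource):
            statements = doc.get("Statement", [])
            for stmt in [statements] if isinstance(statements, dict) else statements:
                res = stmt.get("Resource", [])
                for arn in [res] if isinstance(res, (str, dict)) else res:
                    if isinstance(arn, str) and needs_sub(arn):
                        findings.append((logical_id, arn))
    return findings


# Constructed sample mirroring what `cdk synth` produced for the question's code:
# add_to_policy() emits an AWS::IAM::Policy whose ARNs kept the literal placeholder.
SAMPLE_TEMPLATE = {"Resources": {
    "MWSECSServiceRoleDefaultPolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["elasticloadbalancing:RegisterTargets"],
             "Resource": [
                 "arn:aws:elasticloadbalancing:*:${AWS::AccountId}:targetgroup/mws-*",
                 {"Fn::Sub": "arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener/app/mws-*"},
             ]},
            {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        ]}},
    }}}
```

Running `find_unresolved` on the sample reports the `targetgroup` ARN and accepts the `Fn::Sub`-wrapped one. In CDK itself, `core.Aws.ACCOUNT_ID` is a token for the same pseudo parameter, so an f-string built with it avoids the need for `Fn.sub` entirely.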
Regarding "python - How to use pseudo parameters in aws cdk?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/59260668/