我的 CloudFormation 堆栈附加了一个策略:
{
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"Update:*"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Principal": "*",
"Resource": "*",
"Action": [
"Update:Replace",
"Update:Delete"
],
"Condition": {
"StringEquals": {
"ResourceType": [
"AWS::SNS::Topic",
"AWS::SQS::Queue"
]
}
}
}
]
}
该策略可防止意外删除 SNS/SQS 资源。我希望在dev
环境中使政策更加自由。如何有条件地禁用 Deny
语句,例如,如果我的 CF (cloudformation) 堆栈名称是 my-app-dev
或 CF 堆栈具有标签 STAGE
等于 dev
?
顺便说一句,策略是由无服务器框架生成的,因此我必须将其写入 serverless.yml
最佳答案
这可以通过使用无服务器框架的环境变量来完成。
无服务器.yml
service: sample
provider:
name: aws
stage: ${opt:stage,"dev"}
region: ap-northeast-1
custom:
policyChange:
prd: Deny
dev: Allow
resources:
- ${file(iam.yml)}
iam.yml
Resources:
SampleRole:
Type: AWS::IAM::Role
Properties:
RoleName: SampleRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: SamplePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: '${self:custom.policyChange.${self:provider.stage}}'
Resource: "*"
Action:
- sqs:*
关于amazon-web-services - Cloudformation 更新堆栈名称或环境的堆栈策略条件,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/67124744/