2017-01-19 32 views

Environment condition on an AWS CloudFormation SES role

I want to make a reusable CloudFormation template and do something conditional: if the Environment parameter is "test" (or any environment other than "prod"), SES email should only be sent to Gmail accounts (i.e. company accounts), but for "prod" SES email can be sent anywhere. Do I need to create two different roles, each with its own condition? Or is there a way to do this within the single role below? Thanks for your help!

    Parameters:

      Environment:
        Description: Environment, which can be "test", "stage", "prod", etc.
        Type: String

    Resources:

      Role:
        Type: AWS::IAM::Role
        Properties:
          RoleName: myRole
          Path: /
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Principal:
                  Service:
                    - "ecs.amazonaws.com"
                Action:
                  - "sts:AssumeRole"
          Policies:
            -
              PolicyName: "ses-policy"
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  -
                    Effect: "Allow"
                    Action:
                      - "ses:SendEmail"
                      - "ses:SendRawEmail"
                    Resource: "*"
                    Condition:
                      "ForAllValues:StringLike":
                        "ses:Recipients":
                          - "*@gmail.com"

Answer


Conditions are well suited to adding this kind of conditional logic to CloudFormation resource properties. In your example, you can use the Fn::If intrinsic function to include the existing policy Condition (not to be confused with a CloudFormation Condition!) when the environment is not prod, and AWS::NoValue when it is prod (which removes the policy Condition entirely for the prod environment):

    Parameters:
      Environment:
        Description: Environment, which can be "test", "stage", "prod", etc.
        Type: String
        AllowedValues: [test, stage, prod]
    Conditions:
      IsProdEnvironment: !Equals [ !Ref Environment, prod ]
    Resources:
      Role:
        Type: AWS::IAM::Role
        Properties:
          RoleName: myRole
          Path: /
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Principal:
                  Service:
                    - "ecs.amazonaws.com"
                Action:
                  - "sts:AssumeRole"
          Policies:
            -
              PolicyName: "ses-policy"
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  -
                    Effect: "Allow"
                    Action:
                      - "ses:SendEmail"
                      - "ses:SendRawEmail"
                    Resource: "*"
                    Condition: !If
                      - IsProdEnvironment
                      - !Ref AWS::NoValue
                      - "ForAllValues:StringLike":
                          "ses:Recipients":
                            - "*@gmail.com"
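To check that the Fn::If / AWS::NoValue trick in the answer actually yields the intended policy before deploying it, the following added example (not part of the original question or answer) resolves the template's intrinsics for each Environment value and then models how IAM evaluates the resulting ForAllValues:StringLike condition against a recipient list. The template is a constructed JSON-form copy of the answer's YAML (the AssumeRolePolicyDocument is left out because it does not affect the SES permission); the resolver and the policy evaluator are illustrative stand-ins, not AWS code.

```python
"""Resolve the answer's template for each Environment value and check which
recipient lists the resulting ses-policy would allow SES to send to."""
import re

NO_VALUE = object()  # stands in for AWS::NoValue: the enclosing key is dropped

# Constructed JSON-form equivalent of the answer's YAML (assumption: same content).
TEMPLATE = {
    "Parameters": {
        "Environment": {"Type": "String", "AllowedValues": ["test", "stage", "prod"]},
    },
    "Conditions": {
        "IsProdEnvironment": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]},
    },
    "Resources": {
        "Role": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [{
                    "PolicyName": "ses-policy",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
                            "Resource": "*",
                            "Condition": {"Fn::If": [
                                "IsProdEnvironment",
                                {"Ref": "AWS::NoValue"},
                                {"ForAllValues:StringLike": {"ses:Recipients": ["*@gmail.com"]}},
                            ]},
                        }],
                    },
                }],
            },
        },
    },
}


def resolve(node, params, conditions):
    """Evaluate Ref, Fn::Equals and Fn::If the way CloudFormation does, and drop
    any mapping key whose value resolves to AWS::NoValue."""
    if isinstance(node, dict):
        if len(node) == 1:
            (key, arg), = node.items()
            if key == "Ref":
                return NO_VALUE if arg == "AWS::NoValue" else params[arg]
            if key == "Fn::Equals":
                left, right = (resolve(x, params, conditions) for x in arg)
                return left == right
            if key == "Fn::If":
                name, if_true, if_false = arg
                taken = resolve(conditions[name], params, conditions)
                return resolve(if_true if taken else if_false, params, conditions)
        out = {}
        for key, value in node.items():
            resolved = resolve(value, params, conditions)
            if resolved is not NO_VALUE:
                out[key] = resolved
        return out
    if isinstance(node, list):
        return [resolve(x, params, conditions) for x in node]
    return node


def render_policy(environment):
    """Return the ses-policy PolicyDocument as it would be attached for `environment`."""
    allowed = TEMPLATE["Parameters"]["Environment"]["AllowedValues"]
    if environment not in allowed:
        raise ValueError(f"Environment must be one of {allowed}")
    resources = resolve(TEMPLATE["Resources"], {"Environment": environment}, TEMPLATE["Conditions"])
    return resources["Role"]["Properties"]["Policies"][0]["PolicyDocument"]


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' matches any run, '?' matches one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def allows_send(policy, action, recipients):
    """Model the Allow decision for one SES call (no explicit Deny exists here).
    ForAllValues:StringLike requires every recipient to match at least one pattern;
    as IAM documents, an empty value set also evaluates to true."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        patterns = stmt.get("Condition", {}).get("ForAllValues:StringLike", {}).get("ses:Recipients")
        if patterns is None:
            return True
        if all(any(string_like(p, r) for p in patterns) for r in recipients):
            return True
    return False


if __name__ == "__main__":
    for env in ("test", "prod"):
        print(env, render_policy(env)["Statement"][0].get("Condition", "(no Condition: any recipient)"))
```

Running it prints the resolved Condition for test and its absence for prod. Two caveats the template itself does not express: "*@gmail.com" restricts only the domain, so any Gmail mailbox qualifies, not just company accounts, and narrowing it means listing the company's own domain or addresses instead; and after deployment the policy CloudFormation actually attached can be read back with `aws iam get-role-policy --role-name myRole --policy-name ses-policy` to confirm the Condition is present or absent as expected.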