2017-01-19 31 views
0

AWS CloudFormation: environment condition for an SES role

I want to make a reusable CloudFormation template and do something conditional: if the Environment parameter is "test" (or any environment other than "prod"), SES email should only be sent to Gmail accounts (i.e. company accounts), but for "prod" SES email should be sent anywhere. Do I need to make two different roles, each with its own condition? Or is there a way to do this within the single role below? Thanks for your help!

Parameters:
  Environment:
    Description: Environment, which can be "test", "stage", "prod", etc.
    Type: String

Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: myRole
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ecs.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "ses-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ses:SendEmail"
                  - "ses:SendRawEmail"
                Resource: "*"
                # IAM policy condition: every recipient must match the pattern
                Condition:
                  "ForAllValues:StringLike":
                    "ses:Recipients":
                      - "*@gmail.com"

Answer

2

Conditions are well suited for adding this kind of conditional logic to CloudFormation resource properties. In your example, you can use the Fn::If intrinsic function to include the existing policy Condition (not to be confused with CloudFormation Conditions!) when the environment is not prod, and AWS::NoValue when it is prod (which removes the policy condition entirely):

Parameters:
  Environment:
    Description: Environment, which can be "test", "stage", "prod", etc.
    Type: String
    AllowedValues: [test, stage, prod]

Conditions:
  # CloudFormation condition (template-level, evaluated at deploy time)
  IsProdEnvironment: !Equals [ !Ref Environment, prod ]

Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: myRole
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ecs.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "ses-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ses:SendEmail"
                  - "ses:SendRawEmail"
                Resource: "*"
                # IAM policy condition (request-level, evaluated by IAM):
                # dropped entirely in prod via AWS::NoValue, kept otherwise
                Condition: !If
                  - IsProdEnvironment
                  - !Ref AWS::NoValue
                  - "ForAllValues:StringLike":
                      "ses:Recipients":
                        - "*@gmail.com"