如何在AWS CDK中使用伪参数?

时间:2019-12-10 05:16:17

标签: python amazon-web-services amazon-cloudformation aws-cdk

嗨,我正在使用python开发AWS CDK。我正在创建政策文件。以前,我为相同的策略编写了云形成模板,并且运行良好。以下是云形成策略。 

MWSECSServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs.amazonaws.com]
            Action: ['sts:AssumeRole']
      Path: /
      Policies:
        - PolicyName: "ecs-service-role"
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
                  - elasticloadbalancing:DeregisterTargets
                  - elasticloadbalancing:RegisterInstancesWithLoadBalancer
                  - elasticloadbalancing:RegisterTargets
                # yamllint disable-line rule:line-length
                Resource:
                  # yamllint disable-line rule:line-length
                  - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*'
                  # yamllint disable-line rule:line-length
                  - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener-rule/app/mws-*'
                  # yamllint disable-line rule:line-length
                  - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener/app/mws-*'
                  # yamllint disable-line rule:line-length
                  - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:targetgroup/mws-*'

              - Effect: Allow
                Action:
                  - ec2:Describe*
                  - ec2:AuthorizeSecurityGroupIngress
                  - elasticloadbalancing:Describe*
                Resource: '*'

现在,我正在如下编写AWS CDK。 

 MWSECSServiceRole = iam.Role(self, 'MWSECSServiceRole',
          assumed_by=new ServicePrincipal('ecs.amazonaws.com'))

        MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        resources=["arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*","arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener-rule/app/mws-*","arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener/app/mws-*","arn:aws:elasticloadbalancing:*:${AWS::AccountId}:targetgroup/mws-*"],
        actions=["elasticloadbalancing:DeregisterInstancesFromLoadBalancer","elasticloadbalancing:DeregisterTargets","elasticloadbalancing:RegisterInstancesWithLoadBalancer","elasticloadbalancing:RegisterTargets"]
        ))

        MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        resources=["*"],
        actions=["ec2:AuthorizeSecurityGroupIngress","ec2:Describe*","elasticloadbalancing:Describe*"]
        ))

这将生成例如arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*的资源,但我需要的是- !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*'。那么如何在AWS CDK中使用!Sub?有人可以帮我吗?

1 个答案:

答案 0 :(得分:0)

因此,我直到最近才开始将AWS CDK与Python结合使用。以为只要有帮助,我就会回答

我们正在使用CDK迁移现有的cfn模板,我们想利用代码抽象和馈入参数来生成cfn模板。

我遇到了同样的问题,并做了以下事情:

导入核心:

from aws_cdk import (
    core
)

在CDK类之外声明CDK Function对象:

Fn = core.Fn

在您的CDK类中,创建一个类似于以下内容的函数:

def checkFnSubRequired(self, content):
    if re.search(r'\${.*}', content):
        return Fn.sub(content)
    else:
        return content

该函数使您可以获取可能需要替换的任何字符串并返回替换的对象,例如:

resources=["arn:aws:elasticloadbalancing:*:${AWS::AccountId}"]

更改为以下内容:

resources=[self.checkFnSubRequired("arn:aws:elasticloadbalancing:*:${AWS::AccountId}")]
相关问题
最新问题