AWS CloudFormation environment condition for an SES role

Time: 2017-01-19 23:12:01

Tags: amazon-ses amazon-cloudformation

I'm trying to make a reusable CloudFormation template and want some conditional logic: if the Environment parameter is "test" (or any environment other than "prod"), SES email should only be sent to gmail accounts (i.e. company accounts), but for "prod", SES email should be sent anywhere. Do I have to make two different roles, each with its own condition? Or is there a way to do this inside the single role below? Thanks for your help!

Parameters:

  Environment:
    Description: Environment, which can be "test", "stage", "prod", etc.
    Type: String

Resources:

  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: myRole
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "ecs.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        -
          PolicyName: "ses-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action:
                  - "ses:SendEmail"
                  - "ses:SendRawEmail"
                Resource: "*"
                Condition:
                  "ForAllValues:StringLike":
                    "ses:Recipients":
                      - "*@gmail.com"

1 answer:

Answer 0: (score: 2)

Conditions are well suited to adding this kind of conditional logic to CloudFormation resource properties. In your example, you can use the Fn::If intrinsic function to include the existing policy Condition (not to be confused with CloudFormation Conditions!) when the environment is not prod, and AWS::NoValue otherwise (which removes the policy Condition entirely when the environment is prod):

Parameters:
  Environment:
    Description: Environment, which can be "test", "stage", "prod", etc.
    Type: String
    AllowedValues: [test, stage, prod]
Conditions:
  IsProdEnvironment: !Equals [ !Ref Environment, prod ]
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: myRole
      Path: /
      AssumeRolePolicyDocument:
         Version: "2012-10-17"
         Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "ecs.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        -
          PolicyName: "ses-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action:
                  - "ses:SendEmail"
                  - "ses:SendRawEmail"
                Resource: "*"
                Condition: !If
                - IsProdEnvironment
                - !Ref AWS::NoValue
                - "ForAllValues:StringLike":
                    "ses:Recipients":
                      - "*@gmail.com"
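As an added example (not part of the question or the answer above), the script below renders the answer's Fn::If-gated statement for a given Environment value and then evaluates the resulting "ForAllValues:StringLike" recipient condition the way IAM documents it, so you can check what the template actually permits before deploying it. The template is embedded in CloudFormation's equivalent JSON form; the condition name, policy name and the "*@gmail.com" pattern come from the page, while the helper functions (evaluate_conditions, resolve, render_ses_statement, string_like, send_allowed) are this example's own and only support the intrinsics the answer uses.

```python
"""Render the answer's environment-gated SES policy and evaluate its
recipient condition offline. Example code, not part of the original post;
only Fn::If, Fn::Equals and Ref are supported because that is all the
template needs."""
import re

# The answer's template in CloudFormation JSON form (constructed here),
# trimmed to the parts the SES statement depends on.
TEMPLATE = {
    "Parameters": {"Environment": {"Type": "String",
                                   "AllowedValues": ["test", "stage", "prod"]}},
    "Conditions": {
        "IsProdEnvironment": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]}},
    "Resources": {"Role": {"Type": "AWS::IAM::Role", "Properties": {
        "Policies": [{"PolicyName": "ses-policy", "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": ["ses:SendEmail", "ses:SendRawEmail"],
                "Resource": "*",
                "Condition": {"Fn::If": [
                    "IsProdEnvironment",
                    {"Ref": "AWS::NoValue"},
                    {"ForAllValues:StringLike": {"ses:Recipients": ["*@gmail.com"]}},
                ]},
            }],
        }}],
    }}},
}

NO_VALUE = {"Ref": "AWS::NoValue"}


def evaluate_conditions(template, parameters):
    """Evaluate the Conditions section: Fn::Equals over a Ref or a literal."""
    def value(node):
        if isinstance(node, dict) and "Ref" in node:
            return parameters[node["Ref"]]
        return node

    result = {}
    for name, expr in template.get("Conditions", {}).items():
        left, right = expr["Fn::Equals"]
        result[name] = value(left) == value(right)
    return result


def resolve(node, conditions):
    """Resolve Fn::If recursively; a property whose value resolves to
    AWS::NoValue is dropped, which is how CloudFormation treats it."""
    if isinstance(node, dict):
        if "Fn::If" in node:
            cond_name, if_true, if_false = node["Fn::If"]
            chosen = if_true if conditions[cond_name] else if_false
            return resolve(chosen, conditions)
        out = {}
        for key, val in node.items():
            resolved = resolve(val, conditions)
            if resolved != NO_VALUE:
                out[key] = resolved
        return out
    if isinstance(node, list):
        return [resolve(item, conditions) for item in node]
    return node


def render_ses_statement(template, environment):
    """Return the rendered ses-policy statement for one Environment value."""
    allowed = template["Parameters"]["Environment"]["AllowedValues"]
    if environment not in allowed:
        raise ValueError("Environment must be one of %s" % allowed)
    conditions = evaluate_conditions(template, {"Environment": environment})
    role = resolve(template["Resources"]["Role"], conditions)
    return role["Properties"]["Policies"][0]["PolicyDocument"]["Statement"][0]


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def send_allowed(statement, recipients):
    """Would the rendered Allow statement permit a send to these recipients?
    ForAllValues:StringLike passes when every request value matches some
    pattern; an empty request set also passes, the documented ForAllValues
    behaviour (all([]) is True below)."""
    condition = statement.get("Condition", {})
    patterns = condition.get("ForAllValues:StringLike", {}).get("ses:Recipients")
    if patterns is None:  # no recipient condition at all (the prod rendering)
        return True
    return all(any(string_like(p, r) for p in patterns) for r in recipients)


if __name__ == "__main__":
    for env in ("test", "prod"):
        stmt = render_ses_statement(TEMPLATE, env)
        print(env, "Condition:", stmt.get("Condition"))
        print("  gmail only ->", send_allowed(stmt, ["a@gmail.com", "b@gmail.com"]))
        print("  mixed      ->", send_allowed(stmt, ["a@gmail.com", "c@example.com"]))
```

For test and stage the rendered statement keeps the recipient condition, so a send that includes any non-gmail address is denied, while for prod the Condition key disappears and any recipient is allowed. The empty-list case is included because AWS documents that ForAllValues evaluates to true when the request carries no values for the key; SendEmail and SendRawEmail always carry recipients, so it does not loosen this particular policy, but it is the usual reason to be careful when pairing ForAllValues with an Allow effect.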