How do I create an IAM policy with sparkleformation?

Time: 2017-11-08 20:47:04

Tags: amazon-web-services amazon-cloudformation

I am trying to create an IAM policy with sparkleformation, but I don't know which dynamic to call, and I'm not sure my template is formatted correctly. Sparkleformation also gives almost nothing in the way of error messages, which only makes debugging harder.

Here is the policy I want to create in sparkleformation:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "ec2:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Here is the template I currently have to create this:

SparkleFormation.new(:my_policy, :provider => :aws) do
  AWSTemplateFormatVersion '2010-09-09'
  description 'my policy'

  dynamic!(:aws_iam_policy, :test_group) do
    properties do
      policies array!(
        -> {
          policy_name "mypolicy"
          policy_document do
            version "2012-10-17"
            statement do
              effect "Allow"
              resource "*"
              action array!(
                "s3:Get*",
                "s3:List*",
                "ec2:*"
              )
            end
          end
        }
      )
    end
  end
end

Running this gives the following error:

$ bundle exec sfn create test --file sparkleformation/templates/my-policy.rb 
[Sfn]: Callback template stack_policy: starting
[Sfn]: Callback template stack_policy: complete
[Sfn]: SparkleFormation: create
[Sfn]:   -> Name: test
[Sfn]: Events for Stack: test
Time                      Resource Logical Id   Resource Status      Resource Status Reason
2017-11-08 20:36:24 UTC   test                  CREATE_IN_PROGRESS   User Initiated
2017-11-08 20:36:28 UTC   TestGroupIamPolicy    CREATE_FAILED        Encountered unsupported property Policies
2017-11-08 20:36:29 UTC   test                  CREATE_FAILED        The following resource(s) failed to create: [TestGroupIamPolicy].
[FATAL]: Create of new stack test: FAILED
ERROR: RuntimeError: Stack did not reach a successful completion state.

1 answer:

Answer 0 (score: 0)

This is the correct structure. Note that, unlike a role or a group, you don't set a policies array, just the document. Also, a policy cannot be created on its own; it has to be attached to something by setting at least one value in the roles, groups and/or users arrays:

SparkleFormation.new(:my_policy, :provider => :aws) do
  AWSTemplateFormatVersion '2010-09-09'
  description 'my policy'

  dynamic!(:aws_iam_policy, :test_group) do
    # resource properties go under properties, as in the question's template;
    # only the Policies array is dropped
    properties do
      # at least one of roles, groups, users must be set
      roles array!(
        "role1",
        "other-role"
      )

      users array!(
        "myuser"
      )

      policy_name "mypolicy"
      policy_document do
        version "2012-10-17"
        statement do
          effect "Allow"
          resource "*"
          action array!(
            "s3:Get*",
            "s3:List*",
            "ec2:*"
          )
        end
      end
    end
  end
end
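The answer's point is that AWS::IAM::Policy takes PolicyName, PolicyDocument and at least one of Roles, Groups or Users, and that Policies (the array the question used) belongs on AWS::IAM::Role, Group or User instead. The following Ruby script is an added example, not code from the question, the answer or the SparkleFormation project: it builds the CloudFormation JSON the corrected template is expected to compile to, checks it against that property set so the "Encountered unsupported property Policies" failure is caught before a stack is created, and flags the `ec2:*` on `*` grant that a reviewer would question. The function names, the sample role and user names and the policy statement are assumptions constructed for the example.

```ruby
require 'json'

# Added example (not from the original post or SparkleFormation): plain Ruby
# that models the AWS::IAM::Policy resource the corrected template compiles to.

# Properties CloudFormation accepts on AWS::IAM::Policy.
IAM_POLICY_PROPERTIES = %w[PolicyName PolicyDocument Roles Groups Users].freeze

# Version string IAM policy documents must carry; "2010-09-09" is the
# AWSTemplateFormatVersion of a CloudFormation template, not a policy version.
IAM_POLICY_VERSION = '2012-10-17'

# Build the resource hash; Roles/Groups/Users are only emitted when non-empty,
# which mirrors setting the corresponding array! in the SparkleFormation DSL.
def iam_policy_resource(policy_name:, statements:, roles: [], groups: [], users: [])
  props = {
    'PolicyName' => policy_name,
    'PolicyDocument' => {
      'Version' => IAM_POLICY_VERSION,
      'Statement' => statements
    }
  }
  props['Roles'] = roles unless roles.empty?
  props['Groups'] = groups unless groups.empty?
  props['Users'] = users unless users.empty?
  { 'Type' => 'AWS::IAM::Policy', 'Properties' => props }
end

# Return a list of problems; empty means the resource would pass the checks
# behind the CREATE_FAILED events shown in the question.
def validate_iam_policy(resource)
  return ['resource Type is not AWS::IAM::Policy'] unless resource['Type'] == 'AWS::IAM::Policy'
  problems = []
  props = resource['Properties'] || {}
  (props.keys - IAM_POLICY_PROPERTIES).each do |key|
    problems << "Encountered unsupported property #{key}"
  end
  problems << 'PolicyName is required' unless props['PolicyName']
  doc = props['PolicyDocument']
  if doc.nil?
    problems << 'PolicyDocument is required'
  else
    problems << "PolicyDocument Version must be #{IAM_POLICY_VERSION}" unless doc['Version'] == IAM_POLICY_VERSION
    stmts = doc['Statement']
    stmts = [stmts] if stmts.is_a?(Hash) # IAM accepts a single statement object
    problems << 'PolicyDocument needs at least one Statement' if stmts.nil? || stmts.empty?
  end
  if %w[Roles Groups Users].none? { |k| props[k].is_a?(Array) && !props[k].empty? }
    problems << 'at least one of Roles, Groups or Users must be set'
  end
  problems
end

# Least-privilege check: list Allow actions of the form service:* (or *) that
# apply to Resource "*". The question's policy grants ec2:* this way.
def wildcard_grants(resource)
  doc = resource.dig('Properties', 'PolicyDocument') || {}
  stmts = doc['Statement']
  stmts = [stmts] if stmts.is_a?(Hash)
  Array(stmts).each_with_object([]) do |s, found|
    next unless s['Effect'] == 'Allow' && Array(s['Resource']).include?('*')
    Array(s['Action']).each { |a| found << a if a == '*' || a.end_with?(':*') }
  end
end

if __FILE__ == $PROGRAM_NAME
  # What the question's first attempt amounts to: Policies is not a property
  # of AWS::IAM::Policy, so the stack fails at resource creation.
  broken = { 'Type' => 'AWS::IAM::Policy', 'Properties' => { 'Policies' => [] } }
  puts validate_iam_policy(broken)

  # The corrected resource, using the role and user names from the answer.
  fixed = iam_policy_resource(
    policy_name: 'mypolicy',
    statements: [{ 'Effect' => 'Allow',
                   'Action' => ['s3:Get*', 's3:List*', 'ec2:*'],
                   'Resource' => ['*'] }],
    roles: ['role1', 'other-role'],
    users: ['myuser']
  )
  puts JSON.pretty_generate('Resources' => { 'TestGroupIamPolicy' => fixed })
  puts "wildcard grants: #{wildcard_grants(fixed).inspect}"
end
```

Run it with `ruby iam_policy_check.rb` (the file name is arbitrary). The validator reproduces the unsupported-property message from the stack events and also reports the missing attachment that the answer warns about; `wildcard_grants` returns `["ec2:*"]` for the policy in the question, which is worth narrowing to the EC2 actions the role or user actually needs before it is attached.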