New role/policy with CloudFormation | Malformed policy document

Time: 2018-09-05 10:00:59

Tags: amazon-web-services yaml amazon-cloudformation

I am trying to create a new role and a policy using CloudFormation.

When deploying it, I get the following error:

Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 848a408e-b0f1-11e8-90b6-cf2a19d18ad2)

AWSTemplateFormatVersion: 2010-09-09
Description: >
  AWS CloudFormation Template
Parameters:
  StackName:
    Type: String
    Description: stack test
    Default: stackTest
  DclEnvironment:
    Type: String
    Description: Env
    AllowedValues:
      - test
      - dev
      - stage
      - prod
    Default: dev
  Domain:
    Type: String
    Description: Private Domain name
    Default: int.mydomain.com
  VpcId:
    Type: AWS::EC2::VPC::Id
    Default: xxxx
  AppAmiId:
    Type: AWS::EC2::Image::Id
    Description: Ec2 AMI ID
    Default: ami-XXXX
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Key Name
    Default: xxxx
  SecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-separated list of existing security group IDs in your VPC
    Default: sg-xxxx
  SubnetA:
    Description: Subnet from AZ a
    Type: String
    Default: subnet-xxxxx
  SubnetB:
    Description: Subnet from AZ b
    Type: String
    Default: subnet-xxxx
  SubnetC:
    Description: Subnet from AZ c
    Type: String
    Default: subnet-xxxx
  DbSubnetGroupA:
    Type: String
    Description: Subnet from AZ A
    Default: subnet-xxxx
  DbSubnetGroupB:
    Type: String
    Description: Subnet from AZ B
    Default: subnet-xxxxx
  DbSubnetGroupC:
    Type: String
    Description: Subnet from AZ C
    Default: subnet-xxxxx
Resources:
  monitoringRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
      - "-"
      - - !Ref DclEnvironment
        - "iam-01"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
            - ec2.amazonaws.com
      Path: "/"
  policyEC2Monitoring:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Join
      - "-"
      - - !Ref DclEnvironment
        - "policy-01"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - ec2:Describe*
          Ressource: "*"
        - Effect: Allow
          Action:
          - elasticloadbalancing:Describe*
          Ressource: "*"
        - Effect: Allow
          Action:
          - cloudwatch:ListMetrics*
          - cloudwatch:GetMetricStatistics
          - cloudwatch:Describe*
          Ressource: "*"
        - Effect: Allow
          Action:
          - autoscaling:Describe*
          Ressource: "*"
      Roles:
      - !Ref monitoringRole
  instanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Join
      - "-"
      - - !Ref DclEnvironment
        - "inp-01"
      Path: "/"
      Roles:
      - !Ref monitoringRole

Thanks in advance,

Fas3r.

EDIT: if there is more than 1 action, the Resource should be enclosed in ["*"]; when there is one action, no line break is needed and it can be written as: Action: actionName

br.

1 answer:

Answer 0 (score: 0)

The error says that your YAML syntax is invalid.

You can use a web tool such as http://www.yamllint.com/ to track down syntax problems.

Here is the YAML file with correct syntax:

AWSTemplateFormatVersion: 2010-09-09
Description: >
  AWS CloudFormation Template
Parameters:
  StackName:
    Type: String
    Description: stack test
    Default: stackTest
  DclEnvironment:
    Type: String
    Description: Env
    AllowedValues:
      - test
      - dev
      - stage
      - sbox
      - prod
    Default: dev
  DclPod:
    Type: String
    Description: Pod Name
    Default: enel
  DclService:
    Type: String
    Description: Pod Name
    Default: monitoring
  Domain:
    Type: String
    Description: Private Domain name
    Default: int.mydomain.com
  VpcId:
    Type: AWS::EC2::VPC::Id
    Default: vpc-4ac3bb21
  AppAmiId:
    Type: AWS::EC2::Image::Id
    Description: Ec2 AMI ID
    Default: ami-XXXX
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Key Name
    Default: c3-kp-01
  SecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-separated list of existing security group IDs in your VPC
    Default: sg-07f5186b
  SubnetA:
    Description: Subnet from AZ a
    Type: String
    Default: subnet-7d576316
  SubnetB:
    Description: Subnet from AZ b
    Type: String
    Default: subnet-496a0834
  SubnetC:
    Description: Subnet from AZ c
    Type: String
    Default: subnet-7d576316
  DbSubnetGroupA:
    Type: String
    Description: Subnet from AZ A
    Default: subnet-1154607a
  DbSubnetGroupB:
    Type: String
    Description: Subnet from AZ B
    Default: subnet-3d650740
  DbSubnetGroupC:
    Type: String
    Description: Subnet from AZ C
    Default: subnet-4d027e00
Resources:
  monitoringRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
      - "-"
      - - !Ref DclEnvironment
        - !Ref DclPod
        - !Ref DclService
        - "iam-01"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
            - ec2.amazonaws.com
      Path: "/"
  policyEC2Monitoring:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Join
      - "-"
      - - !Ref DclEnvironment
        - !Ref DclPod
        - !Ref DclService
        - "policy-01"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        # IAM only accepts the key "Resource" (one "s"); "Ressource" is rejected as MalformedPolicyDocument
        - Effect: Allow
          Action:
          - ec2:Describe*
          Resource: "*"
        - Effect: Allow
          Action:
          - elasticloadbalancing:Describe*
          Resource: "*"
        - Effect: Allow
          Action:
          - cloudwatch:ListMetrics*
          - cloudwatch:GetMetricStatistics
          - cloudwatch:Describe*
          Resource: "*"
        - Effect: Allow
          Action:
          - autoscaling:Describe*
          Resource: "*"
      Roles:
      - !Ref monitoringRole
  instanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Join
      - "-"
      - - !Ref DclEnvironment
        - !Ref DclPod
        - !Ref DclService
        - "inp-01"
      Path: "/"
      Roles:
      - !Ref monitoringRole

Hope this helps.
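A YAML linter only checks that the template parses; a MalformedPolicyDocument error comes from IAM rejecting the policy's content. The check below is an added example (not code from the question or the answer): it validates each statement's keys against the ones IAM accepts and flags the misspelled `Ressource` key, using a constructed dict copy of the PolicyDocument from the template above.

```python
"""Check IAM policy statements for keys IAM will reject.
Added example, not code from the question or answer; BROKEN_POLICY is a
constructed dict mirroring the PolicyDocument of the template above."""
import copy
import difflib
from typing import Any

# The statement-level keys IAM accepts; note "Resource" has a single "s".
ALLOWED_STATEMENT_KEYS = sorted({"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                                 "NotAction", "Resource", "NotResource", "Condition"})

def lint_policy_document(doc: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the document passed."""
    findings: list[str] = []
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written as a mapping
        statements = [statements]
    for i, stmt in enumerate(statements):
        for key in stmt:
            if key not in ALLOWED_STATEMENT_KEYS:
                close = difflib.get_close_matches(key, ALLOWED_STATEMENT_KEYS, n=1, cutoff=0.8)
                hint = f" (did you mean {close[0]!r}?)" if close else ""
                findings.append(f"Statement[{i}]: unknown key {key!r}{hint}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"Statement[{i}]: Effect must be Allow or Deny")
        if not (stmt.keys() & {"Action", "NotAction"}):
            findings.append(f"Statement[{i}]: missing Action or NotAction")
        # Identity policies need a Resource; trust policies carry a Principal instead.
        if not (stmt.keys() & {"Resource", "NotResource", "Principal", "NotPrincipal"}):
            findings.append(f"Statement[{i}]: missing Resource or NotResource")
    return findings

def fixed_copy(doc: dict[str, Any]) -> dict[str, Any]:
    """Copy of doc with the misspelled key renamed to the one IAM accepts."""
    fixed = copy.deepcopy(doc)
    for stmt in fixed["Statement"]:
        if "Ressource" in stmt:
            stmt["Resource"] = stmt.pop("Ressource")
    return fixed

BROKEN_POLICY = {  # constructed from the four statements in the template above
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Ressource": "*"},
        {"Effect": "Allow", "Action": ["elasticloadbalancing:Describe*"], "Ressource": "*"},
        {"Effect": "Allow", "Action": ["cloudwatch:ListMetrics*", "cloudwatch:GetMetricStatistics",
                                       "cloudwatch:Describe*"], "Ressource": "*"},
        {"Effect": "Allow", "Action": ["autoscaling:Describe*"], "Ressource": "*"},
    ],
}
```

Running `lint_policy_document(BROKEN_POLICY)` reports the unknown key and the missing Resource for all four statements, while `fixed_copy(BROKEN_POLICY)` passes cleanly.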