AWS CloudFormation StackSets: specifying the order in which stack instances run

Time: 2021-05-07 17:22:19

Tags: amazon-web-services amazon-cloudformation

I have the following CloudFormation YAML. It creates a role in the UserRootAccount, also creates a role in every account that is not the UserRootAccount, and allows the UserRootAccount to assume the role in those child accounts.

The problem is that there is no way to control the order of the accounts in which the stack instances run.

If the first account to run happens to be the UserRootAccount, it works fine, but if AWS picks any other account to run first, it fails with the error

ResourceLogicalId: EbsSnapshotAgeReportingLambdaRole, ResourceType: AWS::IAM::Role, ResourceStatusReason: Invalid principal in policy:

I can see there is a way to specify the order of regions, but that does not help, because our main account and the child accounts all run their stack instances in the same region.

Is there any way to specify the order of accounts?

Currently I check list_stack_instances for items whose item['StatusReason'] contains an "Invalid principal in policy" error, and if it was thrown from an account other than the main account, I keep retrying until it picks the main account to update first and then completes. But this is awful.

Description: "Deployment testing"
Parameters:
  UserRootAccount:
    Type: String
    MinLength: 12
    MaxLength: 12
    Default: "000000000000" # DO NOT CHANGE
    AllowedPattern: "[0-9]{12}"
    Description: AWS account serving as root account

Conditions:
  IsNotMgmtAccount: !Not [!Equals [ !Ref "AWS::AccountId", !Ref UserRootAccount ]]
  IsMgmtAccount: !Equals [ !Ref "AWS::AccountId", !Ref UserRootAccount ]

Resources:

    RootEbsSnapshotAgeReportingLambdaRole:
      Type: AWS::IAM::Role
      Condition: IsMgmtAccount
      Properties:
        RoleName: 'test-old-snapshots-managment-role-16'
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            -
              Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action:
                - sts:AssumeRole
        Policies:
          -
            PolicyName: 'snapshot-age-role-policy'
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                -
                  Effect: Allow
                  Action:
                    - 'logs:CreateLogStream'
                    - 'ec2:DescribeRegions'
                    - 'ec2:DescribeVolumes'
                    - 'ebs:ListSnapshotBlocks'
                    - 'ec2:DescribeSnapshots'
                    - 'logs:CreateLogGroup'
                    - 'logs:PutLogEvents'
                    - 'ebs:ListChangedBlocks'
                    - 'ebs:GetSnapshotBlock'
                  Resource: '*'
          -
            PolicyName: 'sts-snapshot-age-role-policy'
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                -
                  Effect: Allow
                  Action:
                    - 'sts:AssumeRole'
                  Resource: 'arn:aws:iam::*:role/test-old-snapshots-role'
    EbsSnapshotAgeReportingLambdaRole:
      Type: AWS::IAM::Role
      Condition: IsNotMgmtAccount
      Properties:
        RoleName: 'test-old-snapshots-role'
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            -
              Effect: Allow
              Principal:
                AWS:
                  - !Sub 'arn:aws:iam::${UserRootAccount}:role/test-old-snapshots-managment-role-16'
              Action:
                - sts:AssumeRole
        Policies:
          -
            PolicyName: 'snapshot-age-role-policy'
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                -
                  Effect: Allow
                  Action:
                    - 'logs:CreateLogStream'
                    - 'ec2:DescribeRegions'
                    - 'ec2:DescribeVolumes'
                    - 'ebs:ListSnapshotBlocks'
                    - 'ec2:DescribeSnapshots'
                    - 'logs:CreateLogGroup'
                    - 'logs:PutLogEvents'
                    - 'ebs:ListChangedBlocks'
                    - 'ebs:GetSnapshotBlock'
                  Resource: '*'
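One order-independent variant of the child-account trust policy, added here as an example and not part of the question's template: instead of naming the management role directly as the principal (which IAM rejects while that role does not exist yet), it trusts the management account principal, which always exists, and narrows assumption back down to the single management role with an aws:PrincipalArn condition, whose value IAM does not validate for existence. It assumes the same UserRootAccount parameter, IsNotMgmtAccount condition and role names as the template above.

```yaml
  EbsSnapshotAgeReportingLambdaRole:
    Type: AWS::IAM::Role
    Condition: IsNotMgmtAccount
    Properties:
      RoleName: 'test-old-snapshots-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # Trust the management account itself: the account principal exists
            # regardless of whether the management role has been created yet,
            # so this stack instance no longer depends on deployment order.
            Principal:
              AWS: !Sub 'arn:aws:iam::${UserRootAccount}:root'
            Action: sts:AssumeRole
            # Restrict the trust to the one management role. Condition values
            # are not checked for existence when the policy is saved, only
            # evaluated at AssumeRole time, so the role may be created later.
            Condition:
              ArnEquals:
                aws:PrincipalArn: !Sub 'arn:aws:iam::${UserRootAccount}:role/test-old-snapshots-managment-role-16'
      # Identity policies for the role are unchanged from the template above
      # and are omitted here for brevity.
```

Because the trust now rests on the account principal, the management role still needs its own identity-based sts:AssumeRole permission on the child role, which the sts-snapshot-age-role-policy in the template above already grants.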

0 answers:

No answers