
Je dois automatiser cette ligne `"AWS": "arn:aws:iam::684821578293:user/jenkins"` dans mon modèle CloudFormation, mais en utilisant Fn::Join cela ne fonctionne pas. Quelqu'un peut-il m'aider ? Comment utiliser un principal AWS construit à partir d'un paramètre référencé (Ref) dans CloudFormation ?

Le modèle qui fonctionne est ci-dessous ; vous pouvez utiliser les valeurs ci-dessous pour la liste des paramètres.

StackName: Test

CreateCodeDeployRole: false, CreateECSRole: false, CreateJenkinsRole: true, CustomerPrefix: kfc (n'importe quel nom), Environment: dt, GroupName: sogetiadmin, RoleName: Jenkins_Tool_Access, UserName: jenkins

https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_working.json

Problème:

Mais dès que, dans le modèle qui fonctionne, je remplace l'entrée `"AWS": "arn:aws:iam::684821578293:mode/admin"` par `"AWS": "arn:aws:iam::684821578293:user/jenkins"`, cela ne fonctionne plus.

J'ai essayé avec la fonction Fn::Join et l'utilisateur Jenkins, mais cela ne fonctionne pas ; vous pouvez voir ce JSON ci-dessous.

https://s3.amazonaws.com/linuxblogger-k8s-state/iamcreation_not_working.json



{ "AWSTemplateFormatVersion": "2010-09-09",

"Description" : "IAM groups and account-wide role configurations", 

"Parameters" : { 
    "CustomerPrefix" : { 
     "Type" : "String", 
     "Default" : "testcust", 
     "Description" : "Enter Customer Prefix" 
    }, 

    "Environment" : { 
     "Type" : "String", 
     "Default" : "dt", 
     "Description" : "Enter Environment (Input Format - d=development, t=test, a=acceptance, p=production, dt=devtest, ap=acceptanceproduction)", 
     "AllowedValues" : [ 
      "d", 
      "t", 
      "a", 
      "p", 
      "dt", 
      "ap" 
     ] 
    }, 


    "CreateCodeDeployRole" : { 
     "Type"     : "String", 
     "Default"    : "true", 
     "Description"   : "Whether a role should be created for use with AWS CodeDeploy", 
     "AllowedValues"   : ["true", "false"], 
     "ConstraintDescription" : "Must be true or false." 
    }, 


    "CreateECSRole" : { 
     "Type"     : "String", 
     "Default"    : "true", 
     "Description"   : "Whether a role should be created for use with AWS EC2 Container Service", 
     "AllowedValues"   : ["true", "false"], 
     "ConstraintDescription" : "Must be true or false." 
    }, 

    "CreateJenkinsRole" : { 
     "Type"     : "String", 
     "Default"    : "true", 
     "Description"   : "Whether a role should be created for use with AWS Jenkins Service", 
     "AllowedValues"   : ["true", "false"], 
     "ConstraintDescription" : "Must be true or false." 
    }, 


    "UserName" : { 
    "Type"     : "String", 
    "Default"    : "jenkins", 
    "Description"   : "Please Provide Name of the IAM user"  
    }, 

    "RoleName" : { 
    "Type"     : "String", 
    "Default"    : "Jenkins_Tool_Access", 
    "Description"   : "Please Provide Name of the IAM Role"  
    }, 

    "GroupName" : { 
    "Type"     : "String", 
    "Default"    : "sogetiadmin", 
    "Description"   : "Please Provide Name of the IAM Group"  
    } 
}, 


"Conditions" :{ 
    "IsDev" : { 
     "Fn::Equals" : [ { "Ref" : "Environment" }, "dev" ] 
    }, 
    "IsQet" : { 
     "Fn::Equals" : [ { "Ref" : "Environment" }, "qet" ] 
    }, 
    "IsStg" : { 
     "Fn::Equals" : [ { "Ref" : "Environment" }, "stg" ] 
    }, 
    "IsPrd" : { 
     "Fn::Equals" : [ { "Ref" : "Environment" }, "prd" ] 
    }, 

    "CreateCodeDeployRole" : { 
     "Fn::Equals" : [ { "Ref" : "CreateCodeDeployRole" }, "true" ] 
    }, 


    "CreateECSRole" : { 
     "Fn::Equals" : [ { "Ref" : "CreateECSRole" }, "true" ] 
    }, 

    "CreateJenkinsRole" : { 
     "Fn::Equals" : [ { "Ref" : "CreateJenkinsRole" }, "true" ] 
    } 

}, 

"Resources" : { 

    "AWSCodeDeployRole" : { 
     "Type" : "AWS::IAM::Role", 
     "Condition" : "CreateCodeDeployRole", 
     "Properties" : { 
      "AssumeRolePolicyDocument": { 
       "Statement": [ 
        { 
         "Effect": "Allow", 
         "Principal": { 
          "Service": { 
           "Fn::Join": [ 
            ".", 
            [ 
             "codedeploy", 
             { "Ref" : "AWS::Region" }, 
             "amazonaws.com" 
            ] 
           ] 
          } 
         }, 
         "Action": "sts:AssumeRole" 
        } 
       ] 
      }, 

      "Policies" : [ 
       { 
        "PolicyName" : "AWSCodeDeployPolicy", 
        "PolicyDocument" : { 
         "Statement": [ 
          { 
           "Action": [ 
            "autoscaling:PutLifecycleHook", 
            "autoscaling:DeleteLifecycleHook", 
            "autoscaling:RecordLifecycleActionHeartbeat", 
            "autoscaling:CompleteLifecycleAction", 
            "autoscaling:DescribeAutoscalingGroups", 
            "autoscaling:PutInstanceInStandby", 
            "autoscaling:PutInstanceInService", 
            "ec2:Describe*" 
           ], 
           "Effect": "Allow", 
           "Resource": "*" 
          }, 
          { 
           "Action": [ 
            "s3:Get*", 
             "s3:List*" 
           ], 
           "Effect": "Allow", 
           "Resource": { 
            "Fn::Join": [ 
             "-", 
             [ 
              "arn:aws:s3:::deployments", 
              { "Ref" : "CustomerPrefix" }, 
              { "Ref" : "Environment" }, 
              "/artifacts/projects/*" 
             ] 
            ] 
           } 
          } 
         ] 
        } 
       } 
      ] 
     } 
    }, 

     "JenkinsUser" : { 
     "Type" : "AWS::IAM::User", 
     "Condition" : "CreateJenkinsRole", 
     "Properties" : { 
     "UserName" : { "Ref" : "UserName" }, 
      "ManagedPolicyArns": 
       [ 
        "arn:aws:iam::aws:policy/AdministratorAccess" 
       ] 
     } 
    },  




     "AWSJenkinsServiceRole" : { 
     "Type": "AWS::IAM::Role", 
     "Condition" : "CreateJenkinsRole", 
     "DependsOn" : "JenkinsUser", 
     "Properties" : { 
      "RoleName": { "Ref" : "RoleName" }, 
      "AssumeRolePolicyDocument": { 
       "Statement": [ 
      { 
      "Sid": "", 
      "Effect": "Allow", 
      "Principal": { 
      "Service": "cloudformation.amazonaws.com" 
      }, 
      "Action": "sts:AssumeRole" 
     }, 
     { 
     "Sid": "", 
     "Effect": "Allow", 
     "Principal": { 
     "AWS": { "Fn::Join" : [ "/", [ "arn:aws:iam::684821578293:user", { "Ref" : "UserName" } ]]}, 
     "Service": "cloudformation.amazonaws.com" 
     }, 

     "Action": "sts:AssumeRole" 
     }] 
     }, 
     "ManagedPolicyArns": 
       [ 
        "arn:aws:iam::aws:policy/AdministratorAccess" 
       ] 

    } 
}, 

     "JenkinsUserAccessKey" : { 
     "Type" : "AWS::IAM::AccessKey", 
     "Properties" : { 
     "UserName" : { "Ref" : "JenkinsUser" } 
     } 
    }, 

     "ServiceAccountsGroup" : { 
     "Type": "AWS::IAM::Group", 
     "Properties" : { 
     "GroupName" : { "Ref" : "GroupName" } 

    } 

    }, 

    "UserToGroupAddition" : { 
    "Type": "AWS::IAM::UserToGroupAddition", 
    "Properties" : { 
    "GroupName" : { "Ref" : "ServiceAccountsGroup" }, 
    "Users" : [ { "Ref" : "UserName" } ] 

    } 

}  
}, 

    "Outputs" : { 

    "JenkinsUserAccessKey" : { 
     "Description" : "The access key for the Jenkins user", 
     "Value"  : { "Ref" : "JenkinsUserAccessKey" } 
    }, 

    "JenkinsUserSecret" : { 
     "Description" : "The secret key for the Jenkins user", 
     "Value"  : { "Fn::GetAtt" : [ "JenkinsUserAccessKey", "SecretAccessKey" ] } 
    } 
} 

}