如何在 AWS CDK PolicyStatement AddAction 方法中嵌套键值对?
How do I nest a KeyValue pair within AWS CDK PolicyStatement AddAction method?
我目前正在尝试使用带有 .NET 应用程序的 AWS CDK 复制另一个开发人员的 powershell 脚本功能。他正在使用 VaporShell 生成 CloudFormation 模板 (YAML)。我把 CloudFormation 模板放在下面(我已经为这个 post 做了很多通用名称)。我放了一个箭头指向让我头疼的键值对。
Resources:
rSNSTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: 'SNS topic'
TopicName: 'SNS Topic'
rSNSPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- !Ref 'rSNSTopic'
PolicyDocument:
Statement:
- Condition:
StringEquals:
AWS:SourceOwner: 'CurrentAcct' <=== This is the key/value pair.
Action:
- SNS:Publish
- SNS:RemovePermission
- SNS:SetTopicAttributes
- SNS:DeleteTopic
- SNS:ListSubscriptionsByTopic
- SNS:GetTopicAttributes
- SNS:Receive
- SNS:AddPermission
- SNS:Subscribe
Resource: !Ref 'rSNSTopic'
Effect: Allow
Sid: Default
Principal:
AWS: '*'
Version: '2012-10-17'
我已经能够使用 C# 应用程序和 AWS CDK 生成另一个 CloudFormation 模板。除了生成我在上面突出显示的键值对之外,它几乎完美地工作。我曾尝试使用一个数组,生成一个新的策略声明对象并在 .NET 中使用 Key/Value 对对象。我将在下面给出这三种尝试中每一种尝试的示例以及相应的输出。有谁知道用上面显示的相同方式生成 key/value 对的方法吗?当然是在 C# 中使用 CDK。
尝试 1:使用字符串数组。
C# 代码(下):
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
var topicPolicyStatement1 = new PolicyStatement(0)
.Describe("Default")
.AddAwsPrincipal("*")
.AddActions("- SNS:Publish\n" +
"- SNS:RemovePermission\n" +
"- SNS:SetTopicAttributes\n" +
"- SNS:DeleteTopic\n" +
"- SNS:ListSubscriptionsByTopic\n" +
"- SNS:GetTopicAttributes\n" +
"- SNS:Receive\n" +
"- SNS:AddPermission\n" +
"- SNS:Subscribe\n")
.AddCondition("StringEquals",
new [] {"AWS:SourceOwner", "pTestAccnt"}) <=== Using an array as the second .AddCondition parameter.
.AddCondition("aws:SourceArn", topic.TopicArn)
.AddResource(topic.TopicArn);
topic.AddToResourcePolicy(topicPolicyStatement1);
topic.AddToResourcePolicy(topicPolicyStatement2);
已生成 key/value 对部分 CloudFormation 模板(下):
Condition:
StringEquals:
- AWS:SourceOwner
- TestAccnt
尝试 2:使用新的策略声明对象。
C# 代码(下):
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
var topicPolicyStatement1 = new PolicyStatement(0)
.Describe("Default")
.AddAwsPrincipal("*")
.AddActions("- SNS:Publish\n" +
"- SNS:RemovePermission\n" +
"- SNS:SetTopicAttributes\n" +
"- SNS:DeleteTopic\n" +
"- SNS:ListSubscriptionsByTopic\n" +
"- SNS:GetTopicAttributes\n" +
"- SNS:Receive\n" +
"- SNS:AddPermission\n" +
"- SNS:Subscribe\n")
.AddCondition("StringEquals",
new PolicyStatement(0).AddCondition("AWS:SourceOwner", "pTestAccnt")) <=== Using a policy statement as the second .AddCondition parameter.
.AddCondition("aws:SourceArn", topic.TopicArn)
.AddResource(topic.TopicArn);
topic.AddToResourcePolicy(topicPolicyStatement1);
topic.AddToResourcePolicy(topicPolicyStatement2);
已生成 key/value 对部分 CloudFormation 模板(下):
Condition:
StringEquals:
Condition: <=== This solution creates a second condition key which throws an error in AWS CloudFormation.
AWS:SourceOwner: TestAccnt <=== This key value pair looks correct.
尝试 3:使用来自 .NETnew 策略语句对象的 Key/Value 对象。
C# 代码(下):
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
var topicPolicyStatement1 = new PolicyStatement(0)
.Describe("Default")
.AddAwsPrincipal("*")
.AddActions("- SNS:Publish\n" +
"- SNS:RemovePermission\n" +
"- SNS:SetTopicAttributes\n" +
"- SNS:DeleteTopic\n" +
"- SNS:ListSubscriptionsByTopic\n" +
"- SNS:GetTopicAttributes\n" +
"- SNS:Receive\n" +
"- SNS:AddPermission\n" +
"- SNS:Subscribe\n")
.AddCondition("StringEquals",
new KeyValuePair<string, string>("AWS:SourceOwner", "pTestAccnt")) <=== Using a policy statement as the second .AddCondition parameter.
.AddCondition("aws:SourceArn", topic.TopicArn)
.AddResource(topic.TopicArn);
topic.AddToResourcePolicy(topicPolicyStatement1);
topic.AddToResourcePolicy(topicPolicyStatement2);
此方法会引发错误。我怀疑它与 JSII 运行时有关 compiling/interpreting 我在 C# 应用程序中使用的 key/value 对对象。
命令行的全部输出(下):
Unhandled Exception: System.ArgumentException: Could not infer JSII type for .NET type 'KeyValuePair`2'
Parameter name: type
at Amazon.JSII.Runtime.Services.Converters.FrameworkToJsiiConverter.InferType(IReferenceMap referenceMap, Type type)
at Amazon.JSII.Runtime.Services.Converters.ValueConverter.ConvertAny(IReferenceMap referenceMap, Object value)
at Amazon.JSII.Runtime.Services.Converters.ValueConverter.TryConvertPrimitive(IReferenceMap referenceMap, Object value, Boolean isOptional, PrimitiveType primitiveType, Object& result)
at Amazon.JSII.Runtime.Services.Converters.ValueConverter.TryConvert(TypeReference typeReference, IReferenceMap referenceMap, Object value, Object& result)
at Amazon.JSII.Runtime.Deputy.DeputyBase.<>c__DisplayClass20_0.<ConvertArguments>b__0(Parameter parameter, Object frameworkArgument)
at System.Linq.Enumerable.ZipIterator[TFirst,TSecond,TResult](IEnumerable`1 first, IEnumerable`1 second, Func`3 resultSelector)+MoveNext()
at System.Collections.Generic.LargeArrayBuilder`1.AddRange(IEnumerable`1 items)
at System.Collections.Generic.EnumerableHelpers.ToArray[T](IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Amazon.JSII.Runtime.Deputy.DeputyBase.<InvokeMethodCore>g__GetResult|18_0[T](<>c__DisplayClass18_0`1& )
at Amazon.JSII.Runtime.Deputy.DeputyBase.InvokeMethodCore[T](JsiiMethodAttribute methodAttribute, Object[] arguments, Func`3 beginFunc, Func`3 invokeFunc)
at Amazon.JSII.Runtime.Deputy.DeputyBase.InvokeInstanceMethod[T](Object[] arguments, String methodName)
at HelloCdk.TestStack..ctor(App parent, String name, IStackProps props) in C:\Users\SomeUser\Documents\git\SomeGITRepo\SingleStackGenerator\src\HelloCdk\TestStack.cs:line 57
at HelloCdk.Program.Main(String[] args) in C:\Users\SomeUser\Documents\git\SomeGITRepo\SingleStackGenerator\src\HelloCdk\Program.cs:line 18
(node:39548) UnhandledPromiseRejectionWarning: Error: EPIPE: broken pipe, write
at Object.writeSync (fs.js:569:3)
at t.SyncStdio.writeBuffer (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:165352)
at t.SyncStdio.writeLine (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:164892)
at t.InputOutput.write (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:164341)
at t.KernelHost.writeError (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:79440)
at i.then.catch.e (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:79101)
(node:39548) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:39548) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
Subprocess exited with error 3762504530
我找到了解决办法。 C# 中的 "dictionary" 对象是完美的,JSII 运行时也可以编译它。
面临同样的问题,解决方案不是很明显...发布最终代码片段:
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
topic.AddToResourcePolicy(new PolicyStatement(
new PolicyStatementProps
{
Principals = new IPrincipal[] { new AnyPrincipal() },
Actions = new []
{
"SNS:Publish",
"SNS:RemovePermission",
"SNS:SetTopicAttributes",
"SNS:DeleteTopic",
"SNS:ListSubscriptionsByTopic",
"SNS:GetTopicAttributes",
"SNS:Receive",
"SNS:AddPermission",
"SNS:Subscribe"
},
Resources = new[] { topic.TopicArn },
Conditions = new Dictionary<string, object>
{
{"StringEquals",
new Dictionary<string, object> {{ "aws:SourceOwner", "pTestAccnt" } }},
{"StringEquals",
new Dictionary<string, object> {{ "aws:SourceArn", topic.TopicArn } }
}
}
);
我目前正在尝试使用带有 .NET 应用程序的 AWS CDK 复制另一个开发人员的 powershell 脚本功能。他正在使用 VaporShell 生成 CloudFormation 模板 (YAML)。我把 CloudFormation 模板放在下面(我已经为这个 post 做了很多通用名称)。我放了一个箭头指向让我头疼的键值对。
Resources:
rSNSTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: 'SNS topic'
TopicName: 'SNS Topic'
rSNSPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- !Ref 'rSNSTopic'
PolicyDocument:
Statement:
- Condition:
StringEquals:
AWS:SourceOwner: 'CurrentAcct' <=== This is the key/value pair.
Action:
- SNS:Publish
- SNS:RemovePermission
- SNS:SetTopicAttributes
- SNS:DeleteTopic
- SNS:ListSubscriptionsByTopic
- SNS:GetTopicAttributes
- SNS:Receive
- SNS:AddPermission
- SNS:Subscribe
Resource: !Ref 'rSNSTopic'
Effect: Allow
Sid: Default
Principal:
AWS: '*'
Version: '2012-10-17'
我已经能够使用 C# 应用程序和 AWS CDK 生成另一个 CloudFormation 模板。除了生成我在上面突出显示的键值对之外,它几乎完美地工作。我曾尝试使用一个数组,生成一个新的策略声明对象并在 .NET 中使用 Key/Value 对对象。我将在下面给出这三种尝试中每一种尝试的示例以及相应的输出。有谁知道用上面显示的相同方式生成 key/value 对的方法吗?当然是在 C# 中使用 CDK。
尝试 1:使用字符串数组。
C# 代码(下):
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
var topicPolicyStatement1 = new PolicyStatement(0)
.Describe("Default")
.AddAwsPrincipal("*")
.AddActions("- SNS:Publish\n" +
"- SNS:RemovePermission\n" +
"- SNS:SetTopicAttributes\n" +
"- SNS:DeleteTopic\n" +
"- SNS:ListSubscriptionsByTopic\n" +
"- SNS:GetTopicAttributes\n" +
"- SNS:Receive\n" +
"- SNS:AddPermission\n" +
"- SNS:Subscribe\n")
.AddCondition("StringEquals",
new [] {"AWS:SourceOwner", "pTestAccnt"}) <=== Using an array as the second .AddCondition parameter.
.AddCondition("aws:SourceArn", topic.TopicArn)
.AddResource(topic.TopicArn);
topic.AddToResourcePolicy(topicPolicyStatement1);
topic.AddToResourcePolicy(topicPolicyStatement2);
已生成 key/value 对部分 CloudFormation 模板(下):
Condition:
StringEquals:
- AWS:SourceOwner
- TestAccnt
尝试 2:使用新的策略声明对象。
C# 代码(下):
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
var topicPolicyStatement1 = new PolicyStatement(0)
.Describe("Default")
.AddAwsPrincipal("*")
.AddActions("- SNS:Publish\n" +
"- SNS:RemovePermission\n" +
"- SNS:SetTopicAttributes\n" +
"- SNS:DeleteTopic\n" +
"- SNS:ListSubscriptionsByTopic\n" +
"- SNS:GetTopicAttributes\n" +
"- SNS:Receive\n" +
"- SNS:AddPermission\n" +
"- SNS:Subscribe\n")
.AddCondition("StringEquals",
new PolicyStatement(0).AddCondition("AWS:SourceOwner", "pTestAccnt")) <=== Using a policy statement as the second .AddCondition parameter.
.AddCondition("aws:SourceArn", topic.TopicArn)
.AddResource(topic.TopicArn);
topic.AddToResourcePolicy(topicPolicyStatement1);
topic.AddToResourcePolicy(topicPolicyStatement2);
已生成 key/value 对部分 CloudFormation 模板(下):
Condition:
StringEquals:
Condition: <=== This solution creates a second condition key which throws an error in AWS CloudFormation.
AWS:SourceOwner: TestAccnt <=== This key value pair looks correct.
尝试 3:使用来自 .NETnew 策略语句对象的 Key/Value 对象。
C# 代码(下):
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
var topicPolicyStatement1 = new PolicyStatement(0)
.Describe("Default")
.AddAwsPrincipal("*")
.AddActions("- SNS:Publish\n" +
"- SNS:RemovePermission\n" +
"- SNS:SetTopicAttributes\n" +
"- SNS:DeleteTopic\n" +
"- SNS:ListSubscriptionsByTopic\n" +
"- SNS:GetTopicAttributes\n" +
"- SNS:Receive\n" +
"- SNS:AddPermission\n" +
"- SNS:Subscribe\n")
.AddCondition("StringEquals",
new KeyValuePair<string, string>("AWS:SourceOwner", "pTestAccnt")) <=== Using a policy statement as the second .AddCondition parameter.
.AddCondition("aws:SourceArn", topic.TopicArn)
.AddResource(topic.TopicArn);
topic.AddToResourcePolicy(topicPolicyStatement1);
topic.AddToResourcePolicy(topicPolicyStatement2);
此方法会引发错误。我怀疑它与 JSII 运行时有关 compiling/interpreting 我在 C# 应用程序中使用的 key/value 对对象。
命令行的全部输出(下):
Unhandled Exception: System.ArgumentException: Could not infer JSII type for .NET type 'KeyValuePair`2'
Parameter name: type
at Amazon.JSII.Runtime.Services.Converters.FrameworkToJsiiConverter.InferType(IReferenceMap referenceMap, Type type)
at Amazon.JSII.Runtime.Services.Converters.ValueConverter.ConvertAny(IReferenceMap referenceMap, Object value)
at Amazon.JSII.Runtime.Services.Converters.ValueConverter.TryConvertPrimitive(IReferenceMap referenceMap, Object value, Boolean isOptional, PrimitiveType primitiveType, Object& result)
at Amazon.JSII.Runtime.Services.Converters.ValueConverter.TryConvert(TypeReference typeReference, IReferenceMap referenceMap, Object value, Object& result)
at Amazon.JSII.Runtime.Deputy.DeputyBase.<>c__DisplayClass20_0.<ConvertArguments>b__0(Parameter parameter, Object frameworkArgument)
at System.Linq.Enumerable.ZipIterator[TFirst,TSecond,TResult](IEnumerable`1 first, IEnumerable`1 second, Func`3 resultSelector)+MoveNext()
at System.Collections.Generic.LargeArrayBuilder`1.AddRange(IEnumerable`1 items)
at System.Collections.Generic.EnumerableHelpers.ToArray[T](IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Amazon.JSII.Runtime.Deputy.DeputyBase.<InvokeMethodCore>g__GetResult|18_0[T](<>c__DisplayClass18_0`1& )
at Amazon.JSII.Runtime.Deputy.DeputyBase.InvokeMethodCore[T](JsiiMethodAttribute methodAttribute, Object[] arguments, Func`3 beginFunc, Func`3 invokeFunc)
at Amazon.JSII.Runtime.Deputy.DeputyBase.InvokeInstanceMethod[T](Object[] arguments, String methodName)
at HelloCdk.TestStack..ctor(App parent, String name, IStackProps props) in C:\Users\SomeUser\Documents\git\SomeGITRepo\SingleStackGenerator\src\HelloCdk\TestStack.cs:line 57
at HelloCdk.Program.Main(String[] args) in C:\Users\SomeUser\Documents\git\SomeGITRepo\SingleStackGenerator\src\HelloCdk\Program.cs:line 18
(node:39548) UnhandledPromiseRejectionWarning: Error: EPIPE: broken pipe, write
at Object.writeSync (fs.js:569:3)
at t.SyncStdio.writeBuffer (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:165352)
at t.SyncStdio.writeLine (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:164892)
at t.InputOutput.write (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:164341)
at t.KernelHost.writeError (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:79440)
at i.then.catch.e (C:\Users\SomeUser\AppData\Local\Temp\gnh3dhha.5kf\jsii-runtime.js:1:79101)
(node:39548) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:39548) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
Subprocess exited with error 3762504530
我找到了解决办法。 C# 中的 "dictionary" 对象是完美的,JSII 运行时也可以编译它。
面临同样的问题,解决方案不是很明显...发布最终代码片段:
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
topic.AddToResourcePolicy(new PolicyStatement(
new PolicyStatementProps
{
Principals = new IPrincipal[] { new AnyPrincipal() },
Actions = new []
{
"SNS:Publish",
"SNS:RemovePermission",
"SNS:SetTopicAttributes",
"SNS:DeleteTopic",
"SNS:ListSubscriptionsByTopic",
"SNS:GetTopicAttributes",
"SNS:Receive",
"SNS:AddPermission",
"SNS:Subscribe"
},
Resources = new[] { topic.TopicArn },
Conditions = new Dictionary<string, object>
{
{"StringEquals",
new Dictionary<string, object> {{ "aws:SourceOwner", "pTestAccnt" } }},
{"StringEquals",
new Dictionary<string, object> {{ "aws:SourceArn", topic.TopicArn } }
}
}
);