CloudFormation - 策略变量的资源依赖关系未解决?
CloudFormation - Unresolved resource dependencies for policy variables?
我创建了一个 CloudFormation 模板,它部署了一个 AWS Lambda 函数,AWS Transfer 调用该函数来验证 sftp 用户。 Lambda 函数 returns AWS Transfer 选择并用于锁定 sftp 用户权限的策略。
此政策包括变量:
transfer:HomeFoldertransfer:HomeBuckettransfer:HomeDirectory
有关这些变量作用的文档,请参阅:Editing User Configuration - AWS Transfer for SFTP
当我尝试部署我的 CloudFormation 模板时,出现以下错误:
An error occurred (ValidationError) when calling the CreateChangeSet operation: Template format error: Unresolved resource dependencies [transfer:HomeFolder, transfer:HomeBucket, transfer:HomeDirectory] in the Resources block of the template.
是否可以覆盖策略变量的 CloudFormation 参数:transfer:HomeFolder、transfer:HomeBucket、transfer:HomeDirectory?
这是我的 CloudFormation 模板的 Lambda 部分:
GetUserConfigLambda:
Type: AWS::Lambda::Function
Properties:
Code:
ZipFile:
Fn::Sub: |
'use strict';
const https = require('https');
exports.handler = (event, context, callback) => {
const data = JSON.stringify({
username: event.username,
password: event.password
});
const options = {
hostname: '${Url}',
path: '/api/v1.0/users',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': data.length
}
};
var policy = {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${transfer:HomeBucket}"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:HomeFolder}/*",
"${transfer:HomeFolder}"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
},
{
"Action":[
"s3:PutObject"
],
"Effect":"Deny",
"Resource":"arn:aws:s3:::${transfer:HomeDirectory}/*/"
}
]
}
var req = https.request(options, (res) => {
console.log("Status code: ", res.statusCode);
let data = '';
res.on('data', (chunk) => {
data += chunk;
}).on('end', () => {
let response = JSON.parse(data);
let lambdaResponse = {};
if('data' in response &&
'name' in response['data']) {
lambdaResponse = {
// Required.
Role: 'arn:aws:iam::669858054894:role/${UserRole}',
// JSON blob which further restrict this user's permissions.
Policy: JSON.stringify(policy),
// Home directory is a concatenation of home bucket and integration name.
HomeDirectory: "/${SftpS3Bucket}/" + response['data']['name'],
// Name of home bucket.
HomeBucket: "${SftpS3Bucket}"
}
}
callback(null, lambdaResponse);
});
}).on("error", (err) => {
console.log("Error: ", err.message);
callback(null, {});
});
req.end(data);
};
我怀疑 CloudFormation 可能对 ${xx} 块感到困惑,这些块在 CloudFormation 模板中具有特殊含义。
我认为您只是希望将这些值作为文本传递,然后在 IAM 策略中进行解释。
您应该可以通过拆分 Python 中的文本字符串来避免此行为,例如:
"arn:aws:s3:::$""{transfer:HomeBucket}"
我创建了一个 CloudFormation 模板,它部署了一个 AWS Lambda 函数,AWS Transfer 调用该函数来验证 sftp 用户。 Lambda 函数 returns AWS Transfer 选择并用于锁定 sftp 用户权限的策略。
此政策包括变量:
transfer:HomeFoldertransfer:HomeBuckettransfer:HomeDirectory
有关这些变量作用的文档,请参阅:Editing User Configuration - AWS Transfer for SFTP
当我尝试部署我的 CloudFormation 模板时,出现以下错误:
An error occurred (ValidationError) when calling the CreateChangeSet operation: Template format error: Unresolved resource dependencies [transfer:HomeFolder, transfer:HomeBucket, transfer:HomeDirectory] in the Resources block of the template.
是否可以覆盖策略变量的 CloudFormation 参数:transfer:HomeFolder、transfer:HomeBucket、transfer:HomeDirectory?
这是我的 CloudFormation 模板的 Lambda 部分:
GetUserConfigLambda:
Type: AWS::Lambda::Function
Properties:
Code:
ZipFile:
Fn::Sub: |
'use strict';
const https = require('https');
exports.handler = (event, context, callback) => {
const data = JSON.stringify({
username: event.username,
password: event.password
});
const options = {
hostname: '${Url}',
path: '/api/v1.0/users',
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': data.length
}
};
var policy = {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${transfer:HomeBucket}"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:HomeFolder}/*",
"${transfer:HomeFolder}"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
},
{
"Action":[
"s3:PutObject"
],
"Effect":"Deny",
"Resource":"arn:aws:s3:::${transfer:HomeDirectory}/*/"
}
]
}
var req = https.request(options, (res) => {
console.log("Status code: ", res.statusCode);
let data = '';
res.on('data', (chunk) => {
data += chunk;
}).on('end', () => {
let response = JSON.parse(data);
let lambdaResponse = {};
if('data' in response &&
'name' in response['data']) {
lambdaResponse = {
// Required.
Role: 'arn:aws:iam::669858054894:role/${UserRole}',
// JSON blob which further restrict this user's permissions.
Policy: JSON.stringify(policy),
// Home directory is a concatenation of home bucket and integration name.
HomeDirectory: "/${SftpS3Bucket}/" + response['data']['name'],
// Name of home bucket.
HomeBucket: "${SftpS3Bucket}"
}
}
callback(null, lambdaResponse);
});
}).on("error", (err) => {
console.log("Error: ", err.message);
callback(null, {});
});
req.end(data);
};
我怀疑 CloudFormation 可能对 ${xx} 块感到困惑,这些块在 CloudFormation 模板中具有特殊含义。
我认为您只是希望将这些值作为文本传递,然后在 IAM 策略中进行解释。
您应该可以通过拆分 Python 中的文本字符串来避免此行为,例如:
"arn:aws:s3:::$""{transfer:HomeBucket}"