Привет, я работаю над AWS CDK на Python. Я создаю программный документ. Раньше я писал шаблон формирования облака для той же политики, и он работал нормально. Ниже приведена политика формирования облака.
MWSECSServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [ecs.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: "ecs-service-role"
PolicyDocument:
Statement:
- Effect: Allow
Action:
- elasticloadbalancing:DeregisterInstancesFromLoadBalancer
- elasticloadbalancing:DeregisterTargets
- elasticloadbalancing:RegisterInstancesWithLoadBalancer
- elasticloadbalancing:RegisterTargets
# yamllint disable-line rule:line-length
Resource:
# yamllint disable-line rule:line-length
- !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*'
# yamllint disable-line rule:line-length
- !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener-rule/app/mws-*'
# yamllint disable-line rule:line-length
- !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener/app/mws-*'
# yamllint disable-line rule:line-length
- !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:targetgroup/mws-*'
- Effect: Allow
Action:
- ec2:Describe*
- ec2:AuthorizeSecurityGroupIngress
- elasticloadbalancing:Describe*
Resource: '*'
Теперь я пишу AWS CDK, как показано ниже.
MWSECSServiceRole = iam.Role(self, 'MWSECSServiceRole',
assumed_by=new ServicePrincipal('ecs.amazonaws.com'))
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
resources=["arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*","arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener-rule/app/mws-*","arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener/app/mws-*","arn:aws:elasticloadbalancing:*:${AWS::AccountId}:targetgroup/mws-*"],
actions=["elasticloadbalancing:DeregisterInstancesFromLoadBalancer","elasticloadbalancing:DeregisterTargets","elasticloadbalancing:RegisterInstancesWithLoadBalancer","elasticloadbalancing:RegisterTargets"]
))
MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
resources=["*"],
actions=["ec2:AuthorizeSecurityGroupIngress","ec2:Describe*","elasticloadbalancing:Describe*"]
))
Это сгенерирует ресурсы, например arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*
, но мне нужно - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*'
. Итак, как использовать! Sub в AWS CDK? Может ли кто-нибудь мне в этом помочь?