时间戳

首页 > 解决方案 > 如何在 aws cdk 中使用伪参数?

python - 如何在 aws cdk 中使用伪参数?

问题描述

嗨,我正在使用 python 开发 AWS CDK。我正在创建政策文件。以前我为相同的策略编写了云形成模板,它运行良好。以下是云形成政策。

MWSECSServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs.amazonaws.com]
            Action: ['sts:AssumeRole']
      Path: /
      Policies:
        - PolicyName: "ecs-service-role"
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
                  - elasticloadbalancing:DeregisterTargets
                  - elasticloadbalancing:RegisterInstancesWithLoadBalancer
                  - elasticloadbalancing:RegisterTargets
                # yamllint disable-line rule:line-length
                Resource:
                  # yamllint disable-line rule:line-length
                  - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*'
                  # yamllint disable-line rule:line-length
                  - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener-rule/app/mws-*'
                  # yamllint disable-line rule:line-length
                  - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener/app/mws-*'
                  # yamllint disable-line rule:line-length
                  - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:targetgroup/mws-*'

              - Effect: Allow
                Action:
                  - ec2:Describe*
                  - ec2:AuthorizeSecurityGroupIngress
                  - elasticloadbalancing:Describe*
                Resource: '*'

现在我正在编写 AWS CDK,如下所示。

 MWSECSServiceRole = iam.Role(self, 'MWSECSServiceRole',
          assumed_by=new ServicePrincipal('ecs.amazonaws.com'))

        MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        resources=["arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*","arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener-rule/app/mws-*","arn:aws:elasticloadbalancing:*:${AWS::AccountId}:listener/app/mws-*","arn:aws:elasticloadbalancing:*:${AWS::AccountId}:targetgroup/mws-*"],
        actions=["elasticloadbalancing:DeregisterInstancesFromLoadBalancer","elasticloadbalancing:DeregisterTargets","elasticloadbalancing:RegisterInstancesWithLoadBalancer","elasticloadbalancing:RegisterTargets"]
        ))

        MWSECSServiceRole.add_to_policy(iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        resources=["*"],
        actions=["ec2:AuthorizeSecurityGroupIngress","ec2:Describe*","elasticloadbalancing:Describe*"]
        ))

例如,这将生成资源,arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*但我需要的是 - !Sub 'arn:aws:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/mws-*'. 那么如何在 AWS CDK 中使用 !Sub 呢?有人可以帮助我吗?

标签: pythonamazon-web-servicesamazon-cloudformationaws-cdk

解决方案

所以我最近才开始将 AWS CDK 与 Python 结合使用。以为我会回答它可以帮助其他人的事件

我们正在使用 CDK 迁移现有的 cfn 模板,并且我们希望利用代码抽象和馈入参数来生成 cfn 模板。

我遇到了同样的问题并做了以下事情:

进口核心:

from aws_cdk import (
    core
)

在您的 CDK 类之外声明 CDK 函数对象:

Fn = core.Fn

在您的 CDK 类中创建一个类似于以下内容的函数:

def checkFnSubRequired(self, content):
    if re.search(r'\${.*}', content):
        return Fn.sub(content)
    else:
        return content

该函数允许您获取可能需要替换的任何字符串并返回替换的对象,例如:

resources=["arn:aws:elasticloadbalancing:*:${AWS::AccountId}"]

更改为以下内容:

resources=[self.checkFnSubRequired("arn:aws:elasticloadbalancing:*:${AWS::AccountId}")]

推荐阅读