I have been trying to add a JSON policy inside a YAML file but have been unsuccessful so far:
custom:
  deploymentBucket:
    versioning: true
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
              "arn:aws:s3:::deeperion-deployment-bucket",
              "arn:aws:s3:::deeperion-deployment-bucket/*"
            ],
            "Condition": {
              "Bool": {
                "aws:SecureTransport": "false"
              }
            }
          }
        ]
      }
The serverless framework plugin below allows you to add a bucket policy to the deployment bucket:
https://www.serverless.com/plugins/serverless-deployment-bucket
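Added example (not from the question, the answer, or the plugin): once the block scalar above is parsed by the YAML loader, what the plugin receives is plain JSON text. The check below parses that text and verifies that the policy actually does what the "AllowSSLRequestsOnly" statement intends, i.e. that a Deny on all principals for s3:* with aws:SecureTransport=false covers both the bucket ARN and the object ARNs; a policy that lists only one of the two leaves the other reachable over plain HTTP. The policy text and bucket name are copied from the question; the function names are this example's own.

```python
import json

# Constructed sample: the question's SSL-only policy, as it reads after the
# YAML block scalar ("policy: |") has been parsed. The bucket name is the
# question's own.
BUCKET = "deeperion-deployment-bucket"
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::deeperion-deployment-bucket",
        "arn:aws:s3:::deeperion-deployment-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
"""


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def enforces_tls_only(policy, bucket):
    """True if `policy` has a Deny statement that rejects non-TLS requests
    for both the bucket ARN and its object ARNs (arn.../*)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    needed = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if "s3:*" not in set(_as_list(stmt.get("Action", []))):
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if needed <= set(_as_list(stmt.get("Resource", []))):
            return True
    return False


def check_policy_text(text, bucket):
    """Parse the block-scalar text and run the check. A JSON syntax error,
    the usual symptom of lost indentation inside the YAML, is reported
    rather than raised."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"policy is not valid JSON: {exc}"
    ok = enforces_tls_only(policy, bucket)
    return ok, ("TLS-only deny covers bucket and objects" if ok
                else "no TLS-only deny statement found")


if __name__ == "__main__":
    print(check_policy_text(POLICY_JSON, BUCKET))
```

Running the check against the parsed value of `custom.deploymentBucket.policy` before `serverless deploy` catches the two common mistakes with this pattern: indentation that breaks the JSON, and a Resource list that forgot the `/*` entry.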
I am defining attribute-based access control (ABAC) for AWS IAM within my Terraform file. A sample policy is:
resource "aws_iam_role_policy" "testS3" {
  name   = "testS3"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::dev-${aws:PrincipalTag/team}*"
    }
  ]
}
EOF
}
How do I use that ${...} block within Terraform? Terraform translates it into its own variables.
It worked with an extra $ in the string:
resource "aws_iam_role_policy" "testS3" {
  name   = "testS3"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::dev-$${aws:PrincipalTag/team}*"
    }
  ]
}
EOF
}
I also tried it with a variables.tf file and referenced the variable in the JSON here.
variables.tf
variable "principaltag" {
  default = "$${aws:PrincipalTag/tedteam}"
}
****
policy.tf
resource "aws_iam_role_policy" "testS3" {
  name   = "testS3"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::dev-${var.principaltag}*"
    }
  ]
}
EOF
}
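Added example (not part of the question or answers above): the `$${...}` trick works because Terraform reads `$${` as a literal `${`, so the IAM policy variable reaches AWS intact. When policies are generated or pasted by hand this is easy to get wrong in one direction or the other, so the helper below escapes IAM policy variables (`${service:key...}`, which have a colon after the prefix) for embedding in an HCL heredoc while leaving Terraform's own `${var.x}` references untouched, undoes the escaping to show what Terraform will emit, and lists any IAM variables that would still be consumed by Terraform. The function names and the pattern are this example's assumptions; the resource ARN is the question's.

```python
import re

# IAM policy variables look like ${aws:PrincipalTag/team} or ${s3:prefix}:
# a "${", a service prefix, a colon, then the key. Terraform references such
# as ${var.principaltag} have no colon, so the colon is what tells them apart.
# The leading (?<!\$) skips variables that are already written as $${...}.
_IAM_VAR = re.compile(r"(?<!\$)\$\{([A-Za-z0-9]+:[^}]+)\}")


def escape_for_hcl(policy_text):
    """Write every unescaped IAM policy variable as $${...} so Terraform
    passes it through literally. Idempotent: already-escaped variables are
    left alone."""
    return _IAM_VAR.sub(r"$${\1}", policy_text)


def unescape_from_hcl(hcl_text):
    """What Terraform emits into the rendered policy for an escaped variable."""
    return hcl_text.replace("$${", "${")


def unescaped_iam_vars(hcl_text):
    """IAM variables that Terraform would still try to interpolate itself
    (and fail on, since "aws:PrincipalTag/team" is not a Terraform name)."""
    return [m.group(0) for m in _IAM_VAR.finditer(hcl_text)]


# Constructed sample: the question's Resource line, as written before escaping.
POLICY_LINE = '"Resource": "arn:aws:s3:::dev-${aws:PrincipalTag/team}*"'

if __name__ == "__main__":
    print("offending:", unescaped_iam_vars(POLICY_LINE))
    print("escaped:  ", escape_for_hcl(POLICY_LINE))
```

Running `unescaped_iam_vars` over a policy heredoc in CI (or before `terraform validate`) flags the exact mistake in the question without waiting for the plan to fail.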
I am trying to figure out how to autoformat JSON files in the same manner as a standard AWS template. If you run a template through the AWS Toolkit or the online designer, the format is very readable. Everything I've tried in the JSON editor ends up looking like crap, but I see tons of templates in JSON format online that look exactly like the Amazon format. I've tried using the AWS Toolkit, but that only recognizes files named ".template". Is there a different plugin, or custom settings I should be inputting?
Thanks everyone!
Example (JSON):
{
"AWSTemplateFormatVersion" : "2010-09-09", "Parameters" : {
"LogRetentionTime" : {
"Type" : "Number", "Default" : 90, "Description" : "Flow log retention time in days", "AllowedValues" : [ 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 ]
}
}, "Resources" : {
"VpcFlowLog" : {
"Type" : "Custom::CreateVpcFlowLogs", "Properties" : {
"ServiceToken" : {
"Ref" : "CreateVpcFlowLogLambdaFunction"
}, "Region" : {
"Ref" : "AWS::Region"
}, "VpcId" : {
"Ref" : "Vpc"
}, "LogGroupName" : {
"Ref" : "VpcLogGroup"
}, "DeliverLogsPermissionArn" : {
"Fn::GetAtt" : [ "FlowLogsRole", "Arn" ]
}
}, "DependsOn" : [ ]
}, "FlowLogsRole" : {
"Type" : "AWS::IAM::Role", "Properties" : {
"AssumeRolePolicyDocument" : {
"Version" : "2012-10-17", "Statement" : [ {
"Effect" : "Allow", "Principal" : {
"Service" : "vpc-flow-logs.amazonaws.com"
}, "Action" : "sts:AssumeRole"
} ]
}, "Policies" : [ {
"PolicyName" : "root", "PolicyDocument" : {
"Version" : "2012-10-17", "Statement" : [ {
"Effect" : "Allow", "Action" : [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams" ], "Resource" : "arn:aws:logs:*:*:*"
} ]
}
} ]
}
}, "VpcLogGroup" : {
"Type" : "AWS::Logs::LogGroup", "Properties" : {
"RetentionInDays" : {
"Ref" : "LogRetentionTime"
}
}, "DependsOn" : [ ]
}
}, "Outputs" : {
"VpcFlowLog" : {
"Description" : "Flog log id", "Value" : {
"Fn::GetAtt" : [ "VpcFlowLog", "Id" ]
}
}
}
}
Example (AWS):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "LogRetentionTime": {
            "Type": "Number",
            "Default": 90,
            "Description": "Flow log retention time in days",
            "AllowedValues": [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
        }
    },
    "Resources": {
        "VpcFlowLog": {
            "Type": "Custom::CreateVpcFlowLogs",
            "Properties": {
                "ServiceToken": { "Ref" : "CreateVpcFlowLogLambdaFunction" },
                "Region": { "Ref": "AWS::Region" },
                "VpcId": {
                    "Ref": "Vpc"
                },
                "LogGroupName": {
                    "Ref": "VpcLogGroup"
                },
                "DeliverLogsPermissionArn": {"Fn::GetAtt" : ["FlowLogsRole", "Arn"] }
            },
            "DependsOn": []
        },
        "FlowLogsRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "vpc-flow-logs.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "Policies": [
                    {
                        "PolicyName": "root",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": [
                                        "logs:CreateLogGroup",
                                        "logs:CreateLogStream",
                                        "logs:PutLogEvents",
                                        "logs:DescribeLogGroups",
                                        "logs:DescribeLogStreams"
                                    ],
                                    "Resource": "arn:aws:logs:*:*:*"
                                }
                            ]
                        }
                    }
                ]
            }
        },
        "VpcLogGroup": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {
                "RetentionInDays": { "Ref" : "LogRetentionTime" }
            },
            "DependsOn": []
        }
    },
    "Outputs": {
        "VpcFlowLog": {
            "Description": "Flog log id",
            "Value": {
                "Fn::GetAtt": [
                    "VpcFlowLog",
                    "Id"
                ]
            }
        }
    }
}
Visual Studio formats them perfectly: if you manually drop a CRLF at the end of the file, it bada-booms them into the perfect format.
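Added example (not from the question, the answer, or any AWS tool): if an editor plugin is not an option, the layout in "Example (AWS)" is simple enough to reproduce with a few lines of Python. The rule this formatter applies, which is an approximation of the designer output rather than AWS's published algorithm, is: objects get one key per line with four-space indentation, a single-key object whose value is a scalar or a short scalar list (`{ "Ref": "X" }`, `{ "Fn::GetAtt": ["Role", "Arn"] }`) stays on one line, and a list of scalars stays on one line when it fits in the width. Key order is preserved, so a template round-trips unchanged apart from whitespace. The function names and the sample template are this example's own.

```python
import json


def _is_scalar_list(value):
    return isinstance(value, list) and all(
        not isinstance(v, (dict, list)) for v in value)


def format_cfn(value, indent=4, width=80, level=0):
    """Pretty-print a parsed CloudFormation template in the AWS designer style:
    one key per line for objects, single-key intrinsic objects such as
    { "Ref": "X" } on one line, short scalar lists on one line."""
    pad = " " * (indent * level)
    inner = " " * (indent * (level + 1))
    if isinstance(value, dict):
        if not value:
            return "{}"
        if len(value) == 1:
            (key, child), = value.items()
            fits = not isinstance(child, (dict, list)) or (
                _is_scalar_list(child) and len(json.dumps(child)) <= width)
            if fits:
                return "{ " + json.dumps(key) + ": " + json.dumps(child) + " }"
        lines = [inner + json.dumps(k) + ": "
                 + format_cfn(v, indent, width, level + 1)
                 for k, v in value.items()]
        return "{\n" + ",\n".join(lines) + "\n" + pad + "}"
    if isinstance(value, list):
        if not value:
            return "[]"
        if _is_scalar_list(value) and len(json.dumps(value)) <= width:
            return json.dumps(value)
        lines = [inner + format_cfn(v, indent, width, level + 1) for v in value]
        return "[\n" + ",\n".join(lines) + "\n" + pad + "]"
    return json.dumps(value)  # scalars: strings, numbers, booleans, null


def reformat_text(text, **kwargs):
    """Parse template text (json keeps key order) and re-emit it."""
    return format_cfn(json.loads(text), **kwargs)


def roundtrips(text, **kwargs):
    """True if reformatting changed only layout, not content."""
    return json.loads(reformat_text(text, **kwargs)) == json.loads(text)


# Constructed sample: the VpcLogGroup resource from the question, squashed
# onto one line the way a minifier or a bad editor leaves it.
SAMPLE_TEXT = ('{"Resources":{"VpcLogGroup":{"Type":"AWS::Logs::LogGroup",'
               '"Properties":{"RetentionInDays":{"Ref":"LogRetentionTime"}},'
               '"DependsOn":[]}}}')
SAMPLE = json.loads(SAMPLE_TEXT)

if __name__ == "__main__":
    print(reformat_text(SAMPLE_TEXT))
```

Because the output is produced from the parsed document, it is also a cheap sanity check: a template that does not parse is reported by `json.loads` before anything is written back, which is the same failure the AWS Toolkit would surface later.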
Does anyone know how to create a policy using CloudFormation and then have another CloudFormation template that assigns that policy to a role?
I'm looking at http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html and that doesn't answer my question.
The link between a policy and a role is declared in the AWS::IAM::Policy resource. So, for instance, you can have one stack export the role and another stack import it using the intrinsic function Fn::ImportValue and link it to a policy resource.
Exporting stack:
Resources:
  myRole:
    Type: "AWS::IAM::Role"
    Properties:
      ...
Outputs:
  exportedRole:
    Value: !Ref myRole
    Export:
      Name: "myExportedRole"
Importing stack:
Resources:
  myPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      Roles:
        - !ImportValue myExportedRole
      ...
You can create the role and the policy at the same time. Here is an example:
"LambdaFunctionRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [
                            "lambda.amazonaws.com"
                        ]
                    },
                    "Action": [
                        "sts:AssumeRole"
                    ]
                }
            ]
        },
        "Path": "/",
        "Policies": [
            {
                "PolicyName": "AlexaSkillCloudWatchLogsAccess",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "AllowLogging",
                            "Effect": "Allow",
                            "Action": [
                                "logs:CreateLogGroup",
                                "logs:CreateLogStream",
                                "logs:PutLogEvents"
                            ],
                            "Resource": [
                                "*"
                            ]
                        }
                    ]
                }
            }
        ]
    }
}
This resource creates a policy for a Lambda function with a policy included. Then you can include the ARN of the role in a Lambda function in the same template with "Fn::GetAtt".
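Added example (not part of either answer above): whichever of the two approaches is used, the things that go wrong at deploy time are an `Fn::ImportValue` that names an export the other stack does not publish, and a hastily written inline policy that grants an action on `"Resource": "*"` (as the logging statement in the second answer does). The checker below works on the templates as parsed dicts, resolves every `Fn::ImportValue` in the importing stack against the `Outputs`/`Export` names of the exporting stack, and lists resources whose policy allows an action on the `*` resource so they can be reviewed for least privilege. The two templates are constructed here from the answers' YAML; the function names are this example's own.

```python
# Constructed templates modelled on the two answers above, written as the
# dicts a YAML/JSON loader would produce. The logical ids and the export
# name are the answers' own; the PolicyDocument is a minimal stand-in.
EXPORTING_STACK = {
    "Resources": {
        "myRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    },
    "Outputs": {
        "exportedRole": {
            "Value": {"Ref": "myRole"},
            "Export": {"Name": "myExportedRole"},
        }
    },
}

IMPORTING_STACK = {
    "Resources": {
        "myPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "root",
                "Roles": [{"Fn::ImportValue": "myExportedRole"}],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Effect": "Allow",
                         "Action": ["logs:PutLogEvents"],
                         "Resource": ["*"]}
                    ],
                },
            },
        }
    }
}


def _walk(node):
    """Yield every nested dict, list and scalar in a parsed template."""
    yield node
    if isinstance(node, dict):
        for child in node.values():
            yield from _walk(child)
    elif isinstance(node, list):
        for child in node:
            yield from _walk(child)


def export_names(template):
    """Export names published by a stack's Outputs."""
    names = set()
    for output in template.get("Outputs", {}).values():
        name = output.get("Export", {}).get("Name")
        if isinstance(name, str):
            names.add(name)
    return names


def import_names(template):
    """Every literal export name referenced through Fn::ImportValue."""
    return {node["Fn::ImportValue"] for node in _walk(template)
            if isinstance(node, dict)
            and isinstance(node.get("Fn::ImportValue"), str)}


def unresolved_imports(exporting, importing):
    """Imports in `importing` that `exporting` does not publish."""
    return sorted(import_names(importing) - export_names(exporting))


def wildcard_allow_resources(template):
    """Logical ids of resources whose policy Allows an action on Resource '*'."""
    hits = []
    for logical_id, resource in template.get("Resources", {}).items():
        for node in _walk(resource.get("Properties", {})):
            if isinstance(node, dict) and node.get("Effect") == "Allow":
                resources = node.get("Resource", [])
                if not isinstance(resources, list):
                    resources = [resources]
                if "*" in resources:
                    hits.append(logical_id)
                    break
    return hits


if __name__ == "__main__":
    print("unresolved:", unresolved_imports(EXPORTING_STACK, IMPORTING_STACK))
    print("wildcard:  ", wildcard_allow_resources(IMPORTING_STACK))
```

Two CloudFormation facts make the import check worth running before deploying: the exporting stack must already be deployed with that export name for the importing stack to create, and once the import exists CloudFormation refuses to delete the exporting stack or change the exported value, so a typo in the name fails one way and a correct name creates a coupling you have to plan around.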
In my CloudFormation template I have a Parameter that can be empty but is given a value with Fn::Join; this is the example:
"Parameters": {
    "ConfigureRecipe": {
        "Description": "Configure recipe.",
        "Type": "String"
    }
},
"Configure": [ { "Fn::Join": [ "", [ "myChefRecipe::", { "Ref": "ConfigureRecipe" } ] ] } ]
If ConfigureRecipe is empty, CloudFormation will pass the recipe "myChefRecipe::" to OpsWorks and give me an error when configure starts, because a good value is "myChefRecipe::mysql". How can I handle this? Maybe with AWS::NoValue if ConfigureRecipe is empty.
Maybe you can try this out:
"Parameters": {
    "ConfigureRecipe": {
        "Description": "Configure recipe.",
        "Type": "String"
    }
},
"Conditions": {
    "CreateLayerWithoutRecipie": { "Fn::Equals": [ { "Ref": "ConfigureRecipe" }, "" ] }
},
"Resources": {
    "Layer": {
        "Type": "AWS::OpsWorks::Layer",
        "Properties": {
            ....
            "Configure": [ { "Fn::If": [ "CreateLayerWithoutRecipie", { "Ref": "AWS::NoValue" }, { "Fn::Join": [ "", [ "myChefRecipe::", { "Ref": "ConfigureRecipe" } ] ] } ] } ]
        }
    }
}
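Added example (not part of the question or the answer): the intrinsic functions involved are few enough that their effect can be simulated locally, which makes it easy to see exactly what string OpsWorks would receive for each parameter value. The resolver below handles `Ref` to a parameter, `Fn::Join`, `Fn::Equals`, `Fn::Not`, `Fn::If` and `{"Ref": "AWS::NoValue"}`, treating NoValue as "drop this property or list element", which is what the answer relies on; it is this example's own mini-evaluator, not CloudFormation's, so confirm the real result with a change set before relying on it. The two templates are built from the question's `Fn::Join` and the answer's `Fn::If`; placing `Configure` under `CustomRecipes` follows the AWS::OpsWorks::Layer resource schema, and the function names are this example's own.

```python
# Sentinel standing in for {"Ref": "AWS::NoValue"} during resolution.
NO_VALUE = object()


def resolve(node, params, conditions):
    """Evaluate the subset of CloudFormation intrinsics used in the thread.
    `params` maps parameter names to their values; `conditions` maps
    condition names to booleans. Unknown Refs (logical ids of resources)
    resolve to their own name."""
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            return NO_VALUE if arg == "AWS::NoValue" else params.get(arg, arg)
        if fn == "Fn::Join":
            sep, parts = arg
            return sep.join(str(resolve(p, params, conditions)) for p in parts)
        if fn == "Fn::Equals":
            left, right = (resolve(x, params, conditions) for x in arg)
            return left == right
        if fn == "Fn::Not":
            return not resolve(arg[0], params, conditions)
        if fn == "Fn::If":
            name, if_true, if_false = arg
            chosen = if_true if conditions[name] else if_false
            return resolve(chosen, params, conditions)
        # Any other single-key dict is ordinary data; fall through.
    if isinstance(node, dict):
        out = {}
        for key, child in node.items():
            value = resolve(child, params, conditions)
            if value is not NO_VALUE:      # NoValue removes the property
                out[key] = value
        return out
    if isinstance(node, list):
        resolved = (resolve(child, params, conditions) for child in node)
        return [v for v in resolved if v is not NO_VALUE]  # drop NoValue items
    return node


def layer_template(configure):
    """Constructed template skeleton shared by both variants below."""
    return {
        "Parameters": {
            "ConfigureRecipe": {"Description": "Configure recipe.",
                                "Type": "String"}
        },
        "Conditions": {
            "CreateLayerWithoutRecipie": {
                "Fn::Equals": [{"Ref": "ConfigureRecipe"}, ""]}
        },
        "Resources": {
            "Layer": {
                "Type": "AWS::OpsWorks::Layer",
                "Properties": {"CustomRecipes": {"Configure": configure}},
            }
        },
    }


JOIN = {"Fn::Join": ["", ["myChefRecipe::", {"Ref": "ConfigureRecipe"}]]}
# The question's version: always emits "myChefRecipe::<value>".
NAIVE = layer_template([JOIN])
# The answer's version: Fn::If swaps in AWS::NoValue when the parameter is empty.
GUARDED = layer_template([
    {"Fn::If": ["CreateLayerWithoutRecipie", {"Ref": "AWS::NoValue"}, JOIN]}
])


def configure_recipes(template, recipe):
    """Resolve the template for one value of ConfigureRecipe and return the
    Configure recipe list the layer would end up with."""
    params = {"ConfigureRecipe": recipe}
    conditions = {name: resolve(expr, params, {})
                  for name, expr in template.get("Conditions", {}).items()}
    resources = resolve(template["Resources"], params, conditions)
    return resources["Layer"]["Properties"]["CustomRecipes"]["Configure"]


if __name__ == "__main__":
    for name, tpl in (("naive", NAIVE), ("guarded", GUARDED)):
        for value in ("", "mysql"):
            print(f"{name:8s} ConfigureRecipe={value!r:8} -> "
                  f"{configure_recipes(tpl, value)}")
```

The empty-parameter case is the one that matters: the naive template yields `["myChefRecipe::"]`, the broken recipe name the question describes, while the guarded template yields `[]` and only produces `["myChefRecipe::mysql"]` when a value is supplied.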