How to specify the order in which an AWS CloudFormation StackSet runs its stack instances across accounts
I have the following CloudFormation YAML. It creates a role in UserRootAccount and also a role in the non-UserRootAccount accounts, and allows UserRootAccount to assume the role in those child accounts.
The problem is that there is no way to control the order of the accounts in which the stack instances run.
If the first account to run happens to be UserRootAccount, it works fine, but if AWS picks any other account to run first, it fails with the error:
ResourceLogicalId:EbsSnapshotAgeReportingLambdaRole, ResourceType:AWS::IAM::Role, ResourceStatusReason:Invalid principal in policy:
I can see there is a way to specify the order of regions, but that does not help, because our main account and the child accounts all run their stack instances in the same region.
Is there any way to specify the order of the accounts?
Currently I check list_stack_instances for an error whose item['StatusReason'] contains "Invalid principal in policy"; if it was thrown from an account that is not the main account, I keep retrying until it picks the main account to update first and then completes, but this is awful.
```yaml
Description: "Deployment testing"
Parameters:
  UserRootAccount:
    Type: String
    MinLength: 12
    MaxLength: 12
    Default: "000000000000" # DO NOT CHANGE
    AllowedPattern: "[0-9]{12}"
    Description: AWS account serving as root account
Conditions:
  IsNotMgmtAccount: !Not [!Equals [ !Ref "AWS::AccountId", !Ref UserRootAccount ]]
  IsMgmtAccount: !Equals [ !Ref "AWS::AccountId", !Ref UserRootAccount ]
Resources:
  RootEbsSnapshotAgeReportingLambdaRole:
    Type: AWS::IAM::Role
    Condition: IsMgmtAccount
    Properties:
      RoleName: 'test-old-snapshots-managment-role-16'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: 'snapshot-age-role-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'ec2:DescribeRegions'
                  - 'ec2:DescribeVolumes'
                  - 'ebs:ListSnapshotBlocks'
                  - 'ec2:DescribeSnapshots'
                  - 'logs:CreateLogGroup'
                  - 'logs:PutLogEvents'
                  - 'ebs:ListChangedBlocks'
                  - 'ebs:GetSnapshotBlock'
                Resource: '*'
        -
          PolicyName: 'sts-snapshot-age-role-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'sts:AssumeRole'
                Resource: 'arn:aws:iam::*:role/test-old-snapshots-role'
  EbsSnapshotAgeReportingLambdaRole:
    Type: AWS::IAM::Role
    Condition: IsNotMgmtAccount
    Properties:
      RoleName: 'test-old-snapshots-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:aws:iam::${UserRootAccount}:role/test-old-snapshots-managment-role-16'
            Action:
              - sts:AssumeRole
      Policies:
        -
          PolicyName: 'snapshot-age-role-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'ec2:DescribeRegions'
                  - 'ec2:DescribeVolumes'
                  - 'ebs:ListSnapshotBlocks'
                  - 'ec2:DescribeSnapshots'
                  - 'logs:CreateLogGroup'
                  - 'logs:PutLogEvents'
                  - 'ebs:ListChangedBlocks'
                  - 'ebs:GetSnapshotBlock'
                Resource: '*'
```
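The failure in the question happens because IAM validates the principal ARN in a trust policy at role-creation time: the member-account role names `test-old-snapshots-managment-role-16` in the management account, so that role must exist before any member account's stack instance runs. Rather than retrying until AWS happens to pick the management account first, the deployment can be split into two StackSet operations and serialized: deploy to the management account, wait for that operation to reach a terminal state, then fan out to the member accounts. The script below is an added example, not code from the question; it assumes the stack set already exists, that the caller holds a boto3 CloudFormation client with StackSet permissions, and it includes a constructed `FakeCloudFormation` stand-in so it runs offline. It also carries the asker's `list_stack_instances` check as a one-shot diagnostic (`invalid_principal_failures`) instead of a retry loop.

```python
"""Serialize StackSet deployment: management account first, then members.

Assumed (not from the question): the stack set exists, `cfn` is a boto3
CloudFormation client (or the constructed FakeCloudFormation below), and
the management-account role is the only cross-account dependency.
"""
import time

TERMINAL = {"SUCCEEDED", "FAILED", "STOPPED"}
INVALID_PRINCIPAL = "Invalid principal in policy"


def plan_batches(root_account, accounts):
    """Order the target accounts into batches: [[root], [members...]].

    The root account is always batch 0 even if the caller omitted it,
    because every member-account trust policy references its role.
    """
    members = sorted(set(accounts) - {root_account})
    return [[root_account]] + ([members] if members else [])


def wait_for_operation(cfn, stack_set_name, operation_id,
                       poll_seconds=10, sleep=time.sleep):
    """Poll DescribeStackSetOperation until the operation is terminal."""
    while True:
        op = cfn.describe_stack_set_operation(
            StackSetName=stack_set_name, OperationId=operation_id
        )["StackSetOperation"]
        if op["Status"] in TERMINAL:
            return op["Status"]
        sleep(poll_seconds)


def deploy_in_order(cfn, stack_set_name, root_account, accounts, regions,
                    sleep=time.sleep):
    """Create stack instances batch by batch; stop at the first failed batch.

    Returns [(batch, status), ...] in the order the batches ran.
    """
    results = []
    for batch in plan_batches(root_account, accounts):
        op_id = cfn.create_stack_instances(
            StackSetName=stack_set_name, Accounts=batch, Regions=regions
        )["OperationId"]
        status = wait_for_operation(cfn, stack_set_name, op_id, sleep=sleep)
        results.append((batch, status))
        if status != "SUCCEEDED":
            break  # members would fail on the missing principal anyway
    return results


def invalid_principal_failures(cfn, stack_set_name, root_account):
    """Member-account instances whose StatusReason is the principal error."""
    failed, kwargs = [], {"StackSetName": stack_set_name}
    while True:
        page = cfn.list_stack_instances(**kwargs)
        for inst in page.get("Summaries", []):
            reason = inst.get("StatusReason") or ""
            if INVALID_PRINCIPAL in reason and inst["Account"] != root_account:
                failed.append((inst["Account"], inst["Region"]))
        if not page.get("NextToken"):
            return failed
        kwargs["NextToken"] = page["NextToken"]


class FakeCloudFormation:
    """Constructed offline stand-in for the boto3 CloudFormation client.

    It reproduces the failure mode: a member-account instance fails with
    the principal error if the root account has not been deployed yet.
    Unlike real AWS, it processes accounts in list order.
    """

    def __init__(self, root_account):
        self.root, self.root_deployed = root_account, False
        self.calls, self._ops, self._instances = [], {}, []

    def create_stack_instances(self, StackSetName, Accounts, Regions):
        op_id = f"op-{len(self._ops) + 1}"
        self.calls.append(list(Accounts))
        ok = True
        for account in Accounts:
            for region in Regions:
                if account == self.root:
                    self.root_deployed, reason = True, None
                elif self.root_deployed:
                    reason = None
                else:
                    reason = ("ResourceLogicalId:EbsSnapshotAgeReportingLambdaRole, "
                              "ResourceType:AWS::IAM::Role, "
                              f"ResourceStatusReason:{INVALID_PRINCIPAL}")
                    ok = False
                self._instances.append(
                    {"Account": account, "Region": region, "StatusReason": reason})
        self._ops[op_id] = "SUCCEEDED" if ok else "FAILED"
        return {"OperationId": op_id}

    def describe_stack_set_operation(self, StackSetName, OperationId):
        return {"StackSetOperation": {"Status": self._ops[OperationId]}}

    def list_stack_instances(self, StackSetName, NextToken=None):
        return {"Summaries": list(self._instances)}


if __name__ == "__main__":
    fake = FakeCloudFormation("000000000000")  # constructed account ids
    print(deploy_in_order(fake, "ebs-snapshot-age", "000000000000",
                          ["222222222222", "111111111111"], ["eu-west-1"],
                          sleep=lambda _: None))
```

With a real client (`boto3.client("cloudformation")`) the same `deploy_in_order` call issues two `CreateStackInstances` operations and blocks on `DescribeStackSetOperation` between them; the `sleep` parameter exists only so the polling loop can be driven without delay in tests. The second batch can itself be chunked if the member-account list is large, since StackSet operations are serialized per stack set.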