Tit*_*lum 4 amazon-web-services aws-cloudformation ssm
我有一个 CloudFormation 模板,它创建一个AWS::Events::Rule和一个AWS::SSM::Document. 我需要提供的名单Targets为SSM::Rule,但每个目标要求的ARN:
mySSMDocument:
Type: AWS::SSM::Document
Properties:
DocumentType: 'Command'
Content:
schemaVersion: '2.2'
description: "Code that will be run on EC2"
mainSteps:
- action: "aws:runShellScript"
name: runShellScript
inputs:
runCommand:
- 'Some command to execute'
myEventRule:
Type: AWS::Events::Rule
Properties:
Description: "A description for the Rule."
EventPattern:
source:
- "aws.autoscaling"
detail-type:
- "EC2 Instance-terminate Lifecycle Action"
detail:
AutoScalingGroupName:
- !Ref 'someAutoScalingGroupInThisTemplate'
RoleArn: 'some role ARN'
State: "ENABLED"
Targets:
- Id: "some-unique-id"
Arn: <-- This is the value that I need to fill in.
RunCommandParameters:
RunCommandTargets:
- Key: "tag: Name"
Values:
- 'The name of the EC2 machine'
我认为我需要<-- This is the value that I need to fill in.用ARNof替换mySSMDocument,但我没有看到任何方法可以从模板本身中检索此值。文档不指定任何GetAtt有关的功能SSM::Document,允许获得ARN。有谁知道如何解决这个问题?
!Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${mySSMDocument}
您可以生成ARN 格式以AWS::SSM::Document使用 的返回值AWS::SSM::Document、分区、区域和 AccountId 的伪参数以及Sub内部函数
这是文档的 ARN 模式
arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName}
例子:
arn:aws:ssm:us-east-2:12345678912:document/demooo
您可以使用Ref函数获取文档名称,然后Sub创建最终的 ARN
参考:https : //docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html#awssystemsmanager-resources-for-iam-policies
| 归档时间: |
|
| 查看次数: |
2002 次 |
| 最近记录: |