cloudformation中Elasticache集群的参考arn
我想在云形成模板中引用“即将创建的”Redis ElastiCache 集群的 arn。
这是 ElasticacheCluster 模板(经过测试并在 cloudFormation 中工作),
ElasticacheCluster:
Type: AWS::ElastiCache::CacheCluster
Properties:
AutoMinorVersionUpgrade: 'true'
Engine: redis
CacheNodeType: cache.t2.micro
NumCacheNodes: '1'
VpcSecurityGroupIds:
- Fn::GetAtt:
- ElastiCacheSecurityGroup
- GroupId
CacheSubnetGroupName:
Ref: ElastiCacheSubnetGroup
我删除了其他人员(例如子网组和安全组),因为它在这里也不相关。我应该使用我正在尝试的访问策略向另一个资源授予对集群的访问权限:
AccessPolicies:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: es:*
Resource: !GetAtt ElasticacheCluster.Arn
- Effect: Allow
Principal:
AWS: "*"
Action: es:*
Resource: !GetAtt ElasticacheCluster.Arn
Condition:
IpAddress:
aws:SourceIp: 0.0.0.0/0
我看到了:
资源条目的 !GetAtt ElasticacheCluster.Arn
这里,但在这种情况下似乎不起作用,因为 !GetAtt 返回一组固定的属性,而 ARN 不是其中之一(正如@Anton 在评论中所建议的那样。
我还看到这个其他问题可以解决这个问题,但我更喜欢一个非硬编码的-解决方案不依赖于区域和帐户 ID 等内容。
问题的解决方案似乎很简单,但我正在努力寻找一个干净的答案。
I would like to reference the arn of a "going-to-be-created" Redis ElastiCache cluster in a cloud formation template.
This is the ElasticacheCluster template (tested and working in cloudFormation)
ElasticacheCluster:
Type: AWS::ElastiCache::CacheCluster
Properties:
AutoMinorVersionUpgrade: 'true'
Engine: redis
CacheNodeType: cache.t2.micro
NumCacheNodes: '1'
VpcSecurityGroupIds:
- Fn::GetAtt:
- ElastiCacheSecurityGroup
- GroupId
CacheSubnetGroupName:
Ref: ElastiCacheSubnetGroup
I cut on the other staff like subnetgroup and security group because it is also not relevant here. I should grant access to the Cluster to another resource with an Access Policies here what I was trying:
AccessPolicies:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: es:*
Resource: !GetAtt ElasticacheCluster.Arn
- Effect: Allow
Principal:
AWS: "*"
Action: es:*
Resource: !GetAtt ElasticacheCluster.Arn
Condition:
IpAddress:
aws:SourceIp: 0.0.0.0/0
I saw this:
the !GetAtt ElasticacheCluster.Arn for the resource entry
here but seems not to be working in this case since !GetAtt is returning a fixed set of attributes and ARN is not one of them (as suggested by @Anton in the comments.
I also saw this other question that could solve the issue but I would prefer a not-harcoded-solution being not dependent on things like region and account id.
The solution to the problem seems to be simple but I am struggling to find a clean answer.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我从 @multiscup 答案和问题中引用的 一个 中获得了灵感。
这种方法远非干净,我正在等待更好的答案,但至少它是有效的。
主要思想是构造 arn 所需的字符串:
为此,我使用了一个连接,尝试通过内置的 CloudFormation 函数动态获取元素:
我使用 Map 来定义 Redis 集群,因为我使用的是CloudFormation 模板中的其他点也具有相同的值。也许您会发现地图也很有帮助
I took inspiration from both the @multiscup answer and the one referenced in the question.
This approach is far from clean and I am waiting for a better answer but at least it is working.
The main idea is to construct the string needed for the arn:
To do that I used a join trying to dynamically get the element thanks to the built-in CloudFormation functions:
I used a Map to define the Redis-cluster because I was using the same value also in other points in the CloudFormation template. Maybe you might find helpful to have the map as well
正如 Anton 提到的,GetAtt 仅具有您可以获得的某些属性。此外,!Ref 将返回 资源的逻辑 ID。您是否考虑过尝试使用 用户< /a> 和/或 UserGroup 资源来完成您想要的任务?
As Anton mentioned, GetAtt only has certain attributes that you can get. Also, the !Ref will return the logical ID of the resource. Have you thought about trying to use the User and/or the UserGroup resources to accomplish what you want?