问题描述
Conditions:
IsBeta: !Equals [!Ref Stage,"beta"]
映射:
Mappings:
ABCMap:
beta:
Role1: "arn:aws::iam::...",Role1-Test: "arn:aws::iam::...",Role2: ""arn:aws::iam::...",Role2-Test: "arn:aws::iam::..."
prod:
Role1: "arn:aws::iam::...",Role2: "arn:aws::iam::..."
以及资源政策的一部分:
ResourcePolicy:
CustomStatements:
- Action: ['execute-api:Invoke']
Effect: Allow
Principal:
AWS:
- !FindInMap [ IAMRoleMap,!Ref Stage,Role1 ]
- !FindInMap [ IAMRoleMap,Role2 ]
- Fn::If:
- IsBeta
- - !FindInMap [ ABCMap,Role1-Test ]
- {Ref: 'AWS::Novalue'}
- Fn::If:
- IsBeta
- - !FindInMap [ ABCMap,Role2-Test ]
- {Ref: 'AWS::Novalue'}
Resource: "arn::aws..."
如何将它们组合成一个“if”?或者有没有更好的方式来表达,如果阶段是beta,我只需要在资源策略中有Role1-Test和Role2-Test?
解决方法
您应该将所有原则放在一个大 Fn::If 中:
ResourcePolicy:
CustomStatements:
- Action: ['execute-api:Invoke']
Effect: Allow
Principal:
AWS:
Fn::If:
- IsBeta
- - !FindInMap [ IAMRoleMap,!Ref Stage,Role1 ]
- !FindInMap [ IAMRoleMap,Role2 ]
- !FindInMap [ ABCMap,Role1-Test ]
- !FindInMap [ ABCMap,Role2-Test ]
- - !FindInMap [ IAMRoleMap,Role2 ]
Resource: "arn::aws..."