cloudformation new role / policy | MalformedPolicyDocument
0 votes
/ 05 September 2018

I am trying to create a new role and policy using CloudFormation.

When deploying I get the following error:

Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 848a408e-b0f1-11e8-90b6-cf2a19d18ad2)

AWSTemplateFormatVersion: 2010-09-09
Description: >
  AWS CloudFormation Template
Parameters:
  StackName:
    Type: String
    Description: stack test
    Default: stackTest
  DclEnvironment:
    Type: String
    Description: Env
    AllowedValues:
      - test
      - dev
      - stage
      - prod
    Default: dev
  Domain:
    Type: String
    Description: Private Domain name
    Default: int.mydomain.com
  VpcId:
    Type: AWS::EC2::VPC::Id
    Default: xxxx
  AppAmiId:
    Type: AWS::EC2::Image::Id
    Description: Ec2 AMI ID
    Default: ami-XXXX
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Key Name
    Default: xxxx
  SecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-separated list of existing security group IDs in your VPC
    Default: sg-xxxx
  SubnetA:
    Description: Subnet from AZ a
    Type: String
    Default: subnet-xxxxx
  SubnetB:
    Description: Subnet from AZ b
    Type: String
    Default: subnet-xxxx
  SubnetC:
    Description: Subnet from AZ c
    Type: String
    Default: subnet-xxxx
  DbSubnetGroupA:
    Type: String
    Description: Subnet from AZ A
    Default: subnet-xxxx
  DbSubnetGroupB:
    Type: String
    Description: Subnet from AZ B
    Default: subnet-xxxxx
  DbSubnetGroupC:
    Type: String
    Description: Subnet from AZ C
    Default: subnet-xxxxx
Resources:
  monitoringRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
      - "-"
      - - !Ref DclEnvironment
        - "iam-01"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
            - ec2.amazonaws.com
      Path: "/"
  policyEC2Monitoring:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Join
      - "-"
      - - !Ref DclEnvironment
        - "policy-01"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - ec2:Describe*
          Ressource: "*"   # misspelled statement key (IAM only accepts "Resource"); same on the three statements below
        - Effect: Allow
          Action:
          - elasticloadbalancing:Describe*
          Ressource: "*"
        - Effect: Allow
          Action:
          - cloudwatch:ListMetrics*
          - cloudwatch:GetMetricStatistics
          - cloudwatch:Describe*
          Ressource: "*"
        - Effect: Allow
          Action:
          - autoscaling:Describe*
          Ressource: "*"
      Roles:
      - !Ref monitoringRole
  instanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Join
      - "-"
      - - !Ref DclEnvironment
        - "inp-01"
      Path: "/"
      Roles:
      - !Ref monitoringRole

Thanks in advance,

Fas3r.

EDIT

the resource must be wrapped in ["*"] if there is more than one action; when there is a single action, no new line is needed, it can be: Action: actionName

1 Answer

0 votes
/ 05 September 2018

As the error shows, your yaml has invalid syntax.

You can use web tools such as http://www.yamllint.com/ to fix syntax problems.

Here is the correct syntax for the yaml file:

AWSTemplateFormatVersion: 2010-09-09
Description: >
  AWS CloudFormation Template
Parameters:
  StackName:
    Type: String
    Description: stack test
    Default: stackTest
  DclEnvironment:
    Type: String
    Description: Env
    AllowedValues:
      - test
      - dev
      - stage
      - sbox
      - prod
    Default: dev
  DclPod:
    Type: String
    Description: Pod Name
    Default: enel
  DclService:
    Type: String
    Description: Pod Name
    Default: monitoring
  Domain:
    Type: String
    Description: Private Domain name
    Default: int.mydomain.com
  VpcId:
    Type: AWS::EC2::VPC::Id
    Default: vpc-4ac3bb21
  AppAmiId:
    Type: AWS::EC2::Image::Id
    Description: Ec2 AMI ID
    Default: ami-XXXX
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Key Name
    Default: c3-kp-01
  SecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-separated list of existing security group IDs in your VPC
    Default: sg-07f5186b
  SubnetA:
    Description: Subnet from AZ a
    Type: String
    Default: subnet-7d576316
  SubnetB:
    Description: Subnet from AZ b
    Type: String
    Default: subnet-496a0834
  SubnetC:
    Description: Subnet from AZ c
    Type: String
    Default: subnet-7d576316
  DbSubnetGroupA:
    Type: String
    Description: Subnet from AZ A
    Default: subnet-1154607a
  DbSubnetGroupB:
    Type: String
    Description: Subnet from AZ B
    Default: subnet-3d650740
  DbSubnetGroupC:
    Type: String
    Description: Subnet from AZ C
    Default: subnet-4d027e00
Resources:
  monitoringRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
      - "-"
      - - !Ref DclEnvironment
        - !Ref DclPod
        - !Ref DclService
        - "iam-01"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
            - ec2.amazonaws.com
      Path: "/"
  policyEC2Monitoring:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Join
      - "-"
      - - !Ref DclEnvironment
        - !Ref DclPod
        - !Ref DclService
        - "policy-01"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Action:
          - ec2:Describe*
          Resource: "*"   # the IAM statement key is "Resource" (one s); anything else is rejected as MalformedPolicyDocument
        - Effect: Allow
          Action:
          - elasticloadbalancing:Describe*
          Resource: "*"
        - Effect: Allow
          Action:
          - cloudwatch:ListMetrics*
          - cloudwatch:GetMetricStatistics
          - cloudwatch:Describe*
          Resource: "*"
        - Effect: Allow
          Action:
          - autoscaling:Describe*
          Resource: "*"
      Roles:
      - !Ref monitoringRole
  instanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Join
      - "-"
      - - !Ref DclEnvironment
        - !Ref DclPod
        - !Ref DclService
        - "inp-01"
      Path: "/"
      Roles:
      - !Ref monitoringRole

Hope this helps.
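The error in the question comes from IAM, not from the YAML parser: CloudFormation parsed the template, serialised the PolicyDocument to JSON and IAM rejected it because a statement key was not one it knows. A pre-deploy lint that checks exactly the keys IAM accepts catches this before the stack rolls back. The checker below is an added example, not code from the original post or the answer; it assumes the template has already been parsed into a dict (for instance with PyYAML plus constructors for CloudFormation's !Ref / !Join tags), and SAMPLE_TEMPLATE is a constructed, trimmed copy of the question's monitoringRole and policyEC2Monitoring resources that keeps the misspelled "Ressource" key.

```python
"""Lint the IAM policy documents embedded in a CloudFormation template.

Added example, not code from the original post. Assumes the template is
already a dict (e.g. PyYAML with constructors for !Ref / !Join). The
SAMPLE_TEMPLATE below is constructed for the demo.
"""
import difflib
import re
from typing import Any

# Keys IAM accepts at the two levels of a policy document.
DOCUMENT_KEYS = {"Version", "Id", "Statement"}
STATEMENT_KEYS = sorted({"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                         "NotAction", "Resource", "NotResource", "Condition"})
# Resource properties that carry a policy document.
POLICY_PROPERTIES = ("PolicyDocument", "AssumeRolePolicyDocument")
# "*" or "service:Action", where the action part may carry a trailing wildcard.
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$", re.IGNORECASE)


def _as_list(value: Any) -> list:
    """IAM allows most elements as a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy_document(doc: Any, where: str) -> list[str]:
    """Return human-readable findings; an empty list means the document is well-formed."""
    if not isinstance(doc, dict):
        return [f"{where}: policy document must be a mapping"]
    findings = [f"{where}: unknown top-level key {k!r}" for k in doc if k not in DOCUMENT_KEYS]
    if doc.get("Version") not in ("2012-10-17", "2008-10-17"):
        findings.append(f"{where}: Version must be '2012-10-17' (or the legacy '2008-10-17')")
    statements = doc.get("Statement")
    if statements is None:
        return findings + [f"{where}: Statement is required"]
    for i, st in enumerate(_as_list(statements)):
        loc = f"{where}.Statement[{i}]"
        if not isinstance(st, dict):
            findings.append(f"{loc}: statement must be a mapping")
            continue
        for key in st:
            if key not in STATEMENT_KEYS:
                # Suggest the nearest valid key so a typo like "Ressource" is obvious.
                hint = difflib.get_close_matches(key, STATEMENT_KEYS, n=1, cutoff=0.8)
                suffix = f" (did you mean {hint[0]!r}?)" if hint else ""
                findings.append(f"{loc}: unknown key {key!r}{suffix}")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{loc}: Effect must be 'Allow' or 'Deny'")
        if "Action" not in st and "NotAction" not in st:
            findings.append(f"{loc}: Action or NotAction is required")
        for action in _as_list(st.get("Action", st.get("NotAction", []))):
            if not isinstance(action, str) or not ACTION_RE.match(action):
                findings.append(f"{loc}: malformed action {action!r}")
        # A trust policy (AssumeRolePolicyDocument) names a Principal and carries
        # no Resource; an identity policy must name Resource or NotResource.
        if "Principal" in st or "NotPrincipal" in st:
            continue
        if "Resource" not in st and "NotResource" not in st:
            findings.append(f"{loc}: Resource or NotResource is required")
    return findings


def lint_template(template: dict) -> list[str]:
    """Lint every policy document on every resource in a parsed template."""
    findings: list[str] = []
    for name, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        for prop in POLICY_PROPERTIES:
            if prop in props:
                findings += lint_policy_document(props[prop], f"{name}.{prop}")
    return findings


# Constructed sample: the question's role and policy, trimmed to what matters.
SAMPLE_TEMPLATE = {
    "Resources": {
        "monitoringRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": {"Service": ["ec2.amazonaws.com"]}}],
                },
            },
        },
        "policyEC2Monitoring": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Ressource": "*"},
                        {"Effect": "Allow", "Action": ["autoscaling:Describe*"], "Resource": "*"},
                    ],
                },
                "Roles": [{"Ref": "monitoringRole"}],
            },
        },
    }
}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Running it on the sample reports two findings, both on policyEC2Monitoring.PolicyDocument.Statement[0]: the unknown key 'Ressource' with 'Resource' suggested, and the resulting missing Resource. Note that `aws cloudformation validate-template` would not have caught this: it validates the template's own structure and passes the policy document through as opaque JSON, which IAM only evaluates at stack create time. For a single document, `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json` gives IAM's own verdict. The `"*"` resources in this particular policy are acceptable because the Describe*/ListMetrics*/GetMetricStatistics read actions it grants do not support resource-level permissions; the lint deliberately does not flag them.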