CloudFormation cannot create a resource policy for API Gateway - PullRequest
2 votes
/ 10 April 2019

The resource policy works fine when I paste it directly into the console. Below is a sample resource policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:us-west-2:339159142535:ooxmwl6q4e/*",
    "Condition": {
      "IpAddress": { "aws:SourceIp": ["14.98.8.190/32"] }
    }
  }]
}

Now, how do I write a CloudFormation template that creates this policy and attaches it to the API Gateway?

I tried creating a policy, but with the new policy "Principal" is not allowed.

I also created a role, but that did not help. Below is the role snippet:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Apifirewall": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": { "Service": ["apigateway.amazonaws.com"] },
            "Action": ["sts:AssumeRole"]
          }]
        },
        "Policies": [{
          "PolicyName": "Apifirewall",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": "*",
              "Resource": ["arn:aws:execute-api:us-west-2:339159142535:ooxmwl6q4e/*"],
              "Condition": {
                "IpAddress": {
                  "aws:SourceIp": ["14.98.8.190/32"]
                }
              }
            }]
          }
        }]
      }
    }
  },
  "Outputs": {
    "Apifirewall": { "Value": { "Fn::GetAtt": ["Apifirewall", "Arn"] } }
  }
}

Answers [ 2 ]

1 vote
/ 10 April 2019

An API Gateway resource policy is not tied to an IAM policy; it is a different type of resource.

So, to apply it to a RestApi, you have to use the Policy property of the AWS::ApiGateway::RestApi resource:

{
  "Type" : "AWS::ApiGateway::RestApi",
  "Properties" : {  
    "ApiKeySourceType" : String,
    "BinaryMediaTypes" : [ String, ... ],
    "Body" : JSON object,
    "BodyS3Location" : S3Location,
    "CloneFrom" : String,
    "Description" : String,      
    "EndpointConfiguration" : EndpointConfiguration,
    "FailOnWarnings" : Boolean,
    "MinimumCompressionSize" : Integer,
    "Name" : String,
    "Parameters" : { String:String, ... },
    "Policy" : JSON object
  }
}
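As an added example (not part of either answer), the following Python builds the AWS::ApiGateway::RestApi resource with the IP allowlist carried in its Policy property, and then evaluates that policy offline for a handful of source IPs so the rule can be checked before the stack is deployed. The function names, the REGIONAL endpoint type and the sample IPs are assumptions for the example; the allowlist CIDR is the one from the question. It goes beyond the answer's Allow-only statement by pairing the Allow with an explicit Deny on NotIpAddress, so that a later, broader Allow statement cannot silently reopen the API, and the evaluator applies the same precedence API Gateway does: an explicit Deny wins, and a request matching no statement is implicitly denied.

```python
"""
Build an AWS::ApiGateway::RestApi resource whose Policy property carries an
IP-allowlist resource policy, then evaluate that policy offline for a few
source IPs to confirm it behaves as intended before deploying the stack.
Added example; not code from the question or the answers.
"""
import ipaddress
import json

# Constructed sample input: the allowlist from the question (one /32).
ALLOWED_CIDRS = ["14.98.8.190/32"]


def rest_api_with_ip_allowlist(name, allowed_cidrs):
    """Return the CloudFormation resource dict for the RestApi.

    The Resource ARN uses a wildcard for the API id because the id does not
    exist until CloudFormation creates the RestApi. The policy pairs an Allow
    for every principal with an explicit Deny for any source IP outside the
    allowlist. The name, endpoint type and CIDR list are assumptions.
    """
    resource_arn = {"Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*/*"}
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": resource_arn,
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": resource_arn,
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
        ],
    }
    return {
        "Type": "AWS::ApiGateway::RestApi",
        "Properties": {
            "Name": name,
            "EndpointConfiguration": {"Types": ["REGIONAL"]},
            "Policy": policy,
        },
    }


def _ip_in_any(source_ip, cidrs):
    """True if source_ip falls inside any of the given CIDR blocks."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_matches(condition, source_ip):
    """Evaluate a Condition block; only IpAddress/NotIpAddress are modelled."""
    for operator, block in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator {operator}")
        cidrs = block.get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        hit = _ip_in_any(source_ip, cidrs)
        if operator == "IpAddress" and not hit:
            return False
        if operator == "NotIpAddress" and hit:
            return False
    return True


def evaluate_invoke(policy, source_ip):
    """Decide execute-api:Invoke for an anonymous caller from source_ip.

    IAM evaluation order: any matching explicit Deny wins, otherwise a matching
    Allow permits, otherwise the request is implicitly denied.
    Returns "ALLOW" or "DENY".
    """
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Action") != "execute-api:Invoke":
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"
        if stmt["Effect"] == "Allow":
            allowed = True
    return "ALLOW" if allowed else "DENY"


if __name__ == "__main__":
    resource = rest_api_with_ip_allowlist("RecommenderApi-example", ALLOWED_CIDRS)
    print(json.dumps(resource, indent=2))
    # Constructed sample callers: the allowlisted host, its neighbour, an outsider.
    for ip in ("14.98.8.190", "14.98.8.191", "203.0.113.7"):
        print(ip, evaluate_invoke(resource["Properties"]["Policy"], ip))
```

Running it prints the resource as JSON and one ALLOW/DENY line per sample IP. Two caveats worth keeping in mind: the policy document belongs in the RestApi's Policy property and never in an AWS::IAM::Policy, which is why the question's attempt was rejected for containing Principal; and changing the Policy of an already deployed API only takes effect for callers once the stage is redeployed.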
0 votes
/ 11 April 2019

Below is the complete CloudFormation template (CFT) for deploying an API with a Lambda integration:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "AppEnv": {
      "Type": "String",
      "Description": "Application environment, for this deployment"
    },
    "DeployTag": {
      "Type": "String",
      "Description": "Distinct deployment tag ex: BLUE, GREEN"
    }
  },
  "Resources": {
    "LambdaExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": { "Service": ["lambda.amazonaws.com"] },
            "Action": ["sts:AssumeRole"]
          }]
        },
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AWSLambdaFullAccess"]
      }
    },
    "RecommenderLambda": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Handler": "recommender_field_validation_lambda.lambda_handler",
        "FunctionName": "recommenderlambda2",
        "Role": { "Fn::GetAtt": ["LambdaExecutionRole", "Arn"] },
        "Environment": {
          "Variables": {
            "S3_BUCKET": "belcorp.recommender.test",
            "REGION_NAME": "us-west-2",
            "TOPIC_ARN": { "Fn::ImportValue": "RecommenderTopicARN" },
            "TABLE_NAME": { "Fn::ImportValue": "recommederrequestinfo" }
          }
        },
        "Code": {
          "S3Bucket": "belcorp.recommender.lambdas",
          "S3Key": "recommender_field_validation_lambda.zip"
        },
        "Runtime": "python3.6",
        "Timeout": 25
      }
    },
    "LambdaPermission": {
      "DependsOn": "RecommenderLambda",
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:invokeFunction",
        "FunctionName": "recommenderlambda2",
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": { "Fn::Join": ["", ["arn:aws:execute-api:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":", { "Ref": "RecommenderApi" }, "/*"]] }
      }
    },
    "RecommenderApi": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "EndpointConfiguration": { "Types": ["EDGE"] },
        "Description": "RecommenderAPI",
        "Name": { "Fn::Sub": "RecommenderApi-${AppEnv}-${DeployTag}" },
        "Policy": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": { "Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*/*" },
            "Condition": { "IpAddress": { "aws:SourceIp": ["14.98.8.190/32"] } }
          }]
        }
      }
    },
    "ApiGatewayAccount": {
      "Type": "AWS::ApiGateway::Account",
      "Properties": {
        "CloudWatchRoleArn": { "Fn::ImportValue": "cloudwatchRole" }
      }
    },
    "ApiDeployment": {
      "Type": "AWS::ApiGateway::Deployment",
      "DependsOn": ["OfferPostMethod", "OrderPostMethod"],
      "Properties": {
        "RestApiId": { "Ref": "RecommenderApi" },
        "StageName": "dev"
      }
    },
    "ProcessInput": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "RestApiId": { "Ref": "RecommenderApi" },
        "ParentId": { "Fn::GetAtt": ["RecommenderApi", "RootResourceId"] },
        "PathPart": "process-input"
      }
    },
    "OfferLevel": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "RestApiId": { "Ref": "RecommenderApi" },
        "ParentId": { "Ref": "ProcessInput" },
        "PathPart": "offer-level"
      }
    },
    "OrderLevel": {
      "Type": "AWS::ApiGateway::Resource",
      "Properties": {
        "RestApiId": { "Ref": "RecommenderApi" },
        "ParentId": { "Ref": "ProcessInput" },
        "PathPart": "order-level"
      }
    },
    "OfferPostMethod": {
      "DependsOn": "RecommenderLambda",
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "RestApiId": { "Ref": "RecommenderApi" },
        "ResourceId": { "Ref": "OfferLevel" },
        "HttpMethod": "POST",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "AWS_PROXY",
          "IntegrationHttpMethod": "POST",
          "Uri": { "Fn::Join": ["", ["arn:aws:apigateway:", { "Ref": "AWS::Region" }, ":lambda:path/2015-03-31/functions/", { "Fn::GetAtt": ["RecommenderLambda", "Arn"] }, "/invocations"]] },
          "IntegrationResponses": [{
            "StatusCode": 200,
            "ResponseTemplates": {
              "application/json": "$input.json('$.body')"
            }
          }]
        }
      }
    },
    "OrderPostMethod": {
      "DependsOn": "RecommenderLambda",
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "RestApiId": { "Ref": "RecommenderApi" },
        "ResourceId": { "Ref": "OrderLevel" },
        "HttpMethod": "POST",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "AWS_PROXY",
          "IntegrationHttpMethod": "POST",
          "Uri": { "Fn::Join": ["", ["arn:aws:apigateway:", { "Ref": "AWS::Region" }, ":lambda:path/2015-03-31/functions/", { "Fn::GetAtt": ["RecommenderLambda", "Arn"] }, "/invocations"]] },
          "IntegrationResponses": [{
            "StatusCode": 200,
            "ResponseTemplates": {
              "application/json": "$input.json('$.body')"
            }
          }]
        }
      }
    }
  },
  "Outputs": {
    "RootUrl": {
      "Description": "Root URL of the API gateway",
      "Value": { "Fn::Join": ["", ["https://", { "Ref": "RecommenderApi" }, ".execute-api.", { "Ref": "AWS::Region" }, ".amazonaws.com"]] }
    },
    "OfferUrl": {
      "Description": "URL of the offer-level endpoint on the dev stage",
      "Value": { "Fn::Join": ["", ["https://", { "Ref": "RecommenderApi" }, ".execute-api.", { "Ref": "AWS::Region" }, ".amazonaws.com", "/dev/process-input/offer-level"]] }
    },
    "OrderUrl": {
      "Description": "URL of the order-level endpoint on the dev stage",
      "Value": { "Fn::Join": ["", ["https://", { "Ref": "RecommenderApi" }, ".execute-api.", { "Ref": "AWS::Region" }, ".amazonaws.com", "/dev/process-input/order-level"]] }
    }
  }
}