如何从另一个模板向现有SQS QueuePolicy添加新语句? [英] How to add a new statement to an existing SQS QueuePolicy from another template?
问题描述
我有2个具有不同Cloudformation YAML模板的服务,并想向生产者服务中定义的队列策略添加另一个策略(以允许消费者接收和删除消息).但是,我当前的解决方案只是覆盖现有策略,而不是附加现有策略(即,仅消费者服务角色保留在策略中).
I have 2 services with different Cloudformation YAML templates and want to add another policy to a queue policy defined in producer service (to allow consumer to receive and delete messages). However, my current solution simply overrides the existing policy instead of appending it (i. e., only consumer service role remains in the policy).
这是生产者的Cloudformation模板SQS部分:
This is Cloudformation template SQS part for producer:
ProducerQueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Id: SQSPolicy
Statement:
- Effect: Allow
Principal:
AWS:
- !GetAtt ServiceRole.Arn
Resource: !GetAtt ProducerQueue.Arn
Action:
- 'sqs:DeleteMessage'
- 'sqs:ReceiveMessage'
- 'sqs:ListQueues'
- 'sqs:SendMessage'
- 'sqs:GetQueueUrl'
- 'sqs:GetQueueAttributes'
Queues: [ !Ref ProducerQueue ]
ProducerDeadLetterQueue:
Type: 'AWS::SQS::Queue'
Properties:
QueueName: !Sub "${AWS::StackName}-ProducerDLQ.fifo"
FifoQueue: true
ContentBasedDeduplication: false
ProducerQueue:
Type: 'AWS::SQS::Queue'
Properties:
QueueName: !Sub "${AWS::StackName}-ProducerQueue.fifo"
FifoQueue: true
MessageRetentionPeriod: 1209600
ContentBasedDeduplication: false
RedrivePolicy:
deadLetterTargetArn: !GetAtt ProducerDeadLetterQueue.Arn
maxReceiveCount: 9
# Outputs -------------------------------------------------------------------------
Outputs:
ProducerQueueUrl:
Value: !Ref ProducerQueue
Export:
Name: ProducerQueueUrl
ProducerQueueArn:
Value: !GetAtt ProducerQueue.Arn
Export:
Name: ProducerQueueArn
这是面向消费者的Cloudformation:
And this is Cloudformation for consumer:
#SQS policy configuration for consumer
ProducerQueueConsumptionPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Id: SQSConsumptionPolicy
Statement:
- Effect: Allow
Principal:
AWS:
- !GetAtt ServiceRole.Arn
Resource:
Fn::ImportValue: ProducerQueueArn
Action:
- 'sqs:DeleteMessage'
- 'sqs:ReceiveMessage'
- 'sqs:GetQueueUrl'
- 'sqs:GetQueueAttributes'
Queues:
- Fn::ImportValue: ProducerQueueUrl
要更改此行为需要做什么?
What needs to be done to change this behavior?
推荐答案
如果您只想合并队列策略,请编写一个cloudformation宏,该宏从模板中读取策略定义并将其与现有队列策略合并.会为宏提供模板的json版本,您可以在lambda中随意操作它,以便检查现有的队列策略并适当地更新模板.
If you just want to merge the queue policies, write a cloudformation macro that reads a policy definition from the template and merges it with the existing queue policy. The macro gets given a json version of the template and you can manipulate it how you like in a lambda so you can check for an existing queue policy and update the template appropriately.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html
另一种方法是削弱队列策略,以便帐户中的任何内容都允许大多数操作.然后,通过单独的角色向正在读写队列的任何对象(例如lambda)添加权限.因此,进行阅读的lambda将使用允许阅读的角色,而进行书写的lambda将使用允许写作的角色.
An alternative approach is just weaken the queue policy so that most operations are allowed by anything in the account. Then add permissions to whatever is reading and writing to the queue (eg lambdas) through separate roles. So the lambda doing the reading would use one role that allowed reading and the lambda doing the writing would use a different role that allowed writing.
很显然,这可能与您的安排方式不符,因此可能不适合您.
Obviously that might not fit in with how you've arranged you're security so might not be suitable.
这篇关于如何从另一个模板向现有SQS QueuePolicy添加新语句?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
