如何在AWS CDK Policy Statement AddAction方法中嵌套键值对?
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了如何在AWS CDK Policy Statement AddAction方法中嵌套键值对?相关的知识,希望对你有一定的参考价值。
我目前正在尝试使用带有.NET应用程序的AWS CDK复制另一个开发人员的powershell脚本功能。他正在使用VaporShell生成CloudFormation模板(YAML)。我在下面放了CloudFormation模板(我已经为这篇文章制作了许多通用名称)。我放了一个指向键值对的箭头让我头疼。
Resources:
rSNSTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: 'SNS topic'
TopicName: 'SNS Topic'
rSNSPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- !Ref 'rSNSTopic'
PolicyDocument:
Statement:
- Condition:
StringEquals:
AWS:SourceOwner: 'CurrentAcct' <=== This is the key/value pair.
Action:
- SNS:Publish
- SNS:RemovePermission
- SNS:SetTopicAttributes
- SNS:DeleteTopic
- SNS:ListSubscriptionsByTopic
- SNS:GetTopicAttributes
- SNS:Receive
- SNS:AddPermission
- SNS:Subscribe
Resource: !Ref 'rSNSTopic'
Effect: Allow
Sid: Default
Principal:
AWS: '*'
Version: '2012-10-17'
我已经能够使用C#app和AWS CDK生成另一个CloudFormation模板。除了生成上面突出显示的键值对之外,它几乎完全有效。我尝试使用数组,生成一个新的策略声明对象并使用.NET中的键/值对对象。我将在下面列出这三个尝试中的每一个的示例和相应的输出。有没有人知道以上面显示的相同方式生成键/值对的方法?当然使用CDK和C#。
尝试1:使用字符串数组。
C#代码(下):
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
var topicPolicyStatement1 = new PolicyStatement(0)
.Describe("Default")
.AddAwsPrincipal("*")
.AddActions("- SNS:Publish
" +
"- SNS:RemovePermission
" +
"- SNS:SetTopicAttributes
" +
"- SNS:DeleteTopic
" +
"- SNS:ListSubscriptionsByTopic
" +
"- SNS:GetTopicAttributes
" +
"- SNS:Receive
" +
"- SNS:AddPermission
" +
"- SNS:Subscribe
")
.AddCondition("StringEquals",
new [] {"AWS:SourceOwner", "pTestAccnt"}) <=== Using an array as the second .AddCondition parameter.
.AddCondition("aws:SourceArn", topic.TopicArn)
.AddResource(topic.TopicArn);
topic.AddToResourcePolicy(topicPolicyStatement1);
topic.AddToResourcePolicy(topicPolicyStatement2);
CloudFormation模板的生成键/值对部分(如下):
Condition:
StringEquals:
- AWS:SourceOwner
- TestAccnt
尝试2:使用新的策略声明对象。
C#代码(下):
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
var topicPolicyStatement1 = new PolicyStatement(0)
.Describe("Default")
.AddAwsPrincipal("*")
.AddActions("- SNS:Publish
" +
"- SNS:RemovePermission
" +
"- SNS:SetTopicAttributes
" +
"- SNS:DeleteTopic
" +
"- SNS:ListSubscriptionsByTopic
" +
"- SNS:GetTopicAttributes
" +
"- SNS:Receive
" +
"- SNS:AddPermission
" +
"- SNS:Subscribe
")
.AddCondition("StringEquals",
new PolicyStatement(0).AddCondition("AWS:SourceOwner", "pTestAccnt")) <=== Using a policy statement as the second .AddCondition parameter.
.AddCondition("aws:SourceArn", topic.TopicArn)
.AddResource(topic.TopicArn);
topic.AddToResourcePolicy(topicPolicyStatement1);
topic.AddToResourcePolicy(topicPolicyStatement2);
CloudFormation模板的生成键/值对部分(如下):
Condition:
StringEquals:
Condition: <=== This solution creates a second condition key which throws an error in AWS CloudFormation.
AWS:SourceOwner: TestAccnt <=== This key value pair looks correct.
尝试3:使用.NETnew策略语句对象中的键/值对象。
C#代码(下):
var topic = new Topic(this, "rSNSTopic", new TopicProps
{
DisplayName = "SNS topic",
TopicName = "SNS topic"
});
var topicPolicyStatement1 = new PolicyStatement(0)
.Describe("Default")
.AddAwsPrincipal("*")
.AddActions("- SNS:Publish
" +
"- SNS:RemovePermission
" +
"- SNS:SetTopicAttributes
" +
"- SNS:DeleteTopic
" +
"- SNS:ListSubscriptionsByTopic
" +
"- SNS:GetTopicAttributes
" +
"- SNS:Receive
" +
"- SNS:AddPermission
" +
"- SNS:Subscribe
")
.AddCondition("StringEquals",
new KeyValuePair<string, string>("AWS:SourceOwner", "pTestAccnt")) <=== Using a policy statement as the second .AddCondition parameter.
.AddCondition("aws:SourceArn", topic.TopicArn)
.AddResource(topic.TopicArn);
topic.AddToResourcePolicy(topicPolicyStatement1);
topic.AddToResourcePolicy(topicPolicyStatement2);
这种方法会引发错误。我怀疑它与JSII运行时编译/解释我在C#应用程序中使用的键/值对对象有关。
命令行的整个输出(如下):
Unhandled Exception: System.ArgumentException: Could not infer JSII type for .NET type 'KeyValuePair`2'
Parameter name: type
at Amazon.JSII.Runtime.Services.Converters.FrameworkToJsiiConverter.InferType(IReferenceMap referenceMap, Type type)
at Amazon.JSII.Runtime.Services.Converters.ValueConverter.ConvertAny(IReferenceMap referenceMap, Object value)
at Amazon.JSII.Runtime.Services.Converters.ValueConverter.TryConvertPrimitive(IReferenceMap referenceMap, Object value, Boolean isOptional, PrimitiveType primitiveType, Object& result)
at Amazon.JSII.Runtime.Services.Converters.ValueConverter.TryConvert(TypeReference typeReference, IReferenceMap referenceMap, Object value, Object& result)
at Amazon.JSII.Runtime.Deputy.DeputyBase.<>c__DisplayClass20_0.<ConvertArguments>b__0(Parameter parameter, Object frameworkArgument)
at System.Linq.Enumerable.ZipIterator[TFirst,TSecond,TResult](IEnumerable`1 first, IEnumerable`1 second, Func`3 resultSelector)+MoveNext()
at System.Collections.Generic.LargeArrayBuilder`1.AddRange(IEnumerable`1 items)
at System.Collections.Generic.EnumerableHelpers.ToArray[T](IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Amazon.JSII.Runtime.Deputy.DeputyBase.<InvokeMethodCore>g__GetResult|18_0[T](<>c__DisplayClass18_0`1& )
at Amazon.JSII.Runtime.Deputy.DeputyBase.InvokeMethodCore[T](JsiiMethodAttribute methodAttribute, Object[] arguments, Func`3 beginFunc, Func`3 invokeFunc)
at Amazon.JSII.Runtime.Deputy.DeputyBase.InvokeInstanceMethod[T](Object[] arguments, String methodName)
at HelloCdk.TestStack..ctor(App parent, String name, IStackProps props) in C:UsersSomeUserDocumentsgitSomeGITRepoSingleStackGeneratorsrcHelloCdkTestStack.cs:line 57
at HelloCdk.Program.Main(String[] args) in C:UsersSomeUserDocumentsgitSomeGITRepoSingleStackGeneratorsrcHelloCdkProgram.cs:line 18
(node:39548) UnhandledPromiseRejectionWarning: Error: EPIPE: broken pipe, write
at Object.writeSync (fs.js:569:3)
at t.SyncStdio.writeBuffer (C:UsersSomeUserAppDataLocalTempgnh3dhha.5kfjsii-runtime.js:1:165352)
at t.SyncStdio.writeLine (C:UsersSomeUserAppDataLocalTempgnh3dhha.5kfjsii-runtime.js:1:164892)
at t.InputOutput.write (C:UsersSomeUserAppDataLocalTempgnh3dhha.5kfjsii-runtime.js:1:164341)
at t.KernelHost.writeError (C:UsersSomeUserAppDataLocalTempgnh3dhha.5kfjsii-runtime.js:1:79440)
at i.then.catch.e (C:UsersSomeUserAppDataLocalTempgnh3dhha.5kfjsii-runtime.js:1:79101)
(node:39548) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:39548) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
Subprocess exited with error 3762504530
我想出了一个解决方案。 C#中的“dictionary”对象是完美的,JSII运行时也会编译它。
以上是关于如何在AWS CDK Policy Statement AddAction方法中嵌套键值对?的主要内容,如果未能解决你的问题,请参考以下文章
如何在 AWS CDK 的“CodeBuildAction”中指定区域?
如何在部署前从@aws-cdk/aws-appsync 检索 schema.graphql 文件
如何使用 aws-cdk 从 AWS Secrets Manager 导入 EKS 密钥?