如何在CloudFormation中获取SSM文档的ARN?

问题描述 投票:0回答:2

我有一个 CloudFormation 模板,它创建一个 

AWS::Events::Rule
和一个 
AWS::SSM::Document
。我需要为 
Targets
提供 
SSM::Rule
列表,但每个目标都需要一个 
ARN
:

mySSMDocument:
  Type: AWS::SSM::Document
  Properties:
    DocumentType: 'Command'
    Content:
      schemaVersion: '2.2'
      description: "Code that will be run on EC2"
      mainSteps:
        - action: "aws:runShellScript"
          name: runShellScript
          inputs:
            runCommand:
              - 'Some command to execute'
myEventRule:
  Type: AWS::Events::Rule
  Properties:
    Description: "A description for the Rule."
    EventPattern: 
      source:
        - "aws.autoscaling"
      detail-type:
        - "EC2 Instance-terminate Lifecycle Action"
      detail:
        AutoScalingGroupName:
          - !Ref 'someAutoScalingGroupInThisTemplate'
    RoleArn: 'some role ARN'
    State: "ENABLED"
    Targets:
      - Id: "some-unique-id"
        Arn: <-- This is the value that I need to fill in.
        RunCommandParameters:
          RunCommandTargets:
            - Key: "tag: Name"
              Values:
                - 'The name of the EC2 machine'

我认为我需要将 

<-- This is the value that I need to fill in.
替换为 
ARN
mySSMDocument
,但我没有看到任何方法可以从模板本身中检索此值。 文档未在 
GetAtt
上指定任何允许获取 
SSM::Document
ARN
功能。有谁知道如何解决这个问题吗?

amazon-web-services aws-cloudformation ssm
2个回答
8
投票

这是文档的ARN模式

arn:${分区}:ssm:${区域}:${帐户}:文档/${文档名称}

示例:

arn:aws:ssm:us-east-2:12345678912:文档/demoooo

您可以使用 

Ref
函数获取文档名称,然后 
Sub
创建最终的 ARN

请参阅:https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html#awssystemsmanager-resources-for-iam-policies

7
投票
!Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${mySSMDocument}

使用AWS::SSM::Document

返回值、分区、区域和AccountId
的伪参数以及
AWS::SSM::Document内在函数生成
Sub
ARN格式
    

    

    


  

  

    
最新问题


  





  

    © www.soinside.com 2019 - 2024. All rights reserved.