I have a bunch of cloud formation templates that have conditional resources in them for alerting. Only the prod stacks get these resources created. I need my IAM policy I am creating in the stack to reflect those conditional resources. So far I am not finding a way to do this. I have tried using Condition: in a separate policy document and it seems to ignore it.
I'd check out the Fn::If intrinsic function. It's really useful for stuff like this. For example, if I have a ShouldGenerateBucket condition, and two buckets, constant-bucket that will always be created and conditional-bucket that might be, I can use that in my policy like:

    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "RoleAccess"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action: "s3:*"
            Resource:
              - arn:aws:s3:::constant-bucket
              - !If
                - ShouldGenerateBucket
                - arn:aws:s3:::conditional-bucket
                - !Ref AWS::NoValue

This will add the additional resource if ShouldGenerateBucket is true, but ignore it otherwise.
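A complete template that applies the answer's Fn::If / AWS::NoValue pattern to the alerting case from the question, as an added example that is not part of the original answer. The EnvType parameter, the IsProd condition and the resource names are assumed; unlike the answer, it drops the whole SNS statement outside prod rather than only the ARN.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  EnvType:
    Type: String
    AllowedValues: [dev, prod]
    Default: dev
Conditions:
  # Assumed condition name: true only for prod stacks, which get alerting
  IsProd: !Equals [!Ref EnvType, prod]
Resources:
  AlertTopic:
    Type: AWS::SNS::Topic
    Condition: IsProd            # conditional resource, created only in prod
  AppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
  AppPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AppAccess
      Roles: [!Ref AppRole]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Unconditional permission, present in every stack
          - Effect: Allow
            Action: logs:PutLogEvents
            Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/app/*
          # Whole statement is removed when IsProd is false, so a dev stack
          # never carries a grant on a topic that does not exist there.
          # Referencing the conditional AlertTopic is allowed here because
          # the Fn::If uses the same condition as the resource.
          - !If
            - IsProd
            - Effect: Allow
              Action: sns:Publish
              Resource: !Ref AlertTopic
            - !Ref AWS::NoValue
```

IAM does not check that a Resource ARN exists, so a policy written without the Fn::If would deploy fine in dev while granting sns:Publish on a topic name that nobody in that stack controls; removing the statement keeps each stack's policy at least privilege for the resources it actually has.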