How do I make Cloudformation give more verbose debugging output?


Question

I'm attempting to automate creation of some IAM policies (technically, these are KMS key policies, but I think that doesn't matter in this case) in Cloudformation in a way that avoids any real hard-coded strings. However, this entails a lot of Joins and References, and while I can validate that the yaml is well-formed and the stack will execute, it fails and the policy that is being generated returns a MalformedPolicyDocument exception.

Is it possible to have Cloudformation print or log the resultant policy it generates so that I can see what the discrepancy is?

Here's a small snippet; I've double-checked that the parameters referenced here are defined correctly:

```yaml
- Sid: "Allow security roles in all accounts to encrypt data"
  Effect: "Allow"
  Principal:
    AWS:
      - !Join
        - ''
        - - 'arn:aws:iam::'
          - !Ref "AWS::AccountId"
          - ':role/'
          - !Ref SecurityRolePrefix
      - !Join
        - ''
        - - 'arn:aws:iam::'
          - !Ref AdditionalAccount1
          - ':role/'
          - !Ref SecurityRolePrefix
      - !Join
        - ''
        - - 'arn:aws:iam::'
          - !Ref AdditionalAccount2
          - ':role/'
          - !Ref SecurityRolePrefix
  # Action and Resource are statement-level keys, siblings of Principal,
  # not children of it
  Action: "kms:GenerateDataKey*"
  Resource: '*'
```

Answer 1

Score: 2

Fn::Sub has easier syntax than Fn::Join if you're joining with empty strings:

```yaml
!Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${SecurityRolePrefix}
```

IAM ARNs documentation

The CloudFormation Linter and its Visual Studio Code extension can help you debug while you write your template.

You can also see the exact API calls CloudFormation made in CloudTrail.

Some resources like EC2 and Lambda resources may also emit CloudWatch logs.
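CloudFormation itself will not print the rendered policy, but the intrinsic functions involved here (Ref, Fn::Join, Fn::Sub) are simple enough to resolve locally against a chosen set of parameter values, which gets you the document KMS actually receives before you ever run a stack update. The following is an added example, not code from the question, the answer, or AWS: it resolves the question's statement (written in CloudFormation's JSON syntax, with two of the principals switched to the Fn::Sub form from the answer so you can see both render identically) and then runs the structural checks that most often produce MalformedPolicyDocument. The account IDs, the role name `SecurityAudit`, and the pseudo-parameter values are constructed for illustration.

```python
"""
Render a CloudFormation policy fragment locally by resolving Ref, Fn::Join and
Fn::Sub against chosen parameter values, then run the structural checks that
commonly produce MalformedPolicyDocument on a KMS key policy.

Added example, not code from the question or answer. Parameter values, account
IDs and the role name are constructed for illustration.
"""
import json
import re

# Pseudo-parameter values assumed for local rendering (the stack supplies the real ones).
PSEUDO_PARAMS = {
    "AWS::AccountId": "111111111111",
    "AWS::Partition": "aws",
    "AWS::Region": "us-east-1",
}

SUB_VAR_RE = re.compile(r"\$\{([^}]+)\}")
# Principal.AWS values accepted by this check: "*", a bare account ID, or an IAM
# ARN for root, a role or a user in a known partition.
PRINCIPAL_RE = re.compile(
    r"^(\*|\d{12}|arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:(root|(role|user)/[\w+=,.@/-]+))$"
)


def resolve(node, params):
    """Recursively resolve Ref, Fn::Join and Fn::Sub in a JSON-syntax template node.

    Only the ${Name} form of Fn::Sub is handled; ${Resource.Attribute} (GetAtt)
    does not occur in a policy fragment like this one.
    """
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            if arg in params:
                return params[arg]
            if arg in PSEUDO_PARAMS:
                return PSEUDO_PARAMS[arg]
            raise KeyError(f"unresolved Ref: {arg}")
        if fn == "Fn::Join":
            delimiter, parts = arg
            return delimiter.join(str(resolve(p, params)) for p in parts)
        if fn == "Fn::Sub":
            if isinstance(arg, list):          # [template, {Name: value}] form
                template, extra = arg
                scope = {**params, **{k: resolve(v, params) for k, v in extra.items()}}
            else:
                template, scope = arg, params

            def expand(match):
                name = match.group(1)
                if name.startswith("!"):       # ${!Literal} is an escape, not a variable
                    return "${" + name[1:] + "}"
                return str(resolve({"Ref": name}, scope))

            return SUB_VAR_RE.sub(expand, template)
    return {k: resolve(v, params) for k, v in node.items()}


def check_statement(stmt):
    """Return human-readable problems found in one *rendered* policy statement."""
    problems = []
    sid = stmt.get("Sid", "<no Sid>")
    for key in ("Effect", "Action", "Resource"):
        if key not in stmt:
            problems.append(f"{sid}: missing statement-level key {key}")
    if "Effect" in stmt and stmt["Effect"] not in ("Allow", "Deny"):
        problems.append(f"{sid}: Effect must be Allow or Deny")
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if not PRINCIPAL_RE.match(p):
                problems.append(f"{sid}: bad principal ARN {p!r}")
    return problems


# Constructed sample: the question's statement in CloudFormation JSON syntax. The
# first principal keeps the Fn::Join form; the other two use the Fn::Sub form.
SAMPLE_STATEMENT = {
    "Sid": "Allow security roles in all accounts to encrypt data",
    "Effect": "Allow",
    "Principal": {"AWS": [
        {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"},
                           ":role/", {"Ref": "SecurityRolePrefix"}]]},
        {"Fn::Sub": "arn:${AWS::Partition}:iam::${AdditionalAccount1}:role/${SecurityRolePrefix}"},
        {"Fn::Sub": "arn:${AWS::Partition}:iam::${AdditionalAccount2}:role/${SecurityRolePrefix}"},
    ]},
    "Action": "kms:GenerateDataKey*",
    "Resource": "*",
}
SAMPLE_PARAMS = {
    "SecurityRolePrefix": "SecurityAudit",   # assumed role name
    "AdditionalAccount1": "222222222222",    # constructed account IDs
    "AdditionalAccount2": "333333333333",
}


def render_statement(stmt=SAMPLE_STATEMENT, params=SAMPLE_PARAMS):
    """The statement as CloudFormation would hand it to KMS."""
    return resolve(stmt, params)


def lint_statement(stmt=SAMPLE_STATEMENT, params=SAMPLE_PARAMS):
    """Render and check; an empty list means the structure looks sound."""
    return check_statement(render_statement(stmt, params))


if __name__ == "__main__":
    print(json.dumps(render_statement(), indent=2))
    print("problems:", lint_statement())
    # A blank parameter value is a common culprit: the ARN renders with no account ID.
    print("problems with blank AdditionalAccount1:",
          lint_statement(params={**SAMPLE_PARAMS, "AdditionalAccount1": ""}))
```

Two things this catches that a YAML validator does not: a parameter whose value is empty or not a 12-digit account ID renders an ARN such as `arn:aws:iam:::role/SecurityAudit`, and an `Action` or `Resource` key that has been indented under `Principal` leaves the statement without them. What local rendering cannot catch is a principal that does not exist: KMS rejects a key policy naming a role that is not present in the target account with the same MalformedPolicyDocument error, so once the rendered ARNs look right, confirm each one actually exists in its account.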

huangapple
  • Posted on 2020-01-07 01:49:24
  • Please keep this link when reposting: https://go.coder-hub.com/59616672.html