Wednesday, December 26, 2012

Creating an "IAM Role" with CloudFormation

This is Suzuki.

The template looks like this:

suz-lab_iam-base.json
{
    "AWSTemplateFormatVersion": "2010-09-09", 
    "Description": "SUZ-LAB Formation IAM Base", 
    "Mappings": {
        "AvailabilityZoneMap": {
            "ap-northeast-1": {
                "AzA": "ap-northeast-1a", 
                "AzB": "ap-northeast-1b", 
                "AzC": "ap-northeast-1c"
            }
        }
    }, 
    "Parameters": {
        "PowerUserName": {
            "Default": "power-user", 
            "Description": "Power User Name", 
            "Type": "String"
        }
    }, 
    "Resources": {
        "IAMRolePowerUser": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Statement": [ {
                        "Effect": "Allow",
                        "Principal": { "Service": [ "ec2.amazonaws.com" ] },
                        "Action": [ "sts:AssumeRole" ]
                    } ]
                },
                "Path": "/"
            }
        },
        "IAMPolicyPowerUser": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": { "Ref": "PowerUserName" },
                "PolicyDocument": {
                    "Statement": [ {
                        "Effect": "Allow",
                        "NotAction": "iam:*",
                        "Resource": "*"
                    } ]
                },
                "Roles": [ { "Ref": "IAMRolePowerUser" } ]
            }
        },
        "IAMInstanceProfilePowerUser": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {
                "Path": "/",
                "Roles": [ { "Ref": "IAMRolePowerUser" } ]
            }
        }
    },
    "Outputs": {
        "GithubMarkdown": {
            "Description": "Github Markdown",
            "Value": "https://github.com/suz-lab/suz-lab-centos-ami/blob/master/share/cloudfromation/suz-lab_iam-base.md"
        }, 
        "GithubJson": {
            "Description": "Github JSON",
            "Value": "https://github.com/suz-lab/suz-lab-centos-ami/blob/master/share/cloudfromation/suz-lab_iam-base.json"
        }, 
        "S3JsonApNortheast1": {
            "Description": "S3 JSON ap-northeast-1",
            "Value": "http://ap-northeast-1.template.suz-lab.com.s3.amazonaws.com/template/suz-lab_iam-base/0.0.1.json"
        }, 
        "CacooImage": {
            "Description": "Cacoo Image",
            "Value": "https://cacoo.com/diagrams/XXXXXXXXXXXXXXXX-XXXXX.png"
        }
    } 
}

Let's create a CloudFormation stack from the template above, as shown below.


The corresponding Role has also been created on the IAM side.


Naturally, you can also specify that Role when launching an EC2 instance.
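As an added example (not part of the original post or the suz-lab repository), here is a small Python checker that reads the Resources section of this template and reports what its IAM resources actually grant. Two things are worth knowing before launching instances with this profile: the trust policy lets only ec2.amazonaws.com assume the role, which is what an instance role should look like, and the "power-user" statement uses Allow with "NotAction": "iam:*" on "Resource": "*", which permits every action in every service other than IAM, including APIs that did not exist when the template was written. The inlined template is trimmed (Parameters, Mappings and Outputs dropped, PolicyName fixed to the parameter's default "power-user"); those simplifications are assumptions made for the example.

```python
import json

# Constructed input: the Resources section of the suz-lab_iam-base.json template from
# this post, inlined so the check runs offline (PolicyName fixed to the parameter default).
TEMPLATE_JSON = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "IAMRolePowerUser": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": { "Statement": [ {
          "Effect": "Allow",
          "Principal": { "Service": [ "ec2.amazonaws.com" ] },
          "Action": [ "sts:AssumeRole" ]
        } ] },
        "Path": "/"
      }
    },
    "IAMPolicyPowerUser": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "power-user",
        "PolicyDocument": { "Statement": [ {
          "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"
        } ] },
        "Roles": [ { "Ref": "IAMRolePowerUser" } ]
      }
    },
    "IAMInstanceProfilePowerUser": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": { "Path": "/", "Roles": [ { "Ref": "IAMRolePowerUser" } ] }
    }
  }
}
'''

def as_list(value):
    """IAM policy fields accept a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def load_template(text=TEMPLATE_JSON):
    return json.loads(text)

def trust_principals(statement):
    """Every principal named by one trust-policy statement; '*' means anyone."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    found = set()
    for key in ("AWS", "Service", "Federated"):
        found.update(as_list(principal.get(key, [])))
    return found

def check_template(template):
    """Review IAM resources; returns (logical id, severity, message) tuples."""
    resources = template.get("Resources", {})
    findings = []

    # Roles referenced by an InstanceProfile are worn by EC2 instances, so their
    # trust policy should name only AWS service principals.
    instance_roles = set()
    for res in resources.values():
        if res.get("Type") == "AWS::IAM::InstanceProfile":
            for ref in res.get("Properties", {}).get("Roles", []):
                if isinstance(ref, dict) and "Ref" in ref:
                    instance_roles.add(ref["Ref"])

    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            doc = props.get("AssumeRolePolicyDocument", {})
            for st in as_list(doc.get("Statement", [])):
                if st.get("Effect") != "Allow":
                    continue
                who = trust_principals(st)
                if "*" in who:
                    findings.append((name, "high", "any principal may assume the role"))
                foreign = sorted(p for p in who if not p.endswith(".amazonaws.com"))
                if name in instance_roles and foreign:
                    findings.append((name, "medium",
                                     "instance role trusts non-service principals: %s" % ", ".join(foreign)))
        elif res.get("Type") == "AWS::IAM::Policy":
            doc = props.get("PolicyDocument", {})
            for st in as_list(doc.get("Statement", [])):
                if st.get("Effect") != "Allow" or "*" not in as_list(st.get("Resource", [])):
                    continue
                if "NotAction" in st:
                    # Allow + NotAction grants everything outside the excluded set,
                    # including APIs that did not exist when the policy was written.
                    findings.append((name, "high",
                                     "Allow with NotAction %s on Resource * grants every other action"
                                     % as_list(st["NotAction"])))
                elif any(a == "*" or a.endswith(":*") for a in as_list(st.get("Action", []))):
                    findings.append((name, "high", "Allow with wildcard Action on Resource *"))
    return findings
```

Running `check_template(load_template())` on the post's template yields one finding, for IAMPolicyPowerUser, and none for the role, because its only principal is ec2.amazonaws.com. The checker cross-references AWS::IAM::InstanceProfile resources so that a role attached to an instance profile is held to a stricter standard than a role meant for humans: anything in its trust policy that is not an AWS service principal is reported.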


Next, I should ask around the company and take stock of the IAM resources we always end up creating.
--------
http://www.suz-lab.com
