テンプレートは下記のような感じです。
suz-lab_iam-base.json
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "SUZ-LAB Formation IAM Base",
"Mappings": {
"AvailabilityZoneMap": {
"ap-northeast-1": {
"AzA": "ap-northeast-1a",
"AzB": "ap-northeast-1b",
"AzC": "ap-northeast-1c"
}
}
},
"Parameters": {
"PowerUserName": {
"Default": "power-user",
"Description": "Power User Name",
"Type": "String"
}
},
"Resources": {
"IAMRolePowerUser": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [ {
"Effect": "Allow",
"Principal": { "Service": [ "ec2.amazonaws.com" ] },
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"IAMPolicyPowerUser": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": { "Ref": "PowerUserName" },
"PolicyDocument": {
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "IAMRolePowerUser" } ]
}
},
"IAMInstanceProfilePowerUser": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "IAMRolePowerUser" } ]
}
}
},
"Outputs": {
"GithubMarkdown": {
"Description": "Github Markdown",
"Value": "https://github.com/suz-lab/suz-lab-centos-ami/blob/master/share/cloudfromation/suz-lab_iam-base.md"
},
"GithubJson": {
"Description": "Github JSON",
"Value": "https://github.com/suz-lab/suz-lab-centos-ami/blob/master/share/cloudfromation/suz-lab_iam-base.json"
},
"S3JsonApNortheast1": {
"Description": "S3 JSON ap-northeast-1",
"Value": "http://ap-northeast-1.template.suz-lab.com.s3.amazonaws.com/template/suz-lab_iam-base/0.0.1.json"
},
"CacooImage": {
"Description": "Cacoo Image",
"Value": "https://cacoo.com/diagrams/XXXXXXXXXXXXXXXX-XXXXX.png"
}
}
}
上記のテンプレートでCloudFormationのスタックを下記のように作成してみます。
IAMの方も、該当Roleが作成されています。
当然、EC2起動時に、そのRoleを指定することもできます。
社内をヒアリングして、いつも作ってるIAMリソースを洗い出そう。
--------
http://www.suz-lab.com
0 コメント:
コメントを投稿