I understand that SAM is built on top of CloudFormation, and there are some facilities within SAM to make it easier to construct the stack template.
I created a SAM Condition like:
Conditions:
  ProductTag: !Equals
    - 'aws:ResourceTag/Joba:Product'
    - !Ref Product
  EnvironmentTag: !Equals
    - 'aws:ResourceTag/Joba:Environment'
    - !Ref Environment
  TagsPolicy: !And
    - !Condition ProductTag
    - !Condition EnvironmentTag
And I tried to reference the TagsPolicy in the AWS::IAM::Role policies (last line).
DownloadBrokerageNotesStateMachineExecutionRole:
  Type: "AWS::IAM::Role"
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - !Sub states.${AWS::Region}.amazonaws.com
          Action: "sts:AssumeRole"
    Path: "/"
    Policies:
      - PolicyName: LambdaExecute
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "lambda:InvokeFunction"
              Resource:
                - !GetAtt RicoRobotAuthenticateFunction.Arn
              Condition: TagsPolicy
Running sam validate --lint gives me:
template.yaml is a valid SAM Template. This is according to basic SAM Validation
W8001 Condition TagsPolicy not used.
But running sam deploy throws the following error:
Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: d215f541-4f16-4050-ac48-04bda830e9dc; Proxy: null)
The following resource(s) failed to create: [DownloadBrokerageNotesStateMachineExecutionRole]. Rollback requested by user.
How can I reference the TagsPolicy there?
CodePudding user response:
The Condition key has several distinct usages in a template. You're mixing them up a bit.
- The template's top-level Conditions section defines rules governing the conditional creation of resources. The conditions are then optionally applied within resource definitions, also using the Condition key. CloudFormation evaluates these conditions at deploy-time, deploying only those resources where the condition is true. This isn't what you want.
- IAM policy statements accept an optional, unrelated Condition element to narrow the policy's applicability. Define the policy conditions in the statement itself. The conditions are part of the policy definition and are applied at run-time when the policy is evaluated.
DownloadBrokerageNotesStateMachineExecutionRole:
  Type: "AWS::IAM::Role"
  # Meaning #1: Applies a defined condition. Role is created only if the condition is true.
  # Not what you want
  Condition: IsProduction
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - !Sub states.${AWS::Region}.amazonaws.com
          Action: "sts:AssumeRole"
    Path: "/"
    Policies:
      - PolicyName: LambdaExecute
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "lambda:InvokeFunction"
              Resource:
                - !GetAtt RicoRobotAuthenticateFunction.Arn
              # Meaning #2: Defines the conditions under which the IAM policy applies.
              # This is what you want
              Condition:
                StringEquals:
                  "aws:ResourceTag/Joba:Product": !Ref Product
                  "aws:ResourceTag/Joba:Environment": !Ref Environment
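The mix-up above is easy to catch before `sam deploy` fails with MalformedPolicyDocument. The following is an added example, not code from the question or the answer: a small pre-deploy check that walks a template (here constructed inline as Python data in the JSON-equivalent intrinsic form, `Fn::Equals`/`Ref`/`Fn::GetAtt`, since a real run would first load the YAML) and flags a policy-statement `Condition` that is a bare string naming a template condition instead of a mapping of IAM condition operators. It also reports template conditions that no resource references, mirroring the W8001 wording the question quotes. The operator prefix list and the two sample templates are this example's own assumptions.

```python
"""Pre-deploy lint for the two meanings of `Condition` in a CloudFormation/SAM
template: resource-level (deploy-time, names a template condition) versus
IAM-statement-level (run-time, a mapping of IAM operators)."""

# Prefixes of the IAM condition operator families (String, Numeric, Date, ...).
# Set modifiers (ForAnyValue:/ForAllValues:) and the IfExists suffix are stripped
# before matching. Assumed list for this example; extend as needed.
IAM_OPERATOR_PREFIXES = ("String", "Numeric", "Date", "Bool", "BinaryEquals",
                         "IpAddress", "NotIpAddress", "Arn", "Null")


def is_iam_operator(key):
    """True if `key` looks like a valid IAM policy condition operator."""
    for modifier in ("ForAnyValue:", "ForAllValues:"):
        if key.startswith(modifier):
            key = key[len(modifier):]
    if key.endswith("IfExists"):
        key = key[: -len("IfExists")]
    return key.startswith(IAM_OPERATOR_PREFIXES)


def _statements(policy_document):
    stmts = policy_document.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def lint_conditions(template):
    """Return a list of human-readable findings; empty means no problems found."""
    findings = []
    template_conditions = set(template.get("Conditions", {}))
    used = set()
    for name, res in template.get("Resources", {}).items():
        # Meaning #1: a resource-level Condition must name a template condition.
        if "Condition" in res:
            cond = res["Condition"]
            if cond in template_conditions:
                used.add(cond)
            else:
                findings.append(f"{name}: resource Condition '{cond}' is not defined in Conditions")
        if res.get("Type") != "AWS::IAM::Role":
            continue
        # Meaning #2: a statement-level Condition must be a mapping of IAM operators.
        for policy in res.get("Properties", {}).get("Policies", []):
            where = f"{name}/{policy.get('PolicyName')}"
            for i, stmt in enumerate(_statements(policy.get("PolicyDocument", {}))):
                cond = stmt.get("Condition")
                if cond is None:
                    continue
                if isinstance(cond, str):
                    hint = (" (that is a template condition; IAM cannot evaluate it)"
                            if cond in template_conditions else "")
                    findings.append(f"{where}[{i}]: Condition must be a mapping of IAM "
                                    f"operators, got string '{cond}'{hint}")
                elif isinstance(cond, dict):
                    for op in cond:
                        if not is_iam_operator(op):
                            findings.append(f"{where}[{i}]: unknown IAM condition operator '{op}'")
    for unused in sorted(template_conditions - used):
        findings.append(f"W8001 Condition {unused} not used")  # same wording as cfn-lint
    return findings


def _role(statement_condition):
    """Constructed role resource shaped like the one in the question."""
    return {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"Service": [{"Fn::Sub": "states.${AWS::Region}.amazonaws.com"}]}}]},
            "Path": "/",
            "Policies": [{"PolicyName": "LambdaExecute", "PolicyDocument": {
                "Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": ["lambda:InvokeFunction"],
                     "Resource": [{"Fn::GetAtt": ["RicoRobotAuthenticateFunction", "Arn"]}],
                     "Condition": statement_condition}]}}],
        },
    }


# Constructed sample: the question's template (template conditions misused in a statement).
BROKEN_TEMPLATE = {
    "Conditions": {
        "ProductTag": {"Fn::Equals": ["aws:ResourceTag/Joba:Product", {"Ref": "Product"}]},
        "EnvironmentTag": {"Fn::Equals": ["aws:ResourceTag/Joba:Environment", {"Ref": "Environment"}]},
        "TagsPolicy": {"Fn::And": [{"Condition": "ProductTag"}, {"Condition": "EnvironmentTag"}]},
    },
    "Resources": {"DownloadBrokerageNotesStateMachineExecutionRole": _role("TagsPolicy")},
}

# Constructed sample: the answer's fix (IAM operators inside the statement, no template conditions).
FIXED_TEMPLATE = {
    "Resources": {"DownloadBrokerageNotesStateMachineExecutionRole": _role({"StringEquals": {
        "aws:ResourceTag/Joba:Product": {"Ref": "Product"},
        "aws:ResourceTag/Joba:Environment": {"Ref": "Environment"}}})},
}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, lint_conditions(tpl) or "no findings")
```

Run against the broken template the check reports the string `Condition` in the statement plus one W8001 line per unused template condition; the fixed template produces no findings. The check is conservative: it only confirms the operator names look like IAM operators, so a real deployment still relies on IAM's own validation of the condition keys and values.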