如何从另一个模板向现有SQS QueuePolicy添加新语句?

本文介绍了如何从另一个模板向现有SQS QueuePolicy添加新语句?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我有2个具有不同Cloudformation YAML模板的服务，并想向生产者服务中定义的队列策略添加另一个策略(以允许消费者接收和删除消息).但是，我当前的解决方案只是覆盖现有策略，而不是附加现有策略(即，仅消费者服务角色保留在策略中).

I have 2 services with different Cloudformation YAML templates and want to add another policy to a queue policy defined in producer service (to allow consumer to receive and delete messages). However, my current solution simply overrides the existing policy instead of appending it (i. e., only consumer service role remains in the policy).

这是生产者的Cloudformation模板SQS部分:

This is Cloudformation template SQS part for producer:

ProducerQueuePolicy: Type: AWS::SQS::QueuePolicy Properties: PolicyDocument: Version: '2012-10-17' Id: SQSPolicy Statement: - Effect: Allow Principal: AWS: - !GetAtt ServiceRole.Arn Resource: !GetAtt ProducerQueue.Arn Action: - 'sqs:DeleteMessage' - 'sqs:ReceiveMessage' - 'sqs:ListQueues' - 'sqs:SendMessage' - 'sqs:GetQueueUrl' - 'sqs:GetQueueAttributes' Queues: [ !Ref ProducerQueue ] ProducerDeadLetterQueue: Type: 'AWS::SQS::Queue' Properties: QueueName: !Sub "${AWS::StackName}-ProducerDLQ.fifo" FifoQueue: true ContentBasedDeduplication: false ProducerQueue: Type: 'AWS::SQS::Queue' Properties: QueueName: !Sub "${AWS::StackName}-ProducerQueue.fifo" FifoQueue: true MessageRetentionPeriod: 1209600 ContentBasedDeduplication: false RedrivePolicy: deadLetterTargetArn: !GetAtt ProducerDeadLetterQueue.Arn maxReceiveCount: 9 # Outputs ------------------------------------------------------------------------- Outputs: ProducerQueueUrl: Value: !Ref ProducerQueue Export: Name: ProducerQueueUrl ProducerQueueArn: Value: !GetAtt ProducerQueue.Arn Export: Name: ProducerQueueArn

这是面向消费者的Cloudformation:

And this is Cloudformation for consumer:

#SQS policy configuration for consumer ProducerQueueConsumptionPolicy: Type: AWS::SQS::QueuePolicy Properties: PolicyDocument: Version: '2012-10-17' Id: SQSConsumptionPolicy Statement: - Effect: Allow Principal: AWS: - !GetAtt ServiceRole.Arn Resource: Fn::ImportValue: ProducerQueueArn Action: - 'sqs:DeleteMessage' - 'sqs:ReceiveMessage' - 'sqs:GetQueueUrl' - 'sqs:GetQueueAttributes' Queues: - Fn::ImportValue: ProducerQueueUrl

要更改此行为需要做什么?

What needs to be done to change this behavior?

推荐答案

如果您只想合并队列策略，请编写一个cloudformation宏，该宏从模板中读取策略定义并将其与现有队列策略合并.会为宏提供模板的json版本，您可以在lambda中随意操作它，以便检查现有的队列策略并适当地更新模板.

If you just want to merge the queue policies, write a cloudformation macro that reads a policy definition from the template and merges it with the existing queue policy. The macro gets given a json version of the template and you can manipulate it how you like in a lambda so you can check for an existing queue policy and update the template appropriately.

docs.aws.amazon/AWSCloudFormation/latest/UserGuide/template-macros.html

另一种方法是削弱队列策略，以便帐户中的任何内容都允许大多数操作.然后，通过单独的角色向正在读写队列的任何对象(例如lambda)添加权限.因此，进行阅读的lambda将使用允许阅读的角色，而进行书写的lambda将使用允许写作的角色.

An alternative approach is just weaken the queue policy so that most operations are allowed by anything in the account. Then add permissions to whatever is reading and writing to the queue (eg lambdas) through separate roles. So the lambda doing the reading would use one role that allowed reading and the lambda doing the writing would use a different role that allowed writing.

很显然，这可能与您的安排方式不符，因此可能不适合您.

Obviously that might not fit in with how you've arranged you're security so might not be suitable.