Template name
The ACS-RAM-ApproveAttachCustomPolicyToUser template grants a custom policy to the RAM user who started the execution, once the request has been approved.
Template description
Grants a custom policy to the RAM user who started the execution, after the request is approved. The approvers receive the policy name and the full policy document in the DingTalk notification and should review both before approving, because the execution attaches the policy to the requester's own account.
Template type
Automatic
Owner
Alibaba Cloud
Input parameters
Parameter | Description | Data type | Required | Default value | Constraints |
policyDocument | The JSON document of the custom policy to attach to the RAM user. | String | Yes | | |
policyName | The name of the custom policy to attach to the RAM user. If a custom policy with this name already exists, it is attached as-is and policyDocument is not used. | String | Yes | | |
webHookUrl | The webhook URL of the DingTalk chatbot that receives the approval notification. | String | Yes | | |
atMobiles | The mobile numbers of the DingTalk group members to mention in the approval notification. | List | Yes | | |
approvers | The RAM users who may approve the request (the part of the username before the @). | List | Yes | | |
atAll | Whether to mention all members of the DingTalk group. | String | No | false | |
minRequiredApprovals | The minimum number of approvers who must approve before the policy is attached. | Number | No | 1 | |
OOSAssumeRole | The RAM role that CloudOps Orchestration Service (OOS) assumes to run the execution. | String | No | "" | |
Output parameters
Parameter | Description | Data type |
stackId | The ID of the ROS stack created by the createStack task (the path that attaches an already existing policy). | String |
Permission policy required to execute the template
{
"Version": "1",
"Statement": [
{
"Action": [
"ram:GetPolicy"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ros:CreateStack",
"ros:GetStack"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Details
ACS-RAM-ApproveAttachCustomPolicyToUser
Template content
FormatVersion: OOS-2019-06-01
Description:
  en: After approval, grants a custom permission to the RAM user who initiated the execution.
  name-en: ACS-RAM-ApproveAttachCustomPolicyToUser
  categories:
    - security
Parameters:
  policyDocument:
    Label:
      en: PolicyDocument
    Description:
      en: 'For example: { "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
    Type: String
    AssociationProperty: Code
  policyName:
    Label:
      en: PolicyName
    Type: String
  webHookUrl:
    Label:
      en: WebHookUrl
    Description:
      en: >-
        For example: https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414. For more information about how to obtain a DingTalk webhook, see https://www.alibabacloud.com/help/document_detail/144679.html#h2--2-webhook-5.
    Type: String
  atMobiles:
    Label:
      en: AtMobiles
    Description:
      en: The mobile numbers of DingTalk group members to mention in the notification. For example: 138ALBB1234.
    Type: List
  atAll:
    Label:
      en: AtAll
    Description:
      en: 'Specifies whether to mention all members in the DingTalk group when the assistant sends an approval notification.'
    Type: String
    Default: 'false'
  approvers:
    Label:
      en: Approvers
    Description:
      en: Enter the part of the RAM user's username that comes before the at sign (@). For example, if the RAM user is user001@companyAlias.onaliyun.com, enter user001.
    Type: List
    AssociationProperty: ALIYUN::RAM::User
  minRequiredApprovals:
    Label:
      en: MinRequiredApprovals
    Type: Number
    Default: 1
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Conditions:
  # checkPolicyExist.existed is 'true' when RAM GetPolicy returned a
  # DefaultPolicyVersion for policyName, i.e. the custom policy already exists.
  isExisted:
    'Fn::Equals':
      - '{{ checkPolicyExist.existed }}'
      - 'true'
  notExisted:
    'Fn::Equals':
      - '{{ checkPolicyExist.existed }}'
      - 'false'
Tasks:
  - Name: approveAttachPolicy
    Action: 'ACS::Approve'
    Description:
      en: Sends the approval request to DingTalk and blocks until at least MinRequiredApprovals approvers accept.
    Properties:
      Approvers: '{{approvers}}'
      MinRequiredApprovals: '{{minRequiredApprovals}}'
      NotifyType: WebHook
      WebHook:
        # The parameter is named webHookUrl; the reference must match it exactly.
        URI: '{{webHookUrl}}'
        Headers:
          Content-Type: application/json
        Content:
          msgtype: text
          text:
            content: |
              Notice: Please approve the task execution to attach custom policy {{policyName}}
              {{policyDocument}}
              for target user {{ACS::ExecuteUser}}.
              sent by {{ACS::RegionId}} oos {{ACS::ExecutionId}}.
          at:
            atMobiles: '{{atMobiles}}'
            isAtAll: '{{atAll}}'
  - Name: checkPolicyExist
    Action: ACS::CheckFor
    Description:
      en: Checks whether the custom policy exists.
    Properties:
      Service: RAM
      API: GetPolicy
      Parameters:
        PolicyType: 'Custom'
        PolicyName: '{{ policyName }}'
      DesiredValues:
        - 'true'
        - 'false'
      PropertySelector: '.DefaultPolicyVersion != null|tostring'
    Outputs:
      existed:
        Type: String
        # Same selector as above, so 'true' means the policy exists.
        ValueSelector: '.DefaultPolicyVersion != null|tostring'
  - Name: createStack
    Action: 'ACS::Template'
    When: isExisted
    Description:
      en: The policy already exists; attaches it to the user who started the execution using a ROS stack.
    Properties:
      TemplateName: 'ACS::ROS::CreateStack'
      Parameters:
        stackName:
          # ROS stack names may not contain dots, so they are replaced with underscores.
          Fn::Replace:
            - .: _
            - OOS-{{ACS::ExecutionId}}
        disableRollback: true
        parameters:
          - ParameterKey: PolicyType
            ParameterValue: 'Custom'
          - ParameterKey: UserName
            ParameterValue: '{{ACS::ExecuteUser}}'
          - ParameterKey: PolicyName
            ParameterValue: '{{ policyName }}'
        templateBody: |
          {
            "Parameters": {
              "PolicyType": {
                "Type": "String",
                "Description": "Authorization policy type. Value: \"System\" or \"Custom\"."
              },
              "UserName": {
                "Type": "String",
                "Description": "User name."
              },
              "PolicyName": {
                "Type": "String",
                "Description": "Authorization policy name."
              }
            },
            "ROSTemplateFormatVersion": "2015-09-01",
            "Outputs": {},
            "Resources": {
              "AttachPolicyToUser": {
                "Type": "ALIYUN::RAM::AttachPolicyToUser",
                "Properties": {
                  "PolicyType": {
                    "Ref": "PolicyType"
                  },
                  "UserName": {
                    "Ref": "UserName"
                  },
                  "PolicyName": {
                    "Ref": "PolicyName"
                  }
                }
              }
            }
          }
    Outputs:
      stackId:
        Type: String
        ValueSelector: stackId
  - Name: createStackForNewPolicy
    Action: 'ACS::Template'
    When: notExisted
    Description:
      en: The policy does not exist yet; creates it from policyDocument and attaches it to the user who started the execution using a ROS stack.
    Properties:
      TemplateName: 'ACS::ROS::CreateStack'
      Parameters:
        stackName:
          Fn::Replace:
            - .: _
            - OOS-{{ACS::ExecutionId}}
        disableRollback: true
        parameters:
          - ParameterKey: PolicyDocument
            ParameterValue: '{{ policyDocument }}'
          - ParameterKey: Users
            ParameterValue: '{{ACS::ExecuteUser}}'
          - ParameterKey: PolicyName
            ParameterValue: '{{ policyName }}'
        # PolicyDocumentUnchecked passes the document to RAM without ROS-side
        # validation, so approvers are the only review the document receives.
        templateBody: |
          {
            "ROSTemplateFormatVersion": "2015-09-01",
            "Resources": {
              "Policy": {
                "Type": "ALIYUN::RAM::ManagedPolicy",
                "Properties": {
                  "PolicyName": {
                    "Ref": "PolicyName"
                  },
                  "PolicyDocumentUnchecked": {
                    "Ref": "PolicyDocument"
                  },
                  "Users": {
                    "Ref": "Users"
                  }
                }
              }
            },
            "Parameters": {
              "PolicyName": {
                "Type": "String",
                "Description": "Specifies the authorization policy name, containing up to 128 characters."
              },
              "PolicyDocument": {
                "Type": "Json",
                "Description": "A policy document that describes what actions are allowed on which resources."
              },
              "Users": {
                "Type": "CommaDelimitedList",
                "Description": "The names of users to attach to this policy."
              }
            },
            "Outputs": {
              "PolicyName": {
                "Description": "The name of the created custom policy.",
                "Value": {
                  "Fn::GetAtt": [
                    "Policy",
                    "PolicyName"
                  ]
                }
              }
            },
            "Metadata": {
              "ALIYUN::ROS::Interface": {
                "TemplateTags": [
                  "acs:integrate:oos:ram_approve_attach_custom_policy_to_user"
                ]
              }
            }
          }
    Outputs:
      stackId:
        Type: String
        ValueSelector: stackId
Outputs:
  stackId:
    Type: String
    # Only the createStack task feeds this output; the stack ID produced by
    # createStackForNewPolicy is not exposed here.
    Value: '{{createStack.stackId}}'
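The template makes two decisions that are easy to get wrong when reviewing an execution: which ROS path it takes (attach an existing policy, or create one from policyDocument with PolicyDocumentUnchecked), and whether the policy document that the requester wants attached to their own account is acceptable. The script below is an added example, not part of the template or of OOS: it reproduces the template's existence check and stack-name rewrite in Python and adds a pre-approval lint for policyDocument. The GetPolicy-style responses, the sample policy documents and the lint rules are this example's own constructions; the lint heuristics (wildcard actions, any `ram:` action, unrestricted `sts:AssumeRole`) are one reviewer's baseline, not a rule the page defines.

```python
import json

# Constructed sample: shape of a RAM GetPolicy response when the custom policy
# exists, trimmed to the field the template's jq selector inspects.
POLICY_PRESENT = {
    "Policy": {"PolicyName": "oos-readonly", "PolicyType": "Custom"},
    "DefaultPolicyVersion": {"VersionId": "v1", "IsDefaultVersion": True},
}
# Constructed sample: no DefaultPolicyVersion, which the template reads as
# "the policy does not exist".
POLICY_MISSING = {"Policy": {"PolicyName": "oos-readonly", "PolicyType": "Custom"}}

# Constructed sample policy documents (RAM policy language, Version "1").
SAFE_DOC = json.dumps({"Version": "1", "Statement": [
    {"Action": ["oos:List*", "oos:Get*"], "Resource": "*", "Effect": "Allow"},
]})
RISKY_DOC = json.dumps({"Version": "1", "Statement": [
    {"Action": "ram:AttachPolicyToUser", "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:*", "*"], "Resource": "*", "Effect": "Allow"},
    {"Action": "sts:AssumeRole", "Resource": "*", "Effect": "Allow"},
]})


def policy_exists(get_policy_response):
    """Python equivalent of the template's selector
    `.DefaultPolicyVersion != null|tostring`: a default version is present
    exactly when the custom policy already exists."""
    return get_policy_response.get("DefaultPolicyVersion") is not None


def select_task(get_policy_response):
    """Which ROS task the template runs for this GetPolicy result."""
    if policy_exists(get_policy_response):
        return "createStack"            # ALIYUN::RAM::AttachPolicyToUser
    return "createStackForNewPolicy"    # ALIYUN::RAM::ManagedPolicy + Users


def stack_name(execution_id):
    """Python equivalent of Fn::Replace [{'.': '_'}, 'OOS-{{ACS::ExecutionId}}']."""
    return ("OOS-" + execution_id).replace(".", "_")


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy_document(doc):
    """Screen the policyDocument before it is put in front of the approvers.
    Returns a list of findings; an empty list means nothing was flagged.
    These rules are the example's own heuristics, not part of the template."""
    policy = json.loads(doc)
    findings = []
    if policy.get("Version") != "1":
        findings.append("Version must be '1'")
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        if any(a in ("*", "*:*") for a in actions):
            findings.append(f"statement {i}: Action wildcard grants every API")
        if any(a.startswith("ram:") for a in actions):
            # The grantee is the requester, so any RAM write lets them widen
            # their own permissions without a second approval.
            findings.append(f"statement {i}: grants RAM actions to the requester")
        if "sts:assumerole" in actions and "*" in resources:
            findings.append(f"statement {i}: sts:AssumeRole on every role")
    return findings


if __name__ == "__main__":
    for doc in (SAFE_DOC, RISKY_DOC):
        print(lint_policy_document(doc) or ["no findings"])
    print(select_task(POLICY_PRESENT), select_task(POLICY_MISSING))
    print(stack_name("exec-sample.id"))  # sample ID is constructed
```

Run it before approving: if `lint_policy_document` returns anything for the document quoted in the DingTalk message, reject the execution rather than relying on the approver to spot a `*` inside a long JSON blob. `select_task` also tells the reviewer which ROS path will run, which matters because only the createStackForNewPolicy path actually consumes policyDocument; when a policy with that name already exists, the requester gets the existing policy regardless of what the message shows.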