Template name
ACS-RAM-ApproveAttachPolicyToUser
Template description
After the request is approved, attaches the specified policy (System or Custom) to the RAM user that started the execution. The attachment itself is performed by a ROS resource stack that the template creates.
Template type
Automation
Owner
Alibaba Cloud
Input parameters
Parameter | Description | Data type | Required | Default value | Constraints |
policyType | Type of the policy to attach. | String | Yes | | Custom or System |
policyName | Name of the policy to attach. | String | Yes | | |
webHookUrl | Webhook URL of the DingTalk chatbot that receives the approval notification. | String | Yes | | |
atMobiles | DingTalk phone numbers of the members to mention (@) in the notification. | List | Yes | | |
approvers | RAM users allowed to approve the request (the part of the RAM user name before the @). | List | Yes | | |
atAll | Whether to mention (@) all members of the DingTalk group. | String | No | false | |
minRequiredApprovals | Minimum number of approvals required before the policy is attached. | Number | No | 1 | |
OOSAssumeRole | RAM role that CloudOps Orchestration Service (OOS) assumes to run the template. | String | No | "" | |
Output parameters
Parameter | Description | Data type |
statement | Policy document of the default version of the attached policy, as returned by RAM GetPolicy. | JSON |
stackId | ID of the ROS stack that performs the attachment. | String |
Permission policy required to execute the template
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:GetPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ros:CreateStack",
        "ros:GetStack"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Reference
ACS-RAM-ApproveAttachPolicyToUser
Template content
FormatVersion: OOS-2019-06-01
Description:
  en: Attach a policy to the RAM user that executes the template, after approval
  name-en: ACS-RAM-ApproveAttachPolicyToUser
  categories:
    - security
Parameters:
  policyType:
    Label:
      en: PolicyType
    Description:
      en: The type of the policy to attach. Valid values are Custom and System.
    Type: String
    AllowedValues:
      - Custom
      - System
  policyName:
    Label:
      en: PolicyName
    Type: String
  webHookUrl:
    Label:
      en: WebHookUrl
    Description:
      en: >-
        e.g. https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414. To obtain a DingTalk webhook, refer to the second appendix in https://www.alibabacloud.com/help/en/oos/use-cases/use-oos-to-configure-the-approval-process?spm=a3c0i.23458820.2359477120.1.55a06e9bkNIXn3.
    Type: String
  atMobiles:
    Label:
      en: AtMobiles
    Description:
      en: The DingTalk phone numbers of the members to @ in the notification, e.g. 138ALBB1234
    Type: List
  atAll:
    Label:
      en: AtAll
    Description:
      en: Whether the chatbot @s all members of the DingTalk group when the notification is sent
    Type: String
    Default: 'false'
  approvers:
    Label:
      en: Approvers
    Description:
      en: The part of the RAM user name before the @. If the RAM user is user001@companyAlias.onaliyun.com, fill in user001.
    Type: List
    AssociationProperty: ALIYUN::RAM::User
  minRequiredApprovals:
    Label:
      en: MinRequiredApprovals
    Type: Number
    Default: 1
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: approveAttachPolicy
    Action: 'ACS::Approve'
    Description:
      en: Approve the task that attaches the policy
    Properties:
      Approvers: '{{approvers}}'
      MinRequiredApprovals: '{{minRequiredApprovals}}'
      NotifyType: WebHook
      WebHook:
        # The reference must match the parameter declared above (webHookUrl);
        # the page text referenced {{webhookUrl}}, which is not a declared parameter.
        URI: '{{webHookUrl}}'
        Headers:
          Content-Type: application/json
        Content:
          msgtype: text
          text:
            content: |
              Notice: Please approve the task execution to attach {{policyType}} policy {{policyName}}
              for target user {{ACS::ExecuteUser}}
              sent by {{ACS::RegionId}} oos {{ACS::ExecutionId}}
          at:
            atMobiles: '{{atMobiles}}'
            isAtAll: '{{atAll}}'
  - Name: checkPolicyExist
    Action: ACS::CheckFor
    Description:
      en: Check that the policy exists (it must have a default version)
    Properties:
      Service: RAM
      API: GetPolicy
      Parameters:
        PolicyType: '{{ policyType }}'
        PolicyName: '{{ policyName }}'
      DesiredValues:
        - 'true'
      PropertySelector: '.DefaultPolicyVersion != null|tostring'
    Outputs:
      policyDocumentToAttach:
        Type: Json
        ValueSelector: .DefaultPolicyVersion.PolicyDocument
  - Name: createStack
    Action: 'ACS::Template'
    Description:
      en: Attach the policy by creating a ROS resource stack
    Properties:
      TemplateName: 'ACS::ROS::CreateStack'
      Parameters:
        stackName:
          Fn::Replace:
            - .: _
            - OOS-{{ACS::ExecutionId}}
        disableRollback: true
        parameters:
          - ParameterKey: PolicyType
            ParameterValue: '{{ policyType }}'
          # The target is always the user who started the execution, not a free-form input.
          - ParameterKey: UserName
            ParameterValue: '{{ACS::ExecuteUser}}'
          - ParameterKey: PolicyName
            ParameterValue: '{{ policyName }}'
        templateBody: |
          {
            "Parameters": {
              "PolicyType": {
                "Type": "String",
                "Description": "Authorization policy type. Value: \"System\" or \"Custom\"."
              },
              "UserName": {
                "Type": "String",
                "Description": "User name."
              },
              "PolicyName": {
                "Type": "String",
                "Description": "Authorization policy name."
              }
            },
            "ROSTemplateFormatVersion": "2015-09-01",
            "Outputs": {},
            "Resources": {
              "AttachPolicyToUser": {
                "Type": "ALIYUN::RAM::AttachPolicyToUser",
                "Properties": {
                  "PolicyType": {
                    "Ref": "PolicyType"
                  },
                  "UserName": {
                    "Ref": "UserName"
                  },
                  "PolicyName": {
                    "Ref": "PolicyName"
                  }
                }
              }
            },
            "Metadata": {
              "ALIYUN::ROS::Interface": {
                "TemplateTags": [
                  "acs:integrate:oos:ram_approve_attach_policy_to_user"
                ]
              }
            }
          }
    Outputs:
      stackId:
        Type: String
        ValueSelector: stackId
Outputs:
  statement:
    Type: Json
    Value: '{{ checkPolicyExist.policyDocumentToAttach }}'
  stackId:
    Type: String
    Value: '{{createStack.stackId}}'
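The following is an added worked example, not part of the ACS-RAM-ApproveAttachPolicyToUser template or of Alibaba Cloud's code. It re-implements offline, in plain Python, the data transformations the template performs so that their edge cases can be exercised: the CheckFor selector applied to a RAM GetPolicy response, the ValueSelector that yields the `statement` output, the ROS stack name derived from the execution ID, the ROS stack parameters, and the DingTalk webhook payload. It also adds one check the template does not contain: because the policy document is fetched only after the approval task, the notification carries just the policy name, so an approver who wants to know what is being granted must inspect the document themselves; `wildcard_grants` shows that triage. The sample responses, policy names, execution ID and phone number are constructed, and it is assumed that GetPolicy returns PolicyDocument as a JSON string.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample of a RAM GetPolicy response (shape assumed from the template's
# selectors; PolicyDocument is assumed to be a JSON string).
SAMPLE_GET_POLICY: dict[str, Any] = {
    "Policy": {"PolicyName": "OpsReadOnly", "PolicyType": "Custom"},
    "DefaultPolicyVersion": {
        "VersionId": "v2",
        "PolicyDocument": json.dumps({
            "Version": "1",
            "Statement": [
                {"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": "*"},
                {"Effect": "Allow", "Action": "*", "Resource": "*"},
            ],
        }),
    },
}

# Constructed sample for a policy without a default version (e.g. a mistyped name):
# the CheckFor task must fail and no ROS stack may be created.
SAMPLE_MISSING_POLICY: dict[str, Any] = {
    "Policy": {"PolicyName": "Typo", "PolicyType": "Custom"},
}


def policy_exists(get_policy_response: dict[str, Any]) -> bool:
    """Mirror of PropertySelector '.DefaultPolicyVersion != null|tostring'
    compared against DesiredValues ['true']."""
    selected = str(get_policy_response.get("DefaultPolicyVersion") is not None).lower()
    return selected == "true"


def policy_document(get_policy_response: dict[str, Any]) -> dict[str, Any]:
    """Mirror of ValueSelector '.DefaultPolicyVersion.PolicyDocument' (the template's
    `statement` output), parsed from the JSON string RAM returns."""
    raw = get_policy_response["DefaultPolicyVersion"]["PolicyDocument"]
    return json.loads(raw) if isinstance(raw, str) else raw


def wildcard_grants(document: dict[str, Any]) -> list[dict[str, Any]]:
    """Approver triage (added check, not in the template): Allow statements whose
    Action is '*' or '*:*' on Resource '*' grant account-wide administrator rights."""
    flagged = []
    for stmt in document.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if (stmt.get("Effect") == "Allow"
                and any(a in ("*", "*:*") for a in actions)
                and "*" in resources):
            flagged.append(stmt)
    return flagged


def stack_name(execution_id: str) -> str:
    """Mirror of Fn::Replace [{'.': '_'}, 'OOS-{{ACS::ExecutionId}}']."""
    return f"OOS-{execution_id}".replace(".", "_")


def ros_parameters(policy_type: str, user_name: str, policy_name: str) -> list[dict[str, str]]:
    """Parameters the createStack task passes to ROS. UserName is ACS::ExecuteUser,
    so the policy always lands on the user who started the execution."""
    return [
        {"ParameterKey": "PolicyType", "ParameterValue": policy_type},
        {"ParameterKey": "UserName", "ParameterValue": user_name},
        {"ParameterKey": "PolicyName", "ParameterValue": policy_name},
    ]


def dingtalk_payload(policy_type: str, policy_name: str, execute_user: str, region_id: str,
                     execution_id: str, at_mobiles: list[str], at_all: str) -> dict[str, Any]:
    """Body of the WebHook notification as the approveAttachPolicy task renders it.
    at_all is the template's String parameter ('true'/'false'); it is converted to the
    boolean that DingTalk's isAtAll field expects (assumption)."""
    content = (
        f"Notice: Please approve the task execution to attach {policy_type} policy {policy_name}\n"
        f"for target user {execute_user}\n"
        f"sent by {region_id} oos {execution_id}\n"
    )
    return {
        "msgtype": "text",
        "text": {"content": content},
        "at": {"atMobiles": list(at_mobiles), "isAtAll": str(at_all).lower() == "true"},
    }


if __name__ == "__main__":
    for resp in (SAMPLE_GET_POLICY, SAMPLE_MISSING_POLICY):
        name = resp["Policy"]["PolicyName"]
        if not policy_exists(resp):
            print(f"{name}: CheckFor fails, no stack is created")
            continue
        print(f"{name}: admin-level statements: {wildcard_grants(policy_document(resp))}")
    print(stack_name("exec-1a2b3c.d4e5"))  # constructed execution ID
```

The order of the tasks is the security-relevant detail: approval happens first, the policy document is read second, and the stack that attaches it is created third, so the approver decides on the policy name alone.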