CloudOps Orchestration Service:ACS-OSS-PutBucketEncryption

Last updated: Sep 06, 2024

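Template name

ACS-OSS-PutBucketEncryption: Configure encryption rules for an OSS bucket

Template description

Configures the encryption rules of an OSS bucket.

Template type

Automation

Owner

Alibaba Cloud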

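Input parameters

| Parameter name | Description | Type | Required | Default value | Constraints |
|---|---|---|---|---|---|
| SSEAlgorithm | SSE encryption method | String | | | |
| bucketName | OSS bucket name | String | | | |
| regionId | Region ID | String | | {{ ACS::RegionId }} | |
| KMSMasterKeyID | KMS key ID | String | | False | |
| OOSAssumeRole | RAM role assumed by OOS | String | | "" | |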

Output parameters

Permission policy required to run this template

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:PutBucketEncryption"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Details

ACS-OSS-PutBucketEncryption details

Template content

FormatVersion: OOS-2019-06-01
Description:
  en: Encryption rules for configuring buckets
  zh-cn: 配置OSSBucket的加密規則
  name-en: ACS-OSS-PutBucketEncryption
  name-zh-cn: 配置OSSBucket加密規則
  categories:
    - security
Parameters:
  regionId:
    Type: String
    Label:
      en: RegionId
      zh-cn: 地區ID
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  SSEAlgorithm:
    Label:
      en: SSEAlgorithm
      zh-cn: SSE加密方式
    Description:
      en: Set the default encryption method of the server
      zh-cn: 設定服務端預設加密方式
    Type: String
    AllowedValues:
      - KMS
      - AES256
  KMSMasterKeyID:
    Label:
      en: KMSMasterKeyID
      zh-cn: KMS密鑰ID
    Description:
      en: >-
        When the ssealgorithm value is KMS, you need to enter the key ID,
        otherwise, it must be empty(Default No is empty)
      zh-cn: 當SSEAlgorithm值為KMS時,需輸入KMSMasterKeyID,其他情況下,必須為空白(No 代表為空白)
    Type: String
    Default: No
  bucketName:
    Label:
      en: BucketName
      zh-cn: OSS bucket 名稱
    Type: String
    AssociationProperty: ALIYUN::OSS::Bucket::BucketName
    AssociationPropertyMetadata:
      RegionId: regionId
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
      zh-cn: OOS扮演的RAM角色
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: chooseWetherHasKMSMasterKeyIDTask
    Action: 'ACS::Choice'
    Properties:
      DefaultTask: putBucketEncryptionNoKeyId
      Choices:
        - When:
            'Fn::Equals':
              - KMS
              - '{{ SSEAlgorithm }}'
          NextTask: putBucketEncryption
        - When:
            'Fn::Equals':
              - AES256
              - '{{ SSEAlgorithm }}'
          NextTask: putBucketEncryptionNoKeyId
  - Name: putBucketEncryptionNoKeyId
    Action: 'ACS::ExecuteAPI'
    Description:
      en: 'Encryption rules for configuring buckets(AES256)'
      zh-cn: 用於配置Bucket的加密規則(AES256)
    OnSuccess: 'ACS::END'
    Properties:
      Service: OSS
      API: PutBucketEncryption
      Method: PUT
      URI: '?encryption'
      Headers:
        Content-MD5: ""
        Content-Type: application/xml
      Parameters:
        RegionId: '{{ regionId }}'
        BucketName: '{{ bucketName }}'
      Body: '<?xml version="1.0" encoding="UTF-8"?>
             <ServerSideEncryptionRule>
               <ApplyServerSideEncryptionByDefault>
                 <SSEAlgorithm>{{ SSEAlgorithm }}</SSEAlgorithm>
                 <KMSMasterKeyID></KMSMasterKeyID>
               </ApplyServerSideEncryptionByDefault>
             </ServerSideEncryptionRule>'
  - Name: putBucketEncryption
    Action: 'ACS::ExecuteAPI'
    Description:
      en: Encryption rules for configuring buckets(KMS)
      zh-cn: 用於配置Bucket的加密規則(KMS)
    Properties:
      Service: OSS
      API: PutBucketEncryption
      Method: PUT
      URI: '?encryption'
      Headers:
        Content-MD5: ""
        Content-Type: application/xml
      Parameters:
        RegionId: '{{ regionId }}'
        BucketName: '{{ bucketName }}'
      Body: '<?xml version="1.0" encoding="UTF-8"?>
             <ServerSideEncryptionRule>
               <ApplyServerSideEncryptionByDefault>
                 <SSEAlgorithm>{{ SSEAlgorithm }}</SSEAlgorithm>
                 <KMSMasterKeyID>{{ KMSMasterKeyID }}</KMSMasterKeyID>
               </ApplyServerSideEncryptionByDefault>
             </ServerSideEncryptionRule>'
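
The Choice task in the template routes only on SSEAlgorithm and never inspects KMSMasterKeyID, so the template itself does not enforce the rule stated in the KMSMasterKeyID description (key ID required for KMS, empty otherwise). The pre-flight check below is an added example, not part of Alibaba Cloud's template; the function name `plan_put_bucket_encryption`, the set of "empty" sentinels, and the sample key IDs are assumptions made for illustration.

```python
from xml.sax.saxutils import escape

ALLOWED_ALGORITHMS = ("KMS", "AES256")  # AllowedValues of SSEAlgorithm in the template
# Values treated as "no key ID" (assumption): the template default is the bare
# YAML scalar No, which the parameter table renders as False.
EMPTY_KEY_SENTINELS = {"", "No", "False"}

# Same elements as the Body of the two ExecuteAPI tasks, without the folding whitespace.
BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<ServerSideEncryptionRule><ApplyServerSideEncryptionByDefault>"
    "<SSEAlgorithm>{alg}</SSEAlgorithm>"
    "<KMSMasterKeyID>{key}</KMSMasterKeyID>"
    "</ApplyServerSideEncryptionByDefault></ServerSideEncryptionRule>"
)


def plan_put_bucket_encryption(sse_algorithm, kms_master_key_id="No"):
    """Return (task_name, xml_body) the template would use, or raise ValueError."""
    if sse_algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"SSEAlgorithm must be one of {ALLOWED_ALGORITHMS}")
    key = "" if kms_master_key_id is None else str(kms_master_key_id).strip()
    has_key = key not in EMPTY_KEY_SENTINELS

    if sse_algorithm == "KMS":
        if not has_key:
            # The Choice task would still pick putBucketEncryption and substitute
            # the parameter's default value into <KMSMasterKeyID>.
            raise ValueError("SSEAlgorithm=KMS requires a KMSMasterKeyID")
        # Escape the key ID so it cannot alter the XML structure of the request body.
        return "putBucketEncryption", BODY.format(alg="KMS", key=escape(key))

    if has_key:
        # putBucketEncryptionNoKeyId always sends an empty <KMSMasterKeyID>,
        # so a supplied key ID would be dropped without any error.
        raise ValueError("KMSMasterKeyID must be empty when SSEAlgorithm=AES256")
    return "putBucketEncryptionNoKeyId", BODY.format(alg="AES256", key="")


if __name__ == "__main__":
    # Constructed sample inputs; the key ID is a placeholder, not a real KMS key.
    for alg, key in [("AES256", "No"), ("KMS", "example-key-id"), ("KMS", False)]:
        try:
            print(alg, repr(key), "->", plan_put_bucket_encryption(alg, key)[0])
        except ValueError as err:
            print(alg, repr(key), "-> rejected:", err)
```
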