
CloudOps Orchestration Service: ACS-RAM-ApproveAttachCustomPolicyToUser

Last updated: Sep 06, 2024

Template name

ACS-RAM-ApproveAttachCustomPolicyToUser: after approval, grants a custom policy to the RAM user that created the execution


Template description

After approval, grants a custom policy to the RAM user that created the execution

Template type

Automation

Owner

Alibaba Cloud

Input parameters

| Parameter name | Description | Type | Required | Default | Constraint |
| --- | --- | --- | --- | --- | --- |
| policyDocument | JSON document of the custom policy to be granted | String | | | |
| policyName | Name of the custom policy to be created and attached | String | | | |
| webHookUrl | Webhook URL of the DingTalk group assistant | String | | | |
| atMobiles | None | List | | | |
| approvers | RAM users who may approve the authorization | List | | | |
| atAll | Whether to @ all members | String | | false | |
| minRequiredApprovals | Minimum number of approvals required | Number | | 1 | |
| OOSAssumeRole | RAM role assumed by OOS | String | | "" | |

Output parameters

| Parameter name | Description | Type |
| --- | --- | --- |
| stackId | | String |

Permission policy required to execute this template

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:GetPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ros:CreateStack",
                "ros:GetStack"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Details

ACS-RAM-ApproveAttachCustomPolicyToUser details

Template content

FormatVersion: OOS-2019-06-01
Description:
  en: Attach custom policy to user that template executed by after approving
  zh-cn: 審批通過後授予自訂許可權給建立執行的子使用者
  name-en: ACS-RAM-ApproveAttachCustomPolicyToUser
  name-zh-cn: 審批通過後授予自訂許可權給建立執行的子使用者
  categories:
    - security
Parameters:
  policyDocument:
    Label:
      en: PolicyDocument
      zh-cn: 將授權的自訂權限原則的json指令碼
    Description:
      en: 'e.g.{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
      zh-cn: '如{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
    Type: String
    AssociationProperty: Code
  policyName:
    Label:
      en: PolicyName
      zh-cn: 將建立並授予的自訂權限原則名稱
    Type: String
  webHookUrl:
    Label:
      en: WebHookUrl
      zh-cn: DingTalk群助手的webhook地址
    Description:
      en: >-
        e.g.https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414,acquiring DingTalk webhook please refer to second appendix in https://help.aliyun.com/document_detail/144679.html.
      zh-cn: >-
        形如https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414,具體DingTalkWebHook擷取請參考https://help.aliyun.com/document_detail/144679.html#h2--2-webhook-5。
    Type: String
  atMobiles:
    Label:
      en: AtMobiles
      zh-cn: DingTalk手機號
    Description:
      en: The dingtalk phone numbers of who be @ in notification,e.g.138ALBB1234
      zh-cn: 審批通知中被@的群成員的DingTalk手機號,比如138ALBB1234
    Type: List
  atAll:
    Label:
      en: AtAll
      zh-cn: 是否@所有人
    Description:
      en: 'Whether assistant @ all members in dingtalk group or not notification comes'
      zh-cn: 當群助手向DingTalk群中發送審批通知時是否@所有人
    Type: String
    Default: 'false'
  approvers:
    Label:
      en: Approvers
      zh-cn: 可以審批授權的使用者
    Description:
      en: The name to fill is the front part of @ in the RAM user name,if  RAM user is user001@companyAlias.onaliyun.com, then fill  user001  in list
      zh-cn: 使用者名稱是RAM子使用者名稱稱中@前面的部分,比如RAM子使用者為user001@companyAlias.onaliyun.com,那麼列表中填寫user001即可
    Type: List
    AssociationProperty: ALIYUN::RAM::User
  minRequiredApprovals:
    Label:
      en: MinRequiredApprovals
      zh-cn: 最低需要通過審批的數量
    Type: Number
    Default: 1
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
      zh-cn: OOS扮演的RAM角色
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: approveAttachPolicy
    Action: 'ACS::Approve'
    Description:
      en: Approve task add policy
      zh-cn: 審批後授權
    Properties:
      Approvers: '{{approvers}}'
      MinRequiredApprovals: '{{minRequiredApprovals}}'
      NotifyType: WebHook
      WebHook:
        URI: '{{webHookUrl}}'  # references the webHookUrl parameter declared above
        Headers:
          Content-Type: application/json
        Content:
          msgtype: text
          text:
            content: |
              Notice: Please approve the task execution to attach custom policy {{policyName}}
              {{policyDocument}}
              for target user {{ACS::ExecuteUser}}.
              sent by {{ACS::RegionId}} oos {{ACS::ExecutionId}}.
          at:
            atMobiles: '{{atMobiles}}'
            isAtAll: '{{atAll}}'
  - Name: checkPolicyExist
    Action: ACS::CheckFor
    Description:
      en: Check for the inexistence of policy
      zh-cn: 判斷自訂權限原則名稱存在性
    Properties:
      Service: RAM
      API: GetPolicy
      Parameters:
        PolicyType: 'Custom'
        PolicyName: '{{ policyName }}'
      DesiredValues:
      - 'true'
      - 'false'
      PropertySelector: '.DefaultPolicyVersion != null|tostring'
    Outputs:
      existed:
        Type: String
        # Note the inverted meaning: this is 'true' when GetPolicy returns no
        # DefaultPolicyVersion, i.e. when the custom policy does NOT exist yet.
        ValueSelector: .DefaultPolicyVersion == null|tostring
  # Branch 1: the policy already exists, so only attach it to the executing user.
  - Name: createStack
    Action: 'ACS::Template'
    When:
      'Fn::Equals':
        - '{{ checkPolicyExist.existed }}'
        - 'false'
    Description:
      en: Attach policy by Ros resource stack
      zh-cn: 通過Ros資源棧為角色授權
    Properties:
      TemplateName: 'ACS::ROS::CreateStack'
      Parameters:
        stackName:
          Fn::Replace:
            - .: _
            - OOS-{{ACS::ExecutionId}}
        disableRollback: true
        parameters:
          - ParameterKey: PolicyType
            ParameterValue: 'Custom'
          - ParameterKey: UserName
            ParameterValue: '{{ACS::ExecuteUser}}'
          - ParameterKey: PolicyName
            ParameterValue: '{{ policyName }}'
        templateBody: |
          {
            "Parameters": {
              "PolicyType": {
                "Type": "String",
                "Description": "Authorization policy type. Value: \"System\" or \"Custom\"."
              },
              "UserName": {
                "Type": "String",
                "Description": "User name."
              },
              "PolicyName": {
                "Type": "String",
                "Description": "Authorization policy name."
              }
            },
            "ROSTemplateFormatVersion": "2015-09-01",
            "Outputs": {},
            "Resources": {
              "AttachPolicyToUser": {
                "Type": "ALIYUN::RAM::AttachPolicyToUser",
                "Properties": {
                  "PolicyType": {
                    "Ref": "PolicyType"
                  },
                  "UserName": {
                    "Ref": "UserName"
                  },
                  "PolicyName": {
                    "Ref": "PolicyName"
                  }
                }
              }
            }
          }
    Outputs:
      stackId:
        Type: String
        ValueSelector: stackId
  # Branch 2: the policy does not exist, so create it from policyDocument and
  # attach it to the executing user in the same ROS stack.
  - Name: createStackForNewPolicy
    Action: 'ACS::Template'
    When:
      'Fn::Equals':
        - '{{ checkPolicyExist.existed }}'
        - 'true'
    Description:
      en: Attach policy by Ros resource stack when policy is not exist
      zh-cn: 當policy不存在時,通過Ros資源棧為角色授權
    Properties:
      TemplateName: 'ACS::ROS::CreateStack'
      Parameters:
        stackName:
          Fn::Replace:
            - .: _
            - OOS-{{ACS::ExecutionId}}
        disableRollback: true
        parameters:
          - ParameterKey: PolicyDocument
            ParameterValue: '{{ policyDocument }}'
          - ParameterKey: Users
            ParameterValue: '{{ACS::ExecuteUser}}'
          - ParameterKey: PolicyName
            ParameterValue: '{{ policyName }}'
        templateBody: |
          {
            "ROSTemplateFormatVersion": "2015-09-01",
            "Resources": {
              "Policy": {
                "Type": "ALIYUN::RAM::ManagedPolicy",
                "Properties": {
                  "PolicyName": {
                    "Ref": "PolicyName"
                  },
                  "PolicyDocumentUnchecked": {
                    "Ref": "PolicyDocument"
                  },
                  "Users": {
                    "Ref": "Users"
                  }
                }
              }
            },
            "Parameters": {
              "PolicyName": {
                "Type": "String",
                "Description": "Specifies the authorization policy name, containing up to 128 characters."
              },
              "PolicyDocument": {
                "Type": "Json",
                "Description": "A policy document that describes what actions are allowed on which resources."
              },
              "Users": {
                "Type": "CommaDelimitedList",
                "Description": "The names of users to attach to this policy."
              }
            },
            "Outputs": {
              "PolicyName": {
                "Description": "When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN.",
                "Value": {
                  "Fn::GetAtt": [
                    "Policy",
                    "PolicyName"
                  ]
                }
              }
            },
            "Metadata": {
              "ALIYUN::ROS::Interface": {
                "TemplateTags": [
                  "acs:integrate:oos:ram_approve_attach_custom_policy_to_user"
                ]
              }
            }
          }
    Outputs:
      stackId:
        Type: String
        ValueSelector: stackId
Outputs:
  stackId:
    Type: String
    # Only populated when the createStack branch ran; the stack created by
    # createStackForNewPolicy is exposed through that task's own stackId output.
    Value: '{{createStack.stackId}}'
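The approver sees only the raw policyDocument text in the DingTalk notification, and the createStackForNewPolicy branch hands that document to ROS through the PolicyDocumentUnchecked property. The Python below is an added example, not part of the Alibaba Cloud template: it lints a candidate policyDocument before it is submitted for approval, and it replicates the checkPolicyExist selector so the inverted meaning of the `existed` output is explicit. The risk heuristics (flagging Action * on Resource * and non-read ram: actions) are assumptions made for this example.

```python
import json

# Heuristic: ram:* actions other than Get*/List* let the grantee alter
# permissions (assumption for this example, not an Alibaba Cloud definition).
READ_ONLY_RAM_PREFIXES = ("Get", "List")

def _as_list(value):
    """RAM accepts Action/Resource as a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy_document(doc):
    """Parse a RAM custom policy (the template's policyDocument parameter)
    and return findings an approver should read. [] means no concerns."""
    findings = []
    try:
        policy = json.loads(doc)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if not isinstance(st, dict):
            findings.append(f"statement {i}: not an object")
            continue
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        if effect != "Allow":
            continue  # Deny statements cannot widen access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: full admin grant (Action * on Resource *)")
        for action in actions:
            service, _, name = action.partition(":")
            if service == "ram" and not name.startswith(READ_ONLY_RAM_PREFIXES):
                findings.append(f"statement {i}: grants {action}, which can change permissions")
    return findings

def task_for_get_policy(response):
    """Replicate checkPolicyExist: '.DefaultPolicyVersion == null|tostring' makes
    existed == 'true' when the policy does NOT exist -> createStackForNewPolicy."""
    existed = str(response.get("DefaultPolicyVersion") is None).lower()
    return "createStackForNewPolicy" if existed == "true" else "createStack"
```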