Template name
ACS-RAM-ApproveAttachCustomPolicyToUser: attach a custom policy to the RAM user that created and executed the template, after approval
Template description
After approval, attach a custom policy to the RAM user that created and executed the template
Template type
Automation
Owner
Alibaba Cloud
Input parameters

| Parameter | Description | Type | Required | Default | Constraints |
|---|---|---|---|---|---|
| policyDocument | JSON document of the custom policy to be granted | String | Yes | | |
| policyName | Name of the custom policy to be created and granted | String | Yes | | |
| webHookUrl | Webhook URL of the DingTalk group assistant | String | Yes | | |
| atMobiles | DingTalk phone numbers of the group members to @ in the approval notification | List | Yes | | |
| approvers | Users who may approve the authorization | List | Yes | | |
| atAll | Whether to @ all members | String | No | false | |
| minRequiredApprovals | Minimum number of approvals required | Number | No | 1 | |
| OOSAssumeRole | RAM role assumed by OOS | String | No | "" | |

Output parameters

| Parameter | Description | Type |
|---|---|---|
| stackId | | String |

Permission policy required to execute this template
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:GetPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ros:CreateStack",
        "ros:GetStack"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Details
ACS-RAM-ApproveAttachCustomPolicyToUser details
Template content
```yaml
FormatVersion: OOS-2019-06-01
Description:
  en: Attach custom policy to user that template executed by after approving
  zh-cn: 審批通過後授予自訂許可權給建立執行的子使用者
  name-en: ACS-RAM-ApproveAttachCustomPolicyToUser
  name-zh-cn: 審批通過後授予自訂許可權給建立執行的子使用者
  categories:
    - security
Parameters:
  policyDocument:
    Label:
      en: PolicyDocument
      zh-cn: 將授權的自訂權限原則的json指令碼
    Description:
      en: 'e.g.{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
      zh-cn: '如{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
    Type: String
    AssociationProperty: Code
  policyName:
    Label:
      en: PolicyName
      zh-cn: 將建立並授予的自訂權限原則名稱
    Type: String
  webHookUrl:
    Label:
      en: WebHookUrl
      zh-cn: DingTalk群助手的webhook地址
    Description:
      en: >-
        e.g.https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414,acquiring DingTalk webhook please refer to second appendix in https://help.aliyun.com/document_detail/144679.html.
      zh-cn: >-
        形如https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414,具體DingTalkWebHook擷取請參考https://help.aliyun.com/document_detail/144679.html#h2--2-webhook-5。
    Type: String
  atMobiles:
    Label:
      en: AtMobiles
      zh-cn: DingTalk手機號
    Description:
      en: The dingtalk phone numbers of who be @ in notification,e.g.138ALBB1234
      zh-cn: 審批通知中被@的群成員的DingTalk手機號,比如138ALBB1234
    Type: List
  atAll:
    Label:
      en: AtAll
      zh-cn: 是否@所有人
    Description:
      en: 'Whether assistant @ all members in dingtalk group or not notification comes'
      zh-cn: 當群助手向DingTalk群中發送審批通知時是否@所有人
    Type: String
    Default: 'false'
  approvers:
    Label:
      en: Approvers
      zh-cn: 可以審批授權的使用者
    Description:
      en: The name to fill is the front part of @ in the RAM user name,if RAM user is user001@companyAlias.onaliyun.com, then fill user001 in list
      zh-cn: 使用者名稱是RAM子使用者名稱稱中@前面的部分,比如RAM子使用者為user001@companyAlias.onaliyun.com,那麼列表中填寫user001即可
    Type: List
    AssociationProperty: ALIYUN::RAM::User
  minRequiredApprovals:
    Label:
      en: MinRequiredApprovals
      zh-cn: 最低需要通過審批的數量
    Type: Number
    Default: 1
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
      zh-cn: OOS扮演的RAM角色
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  # Step 1: block until enough of the listed approvers have approved; the
  # notification carries the full policy document so approvers can review it.
  - Name: approveAttachPolicy
    Action: 'ACS::Approve'
    Description:
      en: Approve task add policy
      zh-cn: 審批後授權
    Properties:
      Approvers: '{{approvers}}'
      MinRequiredApprovals: '{{minRequiredApprovals}}'
      NotifyType: WebHook
      WebHook:
        URI: '{{webHookUrl}}'
        Headers:
          Content-Type: application/json
        Content:
          msgtype: text
          text:
            content: |
              Notice: Please approve the task execution to attach custom policy {{policyName}}
              {{policyDocument}}
              for target user {{ACS::ExecuteUser}}.
              sent by {{ACS::RegionId}} oos {{ACS::ExecutionId}}.
          at:
            atMobiles: '{{atMobiles}}'
            isAtAll: '{{atAll}}'
  # Step 2: look up the custom policy by name. Both selector results are
  # accepted, so this task never waits; it only records the outcome.
  - Name: checkPolicyExist
    Action: ACS::CheckFor
    Description:
      en: Check for the inexistence of policy
      zh-cn: 判斷自訂權限原則名稱存在性
    Properties:
      Service: RAM
      API: GetPolicy
      Parameters:
        PolicyType: 'Custom'
        PolicyName: '{{ policyName }}'
      DesiredValues:
        - 'true'
        - 'false'
      PropertySelector: '.DefaultPolicyVersion != null|tostring'
    Outputs:
      # Note the inverted naming: existed is 'true' when DefaultPolicyVersion
      # is null, i.e. when no custom policy with this name exists yet.
      existed:
        Type: String
        ValueSelector: .DefaultPolicyVersion == null|tostring
  # Step 3a: the policy already exists (existed == 'false'); attach it to the
  # executing user through a ROS stack.
  - Name: createStack
    Action: 'ACS::Template'
    When:
      'Fn::Equals':
        - '{{ checkPolicyExist.existed }}'
        - 'false'
    Description:
      en: Attach policy by Ros resource stack
      zh-cn: 通過Ros資源棧為角色授權
    Properties:
      TemplateName: 'ACS::ROS::CreateStack'
      Parameters:
        stackName:
          Fn::Replace:
            - .: _
            - OOS-{{ACS::ExecutionId}}
        disableRollback: true
        parameters:
          - ParameterKey: PolicyType
            ParameterValue: 'Custom'
          - ParameterKey: UserName
            ParameterValue: '{{ACS::ExecuteUser}}'
          - ParameterKey: PolicyName
            ParameterValue: '{{ policyName }}'
        templateBody: |
          {
            "Parameters": {
              "PolicyType": {
                "Type": "String",
                "Description": "Authorization policy type. Value: \"System\" or \"Custom\"."
              },
              "UserName": {
                "Type": "String",
                "Description": "User name."
              },
              "PolicyName": {
                "Type": "String",
                "Description": "Authorization policy name."
              }
            },
            "ROSTemplateFormatVersion": "2015-09-01",
            "Outputs": {},
            "Resources": {
              "AttachPolicyToUser": {
                "Type": "ALIYUN::RAM::AttachPolicyToUser",
                "Properties": {
                  "PolicyType": {
                    "Ref": "PolicyType"
                  },
                  "UserName": {
                    "Ref": "UserName"
                  },
                  "PolicyName": {
                    "Ref": "PolicyName"
                  }
                }
              }
            }
          }
    Outputs:
      stackId:
        Type: String
        ValueSelector: stackId
  # Step 3b: no policy with this name exists (existed == 'true'); create it
  # from policyDocument and attach it to the executing user in one stack.
  # The document is passed through as PolicyDocumentUnchecked, so the
  # approval in step 1 is the only review its content receives.
  - Name: createStackForNewPolicy
    Action: 'ACS::Template'
    When:
      'Fn::Equals':
        - '{{ checkPolicyExist.existed }}'
        - 'true'
    Description:
      en: Attach policy by Ros resource stack when policy is not exist
      zh-cn: 當policy不存在時,通過Ros資源棧為角色授權
    Properties:
      TemplateName: 'ACS::ROS::CreateStack'
      Parameters:
        stackName:
          Fn::Replace:
            - .: _
            - OOS-{{ACS::ExecutionId}}
        disableRollback: true
        parameters:
          - ParameterKey: PolicyDocument
            ParameterValue: '{{ policyDocument }}'
          - ParameterKey: Users
            ParameterValue: '{{ACS::ExecuteUser}}'
          - ParameterKey: PolicyName
            ParameterValue: '{{ policyName }}'
        templateBody: |
          {
            "ROSTemplateFormatVersion": "2015-09-01",
            "Resources": {
              "Policy": {
                "Type": "ALIYUN::RAM::ManagedPolicy",
                "Properties": {
                  "PolicyName": {
                    "Ref": "PolicyName"
                  },
                  "PolicyDocumentUnchecked": {
                    "Ref": "PolicyDocument"
                  },
                  "Users": {
                    "Ref": "Users"
                  }
                }
              }
            },
            "Parameters": {
              "PolicyName": {
                "Type": "String",
                "Description": "Specifies the authorization policy name, containing up to 128 characters."
              },
              "PolicyDocument": {
                "Type": "Json",
                "Description": "A policy document that describes what actions are allowed on which resources."
              },
              "Users": {
                "Type": "CommaDelimitedList",
                "Description": "The names of users to attach to this policy."
              }
            },
            "Outputs": {
              "PolicyName": {
                "Description": "When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN.",
                "Value": {
                  "Fn::GetAtt": [
                    "Policy",
                    "PolicyName"
                  ]
                }
              }
            },
            "Metadata": {
              "ALIYUN::ROS::Interface": {
                "TemplateTags": [
                  "acs:integrate:oos:ram_approve_attach_custom_policy_to_user"
                ]
              }
            }
          }
    Outputs:
      stackId:
        Type: String
        ValueSelector: stackId
Outputs:
  stackId:
    Type: String
    Value: '{{createStack.stackId}}'
```
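The executing user supplies policyDocument and receives it after approval, so the approver's reading of the document in the DingTalk notification is the only control on its content. The following is an added example, not part of this template or of Alibaba Cloud's code: a pre-approval check in Python that flags administrator wildcards, service-wide grants on all resources, and identity-changing (ram:/sts:) actions in a RAM policy document of the Version "1" format shown above. The sample policy is the one quoted in the policyDocument parameter description; which actions count as identity-changing is an assumption of this example.

```python
import json

# Constructed sample input: the read-only example policy quoted in the
# template's policyDocument parameter description.
SAMPLE_POLICY = ('{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", '
                 '"oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }')

# Assumption: actions in these services can change who holds which permissions,
# so an approver should always look at them explicitly.
IDENTITY_SERVICES = ("ram", "sts")


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def review_policy_document(policy_json):
    """Return human-readable findings for a RAM policy document (Version "1")."""
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError) as exc:
        return [f"invalid JSON: {exc}"]
    findings = []
    if not isinstance(doc, dict) or doc.get("Version") != "1":
        findings.append('unexpected or missing Version (expected "1")')
    statements = doc.get("Statement") if isinstance(doc, dict) else None
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if not isinstance(st, dict) or st.get("Effect") != "Allow":
            continue  # only Allow statements widen the user's permissions
        actions = [str(a) for a in _as_list(st.get("Action", []))]
        resources = [str(r) for r in _as_list(st.get("Resource", []))]
        all_resources = "*" in resources
        for action in actions:
            service, _, verb = action.lower().partition(":")
            if action in ("*", "*:*") and all_resources:
                findings.append(f"statement {i}: full administrator grant ({action} on Resource *)")
            elif verb == "*" and all_resources:
                findings.append(f"statement {i}: service-wide grant {action!r} on all resources")
            if service in IDENTITY_SERVICES:
                findings.append(f"statement {i}: identity action {action!r} can change permissions")
    return findings


if __name__ == "__main__":
    print(review_policy_document(SAMPLE_POLICY))  # [] for the read-only sample
```

Deny statements are skipped because they only narrow what the user can do; an empty result means none of the rules fired, not that the policy is appropriate.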