ACS-RAM-ApproveAttachCustomPolicyToUser

模板名称

ACS-RAM-ApproveAttachCustomPolicyToUser 审批通过后授予自定义权限给创建执行的子用户

立即执行

模板描述

审批通过后授予自定义权限给创建执行的子用户

模板类型

自动化

所有者

Alibaba Cloud

输入参数

参数名称

描述

类型

是否必填

默认值

约束

policyDocument

将授权的自定义权限策略的json脚本

String

policyName

将新建并授予的自定义权限策略名称

String

webHookUrl

钉钉群助手的webhook地址

String

atMobiles

None

List

approvers

可以审批授权的用户

List

atAll

是否@所有人

String

false

minRequiredApprovals

最低需要通过审批的数量

Number

1

OOSAssumeRole

OOS扮演的RAM角色

String

""

输出参数

参数名称

描述

类型

stackId

String

执行此模板需要的权限策略

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:GetPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ros:CreateStack",
                "ros:GetStack"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

详情

ACS-RAM-ApproveAttachCustomPolicyToUser详情

模板内容

FormatVersion: OOS-2019-06-01
Description:
  en: Attach custom policy to user that template executed by after approving
  zh-cn: 审批通过后授予自定义权限给创建执行的子用户
  name-en: ACS-RAM-ApproveAttachCustomPolicyToUser
  name-zh-cn: 审批通过后授予自定义权限给创建执行的子用户
  categories:
    - security
Parameters:
  policyDocument:
    Label:
      en: PolicyDocument
      zh-cn: 将授权的自定义权限策略的json脚本
    Description:
      en: 'e.g.{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
      zh-cn: '如{ "Version": "1", "Statement": [ { "Action": [ "oos:List*", "oos:Get*" ], "Resource": "*", "Effect": "Allow" } ] }'
    Type: String
    AssociationProperty: Code
  policyName:
    Label:
      en: PolicyName
      zh-cn: 将新建并授予的自定义权限策略名称
    Type: String
  webHookUrl:
    Label:
      en: WebHookUrl
      zh-cn: 钉钉群助手的webhook地址
    Description:
      en: >-
        e.g.https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414,acquiring DingTalk webhook please refer to second appendix in https://help.aliyun.com/document_detail/144679.html.
      zh-cn: >-
        形如https://oapi.dingtalk.com/robot/send?access_token=1234zxcvaksdq31414,具体钉钉WebHook获取请参考https://help.aliyun.com/document_detail/144679.html#h2--2-webhook-5。
    Type: String
  atMobiles:
    Label:
      en: AtMobiles
      zn-cn: 钉钉手机号
    Description:
      en: The dingtalk phone numbers of who be @ in notification,e.g.138ALBB1234
      zh-cn: 审批通知中被@的群成员的钉钉手机号,比如138ALBB1234
    Type: List
  atAll:
    Label:
      en: AtAll
      zh-cn: 是否@所有人
    Description:
      en: 'Whether assistant @ all members in dingtalk group or not notification comes'
      zh-cn: 当群助手向钉钉群中发送审批通知时是否@所有人
    Type: String
    Default: 'false'
  approvers:
    Label:
      en: Approvers
      zh-cn: 可以审批授权的用户
    Description:
      en: The name to fill is the front part of @ in the RAM user name,if  RAM user is user001@companyAlias.onaliyun.com, then fill  user001  in list
      zh-cn: 用户名是RAM子用户名称中@前面的部分,比如RAM子用户为user001@companyAlias.onaliyun.com,那么列表中填写user001即可
    Type: List
    AssociationProperty: ALIYUN::RAM::User
  minRequiredApprovals:
    Label:
      en: MinRequiredApprovals
      zh-cn: 最低需要通过审批的数量
    Type: Number
    Default: 1
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
      zh-cn: OOS扮演的RAM角色
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: approveAttachPolicy
    Action: 'ACS::Approve'
    Description:
      en: Approve task add policy
      zh-cn: 审批后授权
    Properties:
      Approvers: '{{approvers}}'
      MinRequiredApprovals: '{{minRequiredApprovals}}'
      NotifyType: WebHook
      WebHook:
        URI: '{{webhookUrl}}'
        Headers:
          Content-Type: application/json
        Content:
          msgtype: text
          text:
            content: |
              Notice: Please approve the task execution to attach custom policy {{policyName}}
              {{policyDocument}}
              for target user {{ACS::ExecuteUser}}.
              sent by {{ACS::RegionId}} oos {{ACS::ExecutionId}}.
          at:
            atMobiles: '{{atMobiles}}'
            isAtAll: '{{atAll}}'
  - Name: checkPolicyExist
    Action:  ACS::CheckFor
    Description:
      en: Check for the inexistence of policy
      zh-cn: 判断自定义权限策略名称存在性
    Properties:
      Service: RAM
      API: GetPolicy
      Parameters:
        PolicyType: 'Custom'
        PolicyName: '{{ policyName }}'
      DesiredValues:
      - 'true'
      - 'false'
      PropertySelector: '.DefaultPolicyVersion != null|tostring'
    Outputs:
      existed:
        Type: String
        ValueSelector: .DefaultPolicyVersion == null|tostring
  - Name: createStack
    Action: 'ACS::Template'
    When:
      'Fn::Equals':
        - '{{ checkPolicyExist.existed }}'
        - 'false'
    Description:
      en: Attach policy by Ros resource stack
      zh-cn: 通过Ros资源栈为角色授权
    Properties:
      TemplateName: 'ACS::ROS::CreateStack'
      Parameters:
        stackName:
          Fn::Replace:
            - .: _
            - OOS-{{ACS::ExecutionId}}
        disableRollback: true
        parameters:
          - ParameterKey: PolicyType
            ParameterValue: 'Custom'
          - ParameterKey: UserName
            ParameterValue: '{{ACS::ExecuteUser}}'
          - ParameterKey: PolicyName
            ParameterValue: '{{ policyName }}'
        templateBody: |
          {
            "Parameters": {
              "PolicyType": {
                "Type": "String",
                "Description": "Authorization policy type. Value: \"System\" or \"Custom\"."
              },
              "UserName": {
                "Type": "String",
                "Description": "User name."
              },
              "PolicyName": {
                "Type": "String",
                "Description": "Authorization policy name."
              }
            },
            "ROSTemplateFormatVersion": "2015-09-01",
            "Outputs": {},
            "Resources": {
              "AttachPolicyToUser": {
                "Type": "ALIYUN::RAM::AttachPolicyToUser",
                "Properties": {
                  "PolicyType": {
                    "Ref": "PolicyType"
                  },
                  "UserName": {
                    "Ref": "UserName"
                  },
                  "PolicyName": {
                    "Ref": "PolicyName"
                  }
                }
              }
            }
          }
    Outputs:
      stackId:
        Type: String
        ValueSelector: stackId
  - Name: createStackForNewPolicy
    Action: 'ACS::Template'
    When:
      'Fn::Equals':
        - '{{ checkPolicyExist.existed }}'
        - 'true'
    Description:
      en: Attach policy by Ros resource stack when policy is not exist
      zh-cn: 当policy不存在时,通过Ros资源栈为角色授权
    Properties:
      TemplateName: 'ACS::ROS::CreateStack'
      Parameters:
        stackName:
          Fn::Replace:
            - .: _
            - OOS-{{ACS::ExecutionId}}
        disableRollback: true
        parameters:
          - ParameterKey: PolicyDocument
            ParameterValue: '{{ policyDocument }}'
          - ParameterKey: Users
            ParameterValue: '{{ACS::ExecuteUser}}'
          - ParameterKey: PolicyName
            ParameterValue: '{{ policyName }}'
        templateBody: |
          {
            "ROSTemplateFormatVersion": "2015-09-01",
            "Resources": {
              "Policy": {
                "Type": "ALIYUN::RAM::ManagedPolicy",
                "Properties": {
                  "PolicyName": {
                    "Ref": "PolicyName"
                  },
                  "PolicyDocumentUnchecked": {
                    "Ref": "PolicyDocument"
                  },
                  "Users": {
                    "Ref": "Users"
                  }
                }
              }
            },
            "Parameters": {
              "PolicyName": {
                "Type": "String",
                "Description": "Specifies the authorization policy name, containing up to 128 characters."
              },
              "PolicyDocument": {
                "Type": "Json",
                "Description": "A policy document that describes what actions are allowed on which resources."
              },
              "Users": {
                "Type": "CommaDelimitedList",
                "Description": "The names of users to attach to this policy."
              }
            },
            "Outputs": {
              "PolicyName": {
                "Description": "When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN.",
                "Value": {
                  "Fn::GetAtt": [
                    "Policy",
                    "PolicyName"
                  ]
                }
              }
            },
            "Metadata": {
              "ALIYUN::ROS::Interface": {
                "TemplateTags": [
                  "acs:integrate:oos:ram_approve_attach_custom_policy_to_user"
                ]
              }
            }
          }
    Outputs:
      stackId:
        Type: String
        ValueSelector: stackId
Outputs:
  stackId:
    Type: String
    Value: '{{createStack.stackId}}'