I have the CFN template below, which is working fine; however, as I am still learning, I want my Mappings to be parametrized and I'm not getting the way to do it. Secondly, the PermissionBoundary parameter: I am not able to use it like `Default: !Sub arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary`, as it probably doesn't like the `!Sub` function being called there and then referenced in the `AWS::IAM::Role`; hence for now I am directly using it like `PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary'`, which indeed works well.

Can someone please help me to:

- get the Mapping parametrized, and
- use the PermissionBoundary parameter as a reference while using `${AWS::AccountId}` in it.

Below is the working code; the commented portion is the one which doesn't work.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This AWS Backup template deploys AWS backup-Plan for the FSx cloud resources.
Parameters:
  FsxIAMBackupRole:
    Type: String
    Default: 'test-fsx-backup-role'
    Description: 'IAM Role for FsxN backup Service.'
  FsxBackupVaultName:
    Type: String
    Default: 'test-fsx-backup-vault'
    Description: 'Provide the name of the backup-vault.'
  FsxBackupPlanName:
    Type: String
    Default: 'test-fsx-backup-plan'
    Description: 'Provide the name of the backup-plan.'
  FsxBackupRuleName:
    Type: String
    Default: 'test-fsx-backup-rule'
    Description: 'Provide the name of the backup-rule.'
  FsxBackupSelectionName:
    Type: String
    Default: 'test-fsx-backup-selection'
    Description: 'Provide the name of the backup-selection.'
  FsxBackupDeleteAfterDays:
    Type: Number
    Default: 22
    Description: 'Days to expire backups from vault.'
  FsxVaultMinRetentionDays:
    Type: Number
    Default: 21
    Description: 'Retention period in days that the vault retains backup data.'
  FsxVaultChangeableForDays:
    Type: Number
    Default: 3
    Description: 'Number of days before the vault lock. After this period, Vault Lock becomes immutable and cannot be changed or deleted.'
  # PermissionBoundary:
  #   Type: String
  #   #Default: !Sub arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary
  #   Description: 'Provide Permission Boundary Name'
  #
Mappings:
  RegionMap:
    us-east-1:
      schedulexpr: "cron(00 19 * * ? *)"
    us-west-1:
      schedulexpr: "cron(00 18 * * ? *)"
    eu-west-1:
      schedulexpr: "cron(00 17 * * ? *)"
    ap-southeast-1:
      schedulexpr: "cron(00 16 * * ? *)"
    ap-northeast-1:
      schedulexpr: "cron(00 15 * * ? *)"
Resources:
  FSxBackupIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Create IAM role for backup service
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
      Path: "/"
      PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary'
      RoleName: !Ref FsxIAMBackupRole
  FSxBackupsVault:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: !Ref FsxBackupVaultName
  FSxBackupPlan:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: !Ref FsxBackupPlanName
        BackupPlanRule:
          - RuleName: !Ref FsxBackupRuleName
            # !Ref on an AWS::Backup::BackupVault returns the vault name
            TargetBackupVault: !Ref FSxBackupsVault
            StartWindowMinutes: 240
            # Schedule is picked from the mapping by the deploying region
            # (a duplicate ScheduleExpression key referencing an undefined
            # FsxBackupScheduleExpression parameter was removed here)
            ScheduleExpression: !FindInMap
              - RegionMap
              - !Ref 'AWS::Region'
              - schedulexpr
            Lifecycle:
              DeleteAfterDays: !Ref FsxBackupDeleteAfterDays
  FsxTagBasedBackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId:
        Fn::GetAtt:
          - FSxBackupPlan
          - BackupPlanId
      BackupSelection:
        IamRoleArn:
          Fn::GetAtt:
            - FSxBackupIAMRole
            - Arn
        Conditions:
          StringEquals:
            - ConditionKey: aws:ResourceTag/storage
              ConditionValue: backup-production
        Resources:
          - arn:aws:fsx:*
        SelectionName: !Ref FsxBackupSelectionName
```
Thanks, I have ended up using the below, which is partially using a Parameter:
and then
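The following is an added example, not the asker's template and not an answer taken from the page. It shows the two changes the question asks for. First, a CloudFormation parameter `Default` is a literal value and never evaluates intrinsic functions, so the template takes only the boundary policy *name* as a parameter and builds the ARN with `!Sub` at the one place it is consumed, the role's `PermissionsBoundary`. Second, `Fn::FindInMap` accepts `Ref` for its keys, so a parameter can select the first-level map key while `AWS::Region` remains the second. The parameter names `PermissionBoundaryName` and `Environment`, the `ScheduleMap` mapping, the `AllowedPattern` regex and the example resource names are assumptions for illustration only.

```yaml
# Added example (not the original template): parameterized mapping and
# permissions boundary. Names below are illustrative assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Parameterized FindInMap key and permissions boundary (added example)

Parameters:
  PermissionBoundaryName:
    Type: String
    Default: CCoEPermissionBoundary
    Description: Name (not ARN) of the customer-managed boundary policy in this account.
    # Constrain what a deployer may substitute so the boundary cannot be
    # pointed at an arbitrary policy at stack-create time (assumed pattern).
    AllowedPattern: '^[A-Za-z0-9+=,.@_-]{1,128}$'
  Environment:
    Type: String
    Default: prod
    AllowedValues: [prod, nonprod]
    Description: Selects which schedule set in ScheduleMap is used.

Mappings:
  # First-level key comes from the Environment parameter, second-level key
  # from the region the stack is deployed in; both resolve at deploy time.
  ScheduleMap:
    prod:
      us-east-1: "cron(00 19 * * ? *)"
      eu-west-1: "cron(00 17 * * ? *)"
    nonprod:
      us-east-1: "cron(00 03 * * ? *)"
      eu-west-1: "cron(00 01 * * ? *)"

Resources:
  FSxBackupIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: backup.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores'
      # The parameter supplies the policy name; account and partition come from
      # pseudo parameters here, at the point of use, where !Sub is evaluated.
      PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${PermissionBoundaryName}'

  FSxBackupsVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: example-fsx-backup-vault

  FSxBackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: example-fsx-backup-plan
        BackupPlanRule:
          - RuleName: example-fsx-backup-rule
            TargetBackupVault: !Ref FSxBackupsVault
            # Parameter-driven first key, region-driven second key.
            ScheduleExpression: !FindInMap [ScheduleMap, !Ref Environment, !Ref 'AWS::Region']
            StartWindowMinutes: 240
            Lifecycle:
              DeleteAfterDays: 22
```

Two points worth keeping in mind with this approach. Making the boundary name a parameter turns it into a security knob: whoever launches the stack can substitute a weaker policy, so either constrain it (`AllowedValues` is stricter than the pattern shown) or keep it hard-coded and additionally require the boundary in the deployer's own IAM policy with the `iam:PermissionsBoundary` condition key on `iam:CreateRole`. And `Fn::FindInMap` fails the deployment if the selected keys are absent, so every `Environment` value in `AllowedValues` needs an entry for every region the stack will be deployed to.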