2 Answers
1
In the IAM user template you have created the resource FuncUser; in this resource you are referencing both FuncUserPolicy and FuncUserPolicy2 via:
ManagedPolicyArns:
  - Fn::GetAtt:
      - FuncUserPolicy
      - Outputs.AccessPolicyArn
  - Fn::GetAtt:
      - FuncUserPolicy2
      - Outputs.AccessPolicy2Arn
If your condition OnlyInAccount2 evaluates to false, your resource FuncUserPolicy2 is not created and therefore the reference to it will produce the error. Try surrounding your GetAtt with an !If like you do in AccessPolicy1.
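The error in this thread comes from a bare Fn::GetAtt on a resource that carries a Condition: CloudFormation only accepts such a reference when it sits under an Fn::If on that same condition, or when the referencing resource has the same condition itself. The checker below is an added example, not code from the answer above or from AWS. It walks a template written in long-form intrinsic syntax (the form CloudFormation parses !If, !GetAtt and !Ref into) as a Python dict and reports every Ref or Fn::GetAtt in a resource's Properties that points at a conditional resource without being guarded. The two embedded templates are constructed, cut-down versions of the thread's "before" and "after" shapes; the nested-stack URLs and the output names are placeholders, and DependsOn or references outside Properties are not inspected.

```python
from __future__ import annotations

from typing import Any, Iterator


# ---- constructed sample templates (cut down from the thread, long-form intrinsics) ----

def build_template(managed_policy_arns: list[Any]) -> dict[str, Any]:
    """IAM-user template skeleton; only ManagedPolicyArns varies between samples."""
    return {
        "Conditions": {
            "OnlyInAccount1": {"Fn::Equals": [{"Ref": "Account1"}, {"Ref": "AWS::AccountId"}]},
            "OnlyInAccount2": {"Fn::Equals": [{"Ref": "Account2"}, {"Ref": "AWS::AccountId"}]},
        },
        "Resources": {
            "FuncUser": {
                "Type": "AWS::IAM::User",
                "Properties": {
                    "UserName": {"Ref": "FuncUsername"},  # parameter, not a resource: ignored
                    "ManagedPolicyArns": managed_policy_arns,
                },
            },
            "FuncUserPolicy": {
                "Type": "AWS::CloudFormation::Stack",
                "Condition": "OnlyInAccount1",
                "Properties": {"TemplateURL": "https://example.invalid/policy1.yaml"},  # placeholder
            },
            "FuncUserPolicy2": {
                "Type": "AWS::CloudFormation::Stack",
                "Condition": "OnlyInAccount2",
                "Properties": {"TemplateURL": "https://example.invalid/policy2.yaml"},  # placeholder
            },
        },
    }


def get_att(stack: str, output: str) -> dict[str, Any]:
    """Long form of !GetAtt [stack, Outputs.<output>] (output names are assumed)."""
    return {"Fn::GetAtt": [stack, f"Outputs.{output}"]}


# Shape from the question: bare GetAtt on both conditional nested stacks.
UNGUARDED_TEMPLATE = build_template([
    get_att("FuncUserPolicy", "AccessPolicyArn"),
    get_att("FuncUserPolicy2", "AccessPolicy2Arn"),
])

# Shape from the fix: each GetAtt wrapped in Fn::If on that stack's own condition.
GUARDED_TEMPLATE = build_template([
    {"Fn::If": ["OnlyInAccount1", get_att("FuncUserPolicy", "AccessPolicyArn"), {"Ref": "AWS::NoValue"}]},
    {"Fn::If": ["OnlyInAccount2", get_att("FuncUserPolicy2", "AccessPolicy2Arn"), {"Ref": "AWS::NoValue"}]},
])


# ---- the check ----

def references(node: Any, guards: frozenset[str]) -> Iterator[tuple[str, frozenset[str]]]:
    """Yield (referenced logical id, conditions whose true branch encloses it)."""
    if isinstance(node, dict):
        if "Fn::If" in node and isinstance(node["Fn::If"], list) and len(node["Fn::If"]) == 3:
            cond, when_true, when_false = node["Fn::If"]
            yield from references(when_true, guards | {cond})   # guarded by cond
            yield from references(when_false, guards)           # false branch: cond does not help
            return
        if isinstance(node.get("Ref"), str):
            yield node["Ref"], guards
            return
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            # list form ["Logical", "Attr"] or string form "Logical.Attr"
            logical_id = target[0] if isinstance(target, list) else str(target).split(".", 1)[0]
            yield logical_id, guards
            return
        for value in node.values():
            yield from references(value, guards)
    elif isinstance(node, list):
        for value in node:
            yield from references(value, guards)


def find_unguarded_references(template: dict[str, Any]) -> list[str]:
    """Report Properties references to conditional resources lacking a matching guard."""
    resources = template.get("Resources", {})
    condition_of = {name: body["Condition"] for name, body in resources.items() if "Condition" in body}
    findings: list[str] = []
    for name, body in resources.items():
        for target, guards in references(body.get("Properties", {}), frozenset()):
            needed = condition_of.get(target)
            if needed is None:  # parameter, pseudo-parameter or unconditional resource
                continue
            if needed == body.get("Condition") or needed in guards:
                continue
            findings.append(f"{name} -> {target}: needs Fn::If on {needed}, "
                            f"guarded by {sorted(guards) or 'nothing'}")
    return findings


if __name__ == "__main__":
    for label, tpl in (("unguarded", UNGUARDED_TEMPLATE), ("guarded", GUARDED_TEMPLATE)):
        print(label, find_unguarded_references(tpl) or "OK")
```

Running the block prints two findings for the unguarded shape (one per nested stack) and OK for the guarded one. A resource that shares the target's Condition is accepted without an Fn::If, which is the other way CloudFormation allows such a reference.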
0
This is the updated IAM user template:
# version: 1.0
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This Template Deploys Basic AWS Functional User along with s3 bucket read/write access
Parameters:
  StackNameTag:
    Type: String
    Description: Name of stack as entered above
  TemplateUsedTag:
    Type: String
    Description: Template used in creating this stack
  FuncUsername:
    Type: String
    Description: Name for Functional user
  s3ReadBucketArn:
    Type: String
    Description: Comma delimited list of s3 bucket Arn for read access
  s3WriteBucketArn:
    Type: String
    Description: Comma delimited list of s3 bucket Arn for read/write access
  kmskeyArn:
    Type: String
    Description: Comma delimited list of kms key Arn
  PrimaryOwner:
    Type: String
    Description: Primary Owner for this user
  SecondaryOwner:
    Type: String
    Description: Secondary Owner for this user
  CostCentre:
    Type: String
    Description: Cost Centre
  BusinessUnit:
    Type: String
    Description: Business Unit
  Account1:
    Type: String
    Description: AWS Account1
  Account2:
    Type: String
    Description: AWS Account2
Conditions:
  # Each condition is true only in the account whose ID matches the parameter
  OnlyInAccount1: !Equals
    - !Ref Account1
    - !Ref 'AWS::AccountId'
  OnlyInAccount2: !Equals
    - !Ref Account2
    - !Ref 'AWS::AccountId'
  #OnlyInAccount1: !Not [!Equals [!Ref Account1, ""]]
  #OnlyInAccount2: !Not [!Equals [!Ref Account2, ""]]
  # Condition1and2:
  #   Fn::And:
  #     - Condition: OnlyInAccount1
  #     - Condition: OnlyInAccount2
Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      ManagedPolicyArns:
        # Each GetAtt is wrapped in !If on the same condition as the nested
        # stack it reads from, so it is only evaluated when that stack exists
        - !If
          - OnlyInAccount1
          - !GetAtt [FuncUserPolicy, Outputs.AccessPolicyArn]
          - !Ref "AWS::NoValue"
        - !If
          - OnlyInAccount2
          # the attribute name must match the Outputs key in create-iam-policy2.yaml
          - !GetAtt [FuncUserPolicy2, Outputs.AccessPolicyArn]
          - !Ref "AWS::NoValue"
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
        - Key: secondary_owner
          Value: !Ref SecondaryOwner
        - Key: cost_centre
          Value: !Ref CostCentre
        - Key: business_unit
          Value: !Ref BusinessUnit
        - Key: Creation_Stack
          Value: !Ref StackNameTag
        - Key: Stack_Template
          Value: !Ref TemplateUsedTag
  # Nested stack that creates the account-1 managed policy; created only in account 1
  FuncUserPolicy:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount1
    # Retain keeps the nested policy stack (and its policy) when this stack is deleted or replaced
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy1.yaml
      Parameters:
        ReadOnlyBucketARN: !Ref s3ReadBucketArn
        s3WriteBucketAccess: !Ref s3WriteBucketArn
        KMSKeyArn: !Ref kmskeyArn
        FuncUsername: !Ref FuncUsername
  # Nested stack that creates the account-2 managed policy; created only in account 2
  FuncUserPolicy2:
    Type: AWS::CloudFormation::Stack
    Condition: OnlyInAccount2
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      TemplateURL: https://aws-billing-report-csv-format-report.s3.amazonaws.com/create-iam-policy2.yaml
      Parameters:
        FuncUsername: !Ref FuncUsername
It worked for me. Thanks @JimmyDqv. However, I have another question: if we have to deploy this template as a StackSet targeting two accounts, where I need to attach policy1 to account1 and policy2 to account2, then the ManagedPolicyArns condition should be modified to:
ManagedPolicyArns:
  - !If
    - OnlyInAccount1
    - !GetAtt [FuncUserPolicy, Outputs.AccessPolicyArn]
    - !Ref "AWS::NoValue"
  - !If
    - OnlyInAccount2
    - !GetAtt [FuncUserPolicy2, Outputs.AccessPolicy2Arn]
    - !Ref "AWS::NoValue"
Please acknowledge.
answered a year ago
Hi @JimmyDqv, I have tried using the !If condition but am getting an unresolved dependency error. Would you mind modifying the code using the !If condition as you suggested above?
I have not tested it, but this should hopefully work.
ManagedPolicyArns: