自定义资源cloudformation的堆栈策略

debugcn 发表于 Dev

斯塔夫罗斯·扎夫拉卡斯（Stavros Zavrakas）

我已经定义了像这样的cloudformation模板：

AWSTemplateFormatVersion: 2010-09-09
Description: Auth stack
Transform: AWS::Serverless-2016-10-31

Parameters:
  DeveloperProviderName:
    Description: Developer provider name
    Type: String

Conditions:
  Never:
    !Equals [ "true", "false" ]

Resources:
  CognitoIdentityPool:
    Type: Custom::CognitoIdentityPool
    Version: '1.0'
    Properties:
      IdentityPoolName: !Sub "${AWS::StackName}-cognito-idp"
      DeveloperProviderName: !Ref DeveloperProviderName
      ServiceToken: !GetAtt CreateIdentityPoolFunction.Arn

.
.
more stuff here for the lambda function etc
.
.

然后，我想添加一个堆栈策略，并拒绝替换和删除：

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "Update:Replace",
        "Update:Delete"
      ],
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ResourceType": [
            "Custom::CognitoIdentityPool"
          ]
        }
      }
    }
  ]
}

这就是我设置堆栈策略的方式：

aws cloudformation set-stack-policy \
    --stack-name ${stackName} \
    --stack-policy-body file://${policyPath}

这是设置堆栈策略时遇到的错误：

An error occurred (ValidationError) when calling the SetStackPolicy operation: Error validating stack policy: Unknown resource type 'Custom::CognitoIdentityPool' in statement {}

有什么想法如何使用堆栈策略保护这些自定义资源？

马辛

我认为您无法使用自定义资源。该AWS文档：