我正在创建一个CFN模板,我在其中启用API网关的日志 . 它创造了这样的角色
"ApiGatewayCloudWatchLogsRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": { "Service": ["apigateway.amazonaws.com"] },
"Action": ["sts:AssumeRole"]
}]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess"
],
"Policies": [{
"PolicyName": "ApiGatewayLogsPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": "*"
}]
}
}]
}
}
我按照这个doc添加到 AWS::ApiGateway::Account
"ApiGatewayAccount": {
"Type" : "AWS::ApiGateway::Account",
"Properties" : {
"CloudWatchRoleArn" : {"Fn::GetAtt" : ["ApiGatewayCloudWatchLogsRole", "Arn"] }
}
},
在 AWS::ApiGateway::Account 的文档中 . 他们指定如下:
重要如果从未在您的AWS账户中创建API网关资源,则必须在另一个API网关资源上添加依赖关系,例如AWS :: ApiGateway :: RestApi或AWS :: ApiGateway :: ApiKey资源 . 如果您的AWS账户中已创建API网关资源,则不需要依赖项(即使资源已被删除) .
这是我对上述说明的理解,如果我的CFN没有 AWS::ApiGateway::Resource 那么我需要以这样的方式为我的 AWS::ApiGateway::Account 添加一个依赖,只有在``AWS :: ApiGateway :: RestApi之后才需要创建AWS::ApiGateway::Account` 资源 . 创建 .
所以,我改变了cfn片段,就像这样
"ApiGatewayAccount": {
"Type" : "AWS::ApiGateway::Account",
"DependsOn": [
"CFNTest" -->This is a`AWS::ApiGateway::RestApi`
],
"Properties" : {
"CloudWatchRoleArn" : {"Fn::GetAtt" : ["ApiGatewayCloudWatchLogsRole", "Arn"] }
}
},
我的理解是对的吗?
谢谢