
The following example specifies authorization at the state machine level.

YAML

Auth:
  ApiKeyRequired: true
  Authorizer: NONE

ResourcePolicyStatement

Configures a resource policy for all methods and paths of an API. For more information about resource policies, see Controlling access to an API with API Gateway resource policies in the API Gateway Developer Guide.

Syntax

To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.

YAML

AwsAccountBlacklist: List
AwsAccountWhitelist: List
CustomStatements: List
IntrinsicVpcBlacklist: List
IntrinsicVpcWhitelist: List
IntrinsicVpceBlacklist: List
IntrinsicVpceWhitelist: List
IpRangeBlacklist: List
IpRangeWhitelist: List
SourceVpcBlacklist: List
SourceVpcWhitelist: List

Properties

AwsAccountBlacklist

The AWS accounts to block.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

AwsAccountWhitelist

The AWS accounts to allow. For an example use of this property, see the Examples section at the bottom of this page.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

CustomStatements

A list of custom resource policy statements to apply to this API. For an example use of this property, see the Examples section at the bottom of this page.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

IntrinsicVpcBlacklist

The list of virtual private clouds (VPCs) to block, where each VPC is specified as a reference such as a dynamic reference or the Ref intrinsic function. For an example use of this property, see the Examples section at the bottom of this page.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

IntrinsicVpcWhitelist

The list of VPCs to allow, where each VPC is specified as a reference such as a dynamic reference or the Ref intrinsic function.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

IntrinsicVpceBlacklist

The list of VPC endpoints to block, where each VPC endpoint is specified as a reference such as a dynamic reference or the Ref intrinsic function.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

IntrinsicVpceWhitelist

The list of VPC endpoints to allow, where each VPC endpoint is specified as a reference such as a dynamic reference or the Ref intrinsic function. For an example use of this property, see the Examples section at the bottom of this page.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

IpRangeBlacklist

The IP addresses or address ranges to block. For an example use of this property, see the Examples section at the bottom of this page.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

IpRangeWhitelist

The IP addresses or address ranges to allow.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

SourceVpcBlacklist

The source VPC or VPC endpoints to block. Source VPC names must start with "vpc-" and source VPC endpoint names must start with "vpce-". For an example use of this property, see the Examples section at the bottom of this page.

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

SourceVpcWhitelist

The source VPC or VPC endpoints to allow. Source VPC names must start with "vpc-" and source VPC endpoint names must start with "vpce-".

Type: List
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

Examples

Resource Policy Example

The following example blocks two IP addresses and a source VPC, and allows an AWS account.

YAML

Auth:
  ResourcePolicy:
    CustomStatements: [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/Prod/GET/pets",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.2.3.4"
        }
      }
    }]
    IpRangeBlacklist:
      - "10.20.30.40"
      - "1.2.3.4"
    SourceVpcBlacklist:
      - "vpce-1a2b3c4d"
    AwsAccountWhitelist:
      - "111122223333"
    IntrinsicVpcBlacklist:
      - "{{resolve:ssm:SomeVPCReference:1}}"
      - !Ref MyVPC
    IntrinsicVpceWhitelist:
      - "{{resolve:ssm:SomeVPCEReference:1}}"
      - !Ref MyVPCE
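The block and allow lists above are only as safe as the values put into them, and a CustomStatements entry can silently undo everything else (an Allow for Principal "*" with no Condition opens the path to anyone). The following linter is an added example, not code from AWS SAM or this guide; it checks a parsed ResourcePolicy block against the rules this reference states (IP ranges must be addresses or CIDRs, SourceVpc entries must start with "vpc-" or "vpce-", account IDs are 12 digits, Intrinsic lists hold Ref objects or dynamic references) and flags unconditional public Allow statements. The sample input is constructed: it mirrors the page's example, with the `!Ref` tags represented as `{"Ref": ...}` dicts as a YAML loader would return them, plus one deliberately weak statement for the linter to catch.

```python
import ipaddress
import re

# Constructed sample: the page's ResourcePolicy example as Python data, plus a
# second, deliberately unconditional public Allow statement (constructed).
SAMPLE_RESOURCE_POLICY = {
    "CustomStatements": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/Prod/GET/pets",
            "Condition": {"IpAddress": {"aws:SourceIp": "1.2.3.4"}},
        },
        {   # constructed weak statement: public, no Condition, wildcard resource
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:*",
            "Resource": "execute-api:/*",
        },
    ],
    "IpRangeBlacklist": ["10.20.30.40", "1.2.3.4"],
    "SourceVpcBlacklist": ["vpce-1a2b3c4d"],
    "AwsAccountWhitelist": ["111122223333"],
    "IntrinsicVpcBlacklist": ["{{resolve:ssm:SomeVPCReference:1}}", {"Ref": "MyVPC"}],
    "IntrinsicVpceWhitelist": ["{{resolve:ssm:SomeVPCEReference:1}}", {"Ref": "MyVPCE"}],
}

ACCOUNT_RE = re.compile(r"^\d{12}$")
DYNAMIC_REF_RE = re.compile(r"^\{\{resolve:")


def _is_intrinsic(value):
    # A CloudFormation intrinsic object (e.g. {"Ref": "MyVPC"}) or a
    # "{{resolve:...}}" dynamic reference string.
    return isinstance(value, dict) or (isinstance(value, str) and bool(DYNAMIC_REF_RE.match(value)))


def lint_resource_policy(policy):
    """Return a list of findings (strings) for a SAM ResourcePolicy block."""
    findings = []
    for key in ("IpRangeBlacklist", "IpRangeWhitelist"):
        for entry in policy.get(key, []):
            try:
                ipaddress.ip_network(entry, strict=False)  # accepts "1.2.3.4" and "10.0.0.0/8"
            except ValueError:
                findings.append(f"{key}: {entry!r} is not a valid IP address or CIDR range")
    for key in ("SourceVpcBlacklist", "SourceVpcWhitelist"):
        for entry in policy.get(key, []):
            if not (str(entry).startswith("vpc-") or str(entry).startswith("vpce-")):
                findings.append(f"{key}: {entry!r} must start with 'vpc-' or 'vpce-'")
    for key in ("AwsAccountBlacklist", "AwsAccountWhitelist"):
        for entry in policy.get(key, []):
            if not ACCOUNT_RE.match(str(entry)):
                findings.append(f"{key}: {entry!r} is not a 12-digit AWS account ID")
    for key in ("IntrinsicVpcBlacklist", "IntrinsicVpcWhitelist",
                "IntrinsicVpceBlacklist", "IntrinsicVpceWhitelist"):
        for entry in policy.get(key, []):
            if not _is_intrinsic(entry):
                findings.append(f"{key}: {entry!r} is not a Ref or dynamic reference")
    # Custom statements are raw IAM: a public Allow with no Condition grants
    # the resource to every caller, regardless of the lists above.
    for i, stmt in enumerate(policy.get("CustomStatements", [])):
        principal = stmt.get("Principal")
        is_public = principal == "*" or principal == {"AWS": "*"}
        if stmt.get("Effect") == "Allow" and is_public and not stmt.get("Condition"):
            findings.append(
                f"CustomStatements[{i}]: Allow with Principal '*' and no Condition "
                f"exposes {stmt.get('Resource')!r} to anyone"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_resource_policy(SAMPLE_RESOURCE_POLICY):
        print(finding)
```

Run it against the block a YAML loader returns for `Auth.ResourcePolicy` in a template; anything it prints is worth a second look before deploying, and an empty result on the page's own example (without the constructed second statement) is the expected baseline.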

CloudWatchEvent

The object describing a CloudWatchEvent event source type.

AWS Serverless Application Model (AWS SAM) generates an AWS::Events::Rule resource when this event type is set.

Important Note: EventBridgeRule is the preferred event source type to use, instead of CloudWatchEvent. EventBridgeRule and CloudWatchEvent use the same underlying service, API, and AWS CloudFormation resources. However, AWS SAM will add support for new features only to EventBridgeRule.

Syntax

To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.

YAML

EventBusName: String
Input: String
InputPath: String
Pattern: EventPattern

Properties

EventBusName

The event bus to associate with this rule. If you omit this property, AWS SAM uses the default event bus.

Type: String
Required: No

Default: Default event bus

AWS CloudFormation compatibility: This property is passed directly to the EventBusName property of an AWS::Events::Rule resource.

Input

Valid JSON text passed to the target. If you use this property, nothing from the event text itself is passed to the target.

Type: String
Required: No

AWS CloudFormation compatibility: This property is passed directly to the Input property of an AWS::Events::Rule Target resource.

InputPath

When you don't want to pass the entire matched event to the target, use the InputPath property to describe which part of the event to pass.

Type: String
Required: No

AWS CloudFormation compatibility: This property is passed directly to the InputPath property of an AWS::Events::Rule Target resource.

Pattern

Describes which events are routed to the specified target. For more information, see Events and Event Patterns in EventBridge in the Amazon EventBridge User Guide.

Type: EventPattern
Required: Yes

AWS CloudFormation compatibility: This property is passed directly to the EventPattern property of an AWS::Events::Rule resource.

Examples

CloudWatchEvent

The following is an example of a CloudWatchEvent event source type.

YAML

CWEvent:
  Type: CloudWatchEvent
  Properties:
    Input: '{"Key": "Value"}'
    Pattern:
      detail:
        state:
          - terminated

EventBridgeRule

The object describing an EventBridgeRule event source type, which sets your state machine as the target for an Amazon EventBridge rule. For more information, see What Is Amazon EventBridge? in the Amazon EventBridge User Guide.

AWS SAM generates an AWS::Events::Rule resource when this event type is set.

Syntax

To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.

YAML

DeadLetterConfig: DeadLetterConfig
EventBusName: String
Input: String
InputPath: String
Pattern: EventPattern
RetryPolicy: RetryPolicy

Properties

DeadLetterConfig

Configure the Amazon Simple Queue Service (Amazon SQS) queue where EventBridge sends events after a failed target invocation. Invocation can fail, for example, when sending an event to a Lambda function that doesn't exist, or when EventBridge has insufficient permissions to invoke the Lambda function. For more information, see Event retry policy and using dead-letter queues in the Amazon EventBridge User Guide.

Type: DeadLetterConfig
Required: No

AWS CloudFormation compatibility: This property is similar to the DeadLetterConfig property of the AWS::Events::Rule Target data type. The AWS SAM version of this property includes additional subproperties, in case you want AWS SAM to create the dead-letter queue for you.

EventBusName

The event bus to associate with this rule. If you omit this property, AWS SAM uses the default event bus.

Type: String
Required: No

Default: Default event bus

AWS CloudFormation compatibility: This property is passed directly to the EventBusName property of an AWS::Events::Rule resource.

Input

Valid JSON text passed to the target. If you use this property, nothing from the event text itself is passed to the target.

Type: String
Required: No

AWS CloudFormation compatibility: This property is passed directly to the Input property of an AWS::Events::Rule Target resource.

InputPath

When you don't want to pass the entire matched event to the target, use the InputPath property to describe which part of the event to pass.

Type: String
Required: No

AWS CloudFormation compatibility: This property is passed directly to the InputPath property of an AWS::Events::Rule Target resource.

Pattern

Describes which events are routed to the specified target. For more information, see Events and Event Patterns in EventBridge in the Amazon EventBridge User Guide.

Type: EventPattern
Required: Yes

AWS CloudFormation compatibility: This property is passed directly to the EventPattern property of an AWS::Events::Rule resource.

RetryPolicy

A RetryPolicy object that includes information about the retry policy settings. For more information, see Event retry policy and using dead-letter queues in the Amazon EventBridge User Guide.

Type: RetryPolicy
Required: No

AWS CloudFormation compatibility: This property is passed directly to the RetryPolicy property of the AWS::Events::Rule Target data type.
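The Pattern, Input and InputPath properties (described for both CloudWatchEvent and EventBridgeRule above) decide which events start the state machine and what data it receives, so they are where an over-broad trigger or an unexpected payload gets in. The following is an added example, not code from AWS or this guide: a small Python model of those three properties that lets you check a rule's behaviour offline before deploying. `matches_pattern` implements a subset of EventBridge pattern semantics (nested keys, value lists at the leaves, `prefix` and `exists` filters; a key missing from the pattern is unconstrained), and `target_input` reproduces the three delivery modes the reference describes: Input replaces the event wholesale, InputPath selects one part of it, and neither passes the whole event. The sample event is constructed and shaped like an EC2 instance state-change notification; the account and instance IDs are placeholders.

```python
import json

# Constructed sample event (placeholder IDs), shaped like an EC2 state-change event.
SAMPLE_EVENT = {
    "version": "0",
    "id": "constructed-0001",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "terminated"},
}


def _leaf_matches(filt, value):
    """One pattern leaf against one event value: literal equality, or a filter object."""
    if isinstance(filt, dict):
        if "prefix" in filt:
            return isinstance(value, str) and value.startswith(filt["prefix"])
        if "exists" in filt:
            return filt["exists"] is True  # key is present, so only exists:true matches
        return False  # other EventBridge filters (numeric, anything-but, ...) not modelled here
    return filt == value


def matches_pattern(pattern, event):
    """Subset of EventBridge matching: every key in the pattern must match the
    event; nested objects recurse; a list at a leaf matches if any listed value
    (or filter) matches the event value or one element of an event list."""
    for key, expected in pattern.items():
        if key not in event:
            # An absent key matches only an explicit {"exists": false} filter.
            if isinstance(expected, list) and any(
                isinstance(f, dict) and f.get("exists") is False for f in expected
            ):
                continue
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif isinstance(expected, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_leaf_matches(f, v) for f in expected for v in candidates):
                return False
        else:
            return False  # EventBridge pattern leaves must be lists, not bare scalars
    return True


def target_input(event, input_=None, input_path=None):
    """What the target receives. Input: static JSON text, event discarded.
    InputPath ($.a.b, dotted path only): that part of the event. Neither: the event."""
    if input_ is not None:
        return json.loads(input_)
    if input_path is not None:
        node = event
        for part in input_path.lstrip("$").strip(".").split("."):
            if part:
                node = node[part]
        return node
    return event


if __name__ == "__main__":
    pattern = {"detail": {"state": ["terminated"]}}  # the page's example Pattern
    print("matches:", matches_pattern(pattern, SAMPLE_EVENT))
    print("with Input:", target_input(SAMPLE_EVENT, input_='{"Key": "Value"}'))
    print("with InputPath:", target_input(SAMPLE_EVENT, input_path="$.detail"))
```

A useful habit is to run every production rule's Pattern against a handful of events you do not want to trigger it (other sources, other states) and assert they return False, the same way the page's pattern should reject a "running" state.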

Examples

EventBridgeRule

The following is an example of an EventBridgeRule event source type.

YAML

EBRule:
  Type: EventBridgeRule
  Properties:
    Input: '{"Key": "Value"}'
    Pattern:
      detail:
        state:
          - terminated

DeadLetterConfig

The object used to specify the Amazon Simple Queue Service (Amazon SQS) queue where EventBridge sends events after a failed target invocation. Invocation can fail, for example, when sending an event to a state machine that doesn't exist, or when EventBridge has insufficient permissions to invoke the state machine. For more information, see Event retry policy and using dead-letter queues in the Amazon EventBridge User Guide.

Syntax

To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.

YAML

Arn: String
QueueLogicalId: String
Type: String

Properties

Arn

The Amazon Resource Name (ARN) of the Amazon SQS queue specified as the target for the dead-letter queue.

Note: Specify either the Type property or Arn property, but not both.

Type: String
Required: No

AWS CloudFormation compatibility: This property is passed directly to the Arn property of the AWS::Events::Rule DeadLetterConfig data type.

QueueLogicalId

The custom name of the dead letter queue that AWS SAM creates if Type is specified.

Note: If the Type property is not set, this property is ignored.

Type: String
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

Type

The type of the queue. When this property is set, AWS SAM automatically creates a dead-letter queue and attaches the necessary resource-based policy, which grants the rule resource permission to send events to the queue.

Note: Specify either the Type property or Arn property, but not both.

Valid values: SQS

Type: String
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

Examples

DeadLetterConfig

The following is an example of a DeadLetterConfig object.

YAML

DeadLetterConfig:
  Type: SQS
  QueueLogicalId: MyDLQ

Schedule

The object describing a Schedule event source type, which sets your state machine as the target of an EventBridge rule that triggers on a schedule. For more information, see What Is Amazon EventBridge? in the Amazon EventBridge User Guide.

AWS Serverless Application Model (AWS SAM) generates an AWS::Events::Rule resource when this event type is set.

Syntax

To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.

YAML

DeadLetterConfig: DeadLetterConfig
Description: String
Enabled: Boolean
Input: String
Name: String
RetryPolicy: RetryPolicy
Schedule: String

Properties

DeadLetterConfig

Configure the Amazon Simple Queue Service (Amazon SQS) queue where EventBridge sends events after a failed target invocation. Invocation can fail, for example, when sending an event to a Lambda function that doesn't exist, or when EventBridge has insufficient permissions to invoke the Lambda function. For more information, see Event retry policy and using dead-letter queues in the Amazon EventBridge User Guide.

Type: DeadLetterConfig
Required: No

AWS CloudFormation compatibility: This property is similar to the DeadLetterConfig property of the AWS::Events::Rule Target data type. The AWS SAM version of this property includes additional subproperties, in case you want AWS SAM to create the dead-letter queue for you.

Description

A description of the rule.

Type: String
Required: No

AWS CloudFormation compatibility: This property is passed directly to the Description property of an AWS::Events::Rule resource.

Enabled

Indicates whether the rule is enabled.

To disable the rule, set this property to false.

Type: Boolean
Required: No

AWS CloudFormation compatibility: This property is similar to the State property of an AWS::Events::Rule resource. If this property is set to true then AWS SAM passes ENABLED, otherwise it passes DISABLED.

Input

Valid JSON text passed to the target. If you use this property, nothing from the event text itself is passed to the target.

Type: String
Required: No

AWS CloudFormation compatibility: This property is passed directly to the Target property of an AWS::Events::Rule Target resource.

Name

The name of the rule. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the rule name.

Type: String
Required: No

AWS CloudFormation compatibility: This property is passed directly to the Name property of an AWS::Events::Rule resource.

RetryPolicy

A RetryPolicy object that includes information about the retry policy settings. For more information, see Event retry policy and using dead-letter queues in the Amazon EventBridge User Guide.

Type: RetryPolicy
Required: No

AWS CloudFormation compatibility: This property is passed directly to the RetryPolicy property of the AWS::Events::Rule Target data type.

Schedule

The scheduling expression that determines when and how often the rule runs. For more information, see Schedule Expressions for Rules.

Type: String
Required: Yes

AWS CloudFormation compatibility: This property is passed directly to the ScheduleExpression property of an AWS::Events::Rule resource.
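A malformed Schedule expression or a mis-set Enabled flag is only discovered when CloudFormation rejects the stack or when the rule quietly never fires, so it is worth validating both in a pre-deployment check. The following is an added example, not code from AWS SAM or this guide: `validate_schedule` applies the EventBridge schedule-expression rules (rate() takes a positive value with a singular unit for 1 and a plural unit otherwise; cron() takes exactly six fields, and day-of-month or day-of-week must be `?`), and `rule_state` reproduces the Enabled-to-State mapping the reference describes. The expressions in the usage section are constructed test inputs.

```python
import re

RATE_RE = re.compile(r"^rate\((\d+)\s+(minute|minutes|hour|hours|day|days)\)$")
CRON_RE = re.compile(r"^cron\(([^)]*)\)$")


def validate_schedule(expression):
    """Return None when the expression is a well-formed EventBridge schedule
    expression, otherwise a string describing the problem."""
    m = RATE_RE.match(expression)
    if m:
        value, unit = int(m.group(1)), m.group(2)
        if value <= 0:
            return "rate value must be positive"
        if value == 1 and unit.endswith("s"):
            return f"use the singular unit for a value of 1: rate(1 {unit[:-1]})"
        if value > 1 and not unit.endswith("s"):
            return f"use the plural unit for values above 1: rate({value} {unit}s)"
        return None
    m = CRON_RE.match(expression)
    if m:
        fields = m.group(1).split()
        if len(fields) != 6:
            return ("cron expressions need 6 fields "
                    f"(minutes hours day-of-month month day-of-week year), got {len(fields)}")
        day_of_month, day_of_week = fields[2], fields[4]
        if "?" not in (day_of_month, day_of_week):
            return "one of day-of-month or day-of-week must be '?'"
        return None
    return "expression must be of the form rate(value unit) or cron(fields)"


def rule_state(enabled):
    """Map the SAM Enabled boolean to the AWS::Events::Rule State value:
    true passes ENABLED, otherwise DISABLED."""
    return "ENABLED" if enabled is True else "DISABLED"


if __name__ == "__main__":
    # Constructed inputs: the page's example expression plus some common mistakes.
    for expr in ("rate(1 minute)", "rate(1 minutes)", "rate(5 minute)",
                 "cron(0 12 * * ? *)", "cron(0 12 * * *)", "every minute"):
        print(f"{expr:24} -> {validate_schedule(expr) or 'ok'}")
    print("Enabled: false ->", rule_state(False))
```

The page's example sets `Enabled: false`, which is a sensible default while a new rule is being reviewed; the check above makes the resulting State explicit so that a disabled rule in a template is a deliberate choice rather than a surprise.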

Examples

CloudWatch Schedule Event

CloudWatch Schedule Event Example

YAML

CWSchedule:
  Type: Schedule
  Properties:
    Schedule: 'rate(1 minute)'
    Name: TestSchedule
    Description: test schedule
    Enabled: false

DeadLetterConfig

The object used to specify the Amazon Simple Queue Service (Amazon SQS) queue where EventBridge sends events after a failed target invocation. Invocation can fail, for example, when sending an event to a state machine that doesn't exist, or when EventBridge has insufficient permissions to invoke the state machine. For more information, see Event retry policy and using dead-letter queues in the Amazon EventBridge User Guide.

Syntax

To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.

YAML

Arn: String
QueueLogicalId: String
Type: String

Properties

Arn

The Amazon Resource Name (ARN) of the Amazon SQS queue specified as the target for the dead-letter queue.

Note: Specify either the Type property or Arn property, but not both.

Type: String
Required: No

AWS CloudFormation compatibility: This property is passed directly to the Arn property of the AWS::Events::Rule DeadLetterConfig data type.

QueueLogicalId

The custom name of the dead letter queue that AWS SAM creates if Type is specified.

Note: If the Type property is not set, this property is ignored.

Type: String
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.

Type

The type of the queue. When this property is set, AWS SAM automatically creates a dead-letter queue and attaches the necessary resource-based policy, which grants the rule resource permission to send events to the queue.

Note: Specify either the Type property or Arn property, but not both.

Valid values: SQS

Type: String
Required: No

AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
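The DeadLetterConfig object (documented above for both EventBridgeRule and Schedule) has two rules that are easy to get wrong in a template: Type and Arn are mutually exclusive, and QueueLogicalId is ignored unless Type is set. There is also a security consequence of choosing Arn: the reference says SAM attaches the queue's resource-based policy only when it creates the queue via Type, so an existing queue supplied by ARN needs that policy added by its owner, or failed events are silently dropped. The following is an added example, not code from AWS SAM or this guide: `validate_dead_letter_config` encodes the rules above, and `dlq_queue_policy` builds the least-privilege SQS queue policy that lets the EventBridge service principal deliver to the queue from one specific rule (the standard EventBridge dead-letter-queue policy shape; its exact equivalence to what SAM generates is an assumption). The ARNs in the usage section are constructed placeholders.

```python
import json
import re

SQS_ARN_RE = re.compile(r"^arn:aws[a-z-]*:sqs:")


def validate_dead_letter_config(cfg):
    """Return a list of problems found in a SAM DeadLetterConfig mapping."""
    problems = []
    has_type, has_arn = "Type" in cfg, "Arn" in cfg
    if has_type and has_arn:
        problems.append("specify either Type or Arn, not both")
    if not has_type and not has_arn:
        problems.append("neither Type nor Arn is set, so no dead-letter queue is configured")
    if has_type and cfg["Type"] != "SQS":
        problems.append(f"Type must be SQS, got {cfg['Type']!r}")
    if "QueueLogicalId" in cfg and not has_type:
        problems.append("QueueLogicalId is ignored unless Type is set")
    # Arn may be a string or an intrinsic such as {"Fn::GetAtt": [...]};
    # only literal strings can be checked for the SQS ARN shape.
    if has_arn and isinstance(cfg["Arn"], str) and not SQS_ARN_RE.match(cfg["Arn"]):
        problems.append(f"Arn does not look like an SQS queue ARN: {cfg['Arn']!r}")
    return problems


def dlq_queue_policy(queue_arn, rule_arn):
    """Queue policy an existing (Arn-supplied) queue needs so that the EventBridge
    service can deliver failed events, scoped to exactly one rule via aws:SourceArn."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowEventBridgeDeadLetterDelivery",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
        }],
    }


if __name__ == "__main__":
    # Constructed placeholder ARNs.
    queue = "arn:aws:sqs:us-east-1:111122223333:example-dlq"
    rule = "arn:aws:events:us-east-1:111122223333:rule/example-rule"
    print(validate_dead_letter_config({"Type": "SQS", "QueueLogicalId": "MyDLQ"}))  # []
    print(validate_dead_letter_config({"Arn": queue, "QueueLogicalId": "MyDLQ"}))
    print(json.dumps(dlq_queue_policy(queue, rule), indent=2))
```

Scoping the condition to the rule ARN rather than granting `events.amazonaws.com` unconditionally matters because the service principal is shared across every AWS account: without the `aws:SourceArn` condition, any EventBridge rule in any account could write into the queue.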

Examples

DeadLetterConfig

The following is an example of a DeadLetterConfig object.

YAML

DeadLetterConfig:
  Type: SQS
  QueueLogicalId: MyDLQ

For reference information for all the AWS resource and property types that are supported by AWS CloudFormation and AWS SAM, see AWS Resource and Property Types Reference in the AWS CloudFormation User Guide.