如何在 CloudFormation 中獲取 SSM 文檔的 ARN？

Question

我有一個 CloudFormation 模板，它創建了一個AWS::Events::Rule和一個AWS::SSM::Document 。 我需要為SSM::Rule提供Targets列表，但每個目標都需要一個ARN ：

mySSMDocument:
  Type: AWS::SSM::Document
  Properties:
    DocumentType: 'Command'
    Content:
      schemaVersion: '2.2'
      description: "Code that will be run on EC2"
      mainSteps:
        - action: "aws:runShellScript"
          name: runShellScript
          inputs:
            runCommand:
              - 'Some command to execute'
myEventRule:
  Type: AWS::Events::Rule
  Properties:
    Description: "A description for the Rule."
    EventPattern: 
      source:
        - "aws.autoscaling"
      detail-type:
        - "EC2 Instance-terminate Lifecycle Action"
      detail:
        AutoScalingGroupName:
          - !Ref 'someAutoScalingGroupInThisTemplate'
    RoleArn: 'some role ARN'
    State: "ENABLED"
    Targets:
      - Id: "some-unique-id"
        Arn: <-- This is the value that I need to fill in.
        RunCommandParameters:
          RunCommandTargets:
            - Key: "tag: Name"
              Values:
                - 'The name of the EC2 machine'

我認為我需要用mySSMDocument的ARN替換<-- This is the value that I need to fill in. ，但我沒有看到任何方法可以從模板本身中檢索此值。 該文檔沒有在SSM::Document上指定任何允許獲取ARN GetAtt功能。 有誰知道如何解決這個問題？

Answer 1

這是文檔的 ARN 模式

arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName}

例子：

arn:aws:ssm:us-east-2:12345678912:document/demooo

您可以使用Ref函數獲取文檔名稱，然后使用Sub創建最終的 ARN

參考： https : //docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html#awssystemsmanager-resources-for-iam-policies

Answer 2

!Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${mySSMDocument}

您可以產生的ARN格式AWS::SSM::Document使用的返回值的AWS::SSM::Document ，該偽參數分區，區域和ACCOUNTID和Sub內在功能