【Posted】: 2021-03-09 14:55:51
【Question】:
I have defined a CloudFormation template like this:
    AWSTemplateFormatVersion: 2010-09-09
    Description: Auth stack
    Transform: AWS::Serverless-2016-10-31
    Parameters:
      DeveloperProviderName:
        Description: Developer provider name
        Type: String
    Conditions:
      Never:
        !Equals [ "true", "false" ]
    Resources:
      CognitoIdentityPool:
        Type: Custom::CognitoIdentityPool
        Version: '1.0'
        Properties:
          IdentityPoolName: !Sub "${AWS::StackName}-cognito-idp"
          DeveloperProviderName: !Ref DeveloperProviderName
          ServiceToken: !GetAtt CreateIdentityPoolFunction.Arn
      .
      .
      more stuff here for the lambda function etc
      .
      .
Then I want to add a stack policy that denies Replace and Delete:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "Update:*",
          "Principal": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": [
            "Update:Replace",
            "Update:Delete"
          ],
          "Principal": "*",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ResourceType": [
                "Custom::CognitoIdentityPool"
              ]
            }
          }
        }
      ]
    }
This is how I set the stack policy:

    aws cloudformation set-stack-policy \
      --stack-name ${stackName} \
      --stack-policy-body file://${policyPath}

This is the error I get when setting the stack policy:
An error occurred (ValidationError) when calling the SetStackPolicy operation: Error validating stack policy: Unknown resource type 'Custom::CognitoIdentityPool' in statement {}
Any ideas on how to protect these custom resources with a stack policy?
【Discussion】:
Tags: amazon-web-services amazon-cloudformation amazon-cognito
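To check what a stack policy like the one in the question is meant to do before handing it to set-stack-policy, here is an added Python example; it is not part of the question and not AWS code. It assumes the documented stack policy evaluation rules: once a policy is set every update action is denied unless a statement allows it, an explicit Deny overrides any Allow, Principal must be "*", and "*" wildcards apply in Action, Resource (matched against LogicalResourceId/<name>) and StringLike/StringNotLike conditions on ResourceType. The policy text below is a constructed copy of the one in the question. The evaluator only shows the intended effect of the policy locally; it does not settle whether the service accepts a Custom:: type in ResourceType, which is exactly what the question asks.

```python
"""Local evaluator for a CloudFormation stack policy (added example, assumed semantics)."""
import fnmatch
import json

# Constructed sample: the stack policy from the question, embedded so this runs offline.
STACK_POLICY_JSON = r'''
{
  "Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["Update:Replace", "Update:Delete"],
     "Principal": "*",
     "Resource": "*",
     "Condition": {"StringEquals": {"ResourceType": ["Custom::CognitoIdentityPool"]}}}
  ]
}
'''

UPDATE_ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def load_policy(text):
    """Parse the policy and check the structural rules every statement must satisfy."""
    policy = json.loads(text)
    for stmt in policy["Statement"]:
        for key in ("Effect", "Action", "Principal", "Resource"):
            if key not in stmt:
                raise ValueError(f"statement is missing required element {key!r}")
        if stmt["Effect"] not in ("Allow", "Deny"):
            raise ValueError(f"unsupported Effect {stmt['Effect']!r}")
        if stmt["Principal"] != "*":
            raise ValueError("stack policies only support Principal \"*\"")
    return policy


def _condition_matches(condition, resource_type):
    """True when the statement's Condition (if any) applies to resource_type."""
    if not condition:
        return True
    for operator, fields in condition.items():
        patterns = _as_list(fields.get("ResourceType", []))
        if operator == "StringEquals":
            hit = resource_type in patterns
        elif operator == "StringNotEquals":
            hit = resource_type not in patterns
        elif operator == "StringLike":
            hit = any(fnmatch.fnmatchcase(resource_type, p) for p in patterns)
        elif operator == "StringNotLike":
            hit = not any(fnmatch.fnmatchcase(resource_type, p) for p in patterns)
        else:
            raise ValueError(f"unsupported condition operator {operator!r}")
        if not hit:
            return False
    return True


def _statement_matches(stmt, action, logical_id, resource_type):
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt["Resource"])
    resource_key = f"LogicalResourceId/{logical_id}"
    return (
        any(fnmatch.fnmatchcase(action, a) for a in actions)
        and any(fnmatch.fnmatchcase(resource_key, r) for r in resources)
        and _condition_matches(stmt.get("Condition"), resource_type)
    )


def evaluate(policy, action, logical_id, resource_type):
    """Return 'Allow' or 'Deny' for one update action on one stack resource."""
    decision = "Deny"  # assumed default: everything is protected until an Allow matches
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, logical_id, resource_type):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins over any Allow, earlier or later
        decision = "Allow"
    return decision


def protection_report(policy, logical_id, resource_type):
    """Map each update action to its decision for one resource."""
    return {a: evaluate(policy, a, logical_id, resource_type) for a in UPDATE_ACTIONS}


if __name__ == "__main__":
    pol = load_policy(STACK_POLICY_JSON)
    print(protection_report(pol, "CognitoIdentityPool", "Custom::CognitoIdentityPool"))
    print(protection_report(pol, "CreateIdentityPoolFunction", "AWS::Lambda::Function"))
```

Running it shows Modify allowed but Replace and Delete denied for the custom resource, while the Lambda function stays fully updatable, which is the protection the question is after; the remaining problem is purely whether the SetStackPolicy validator accepts the custom type name in the condition.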