Reputation: 298
I am trying to create a CloudFormation template that creates a role, and I want to include managed policies in the role, but only if a condition is true. CloudFormation doesn't allow something like this:
    "MyRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "ManagedPolicyArns": [
                "Condition": "MyCondition":
                {
                    "Ref": "EMRFullAccessManagedPolicy"
                }
            ],
            "RoleName": "myRole"
        }
    }
Is there a way to use conditions in properties this way?
Upvotes: 0
Views: 605
Reputation: 104196
You could use Fn::If:
    "ManagedPolicyArns": {
        "Fn::If": [
            "MyCondition",
            [{"Ref": "EMRFullAccessManagedPolicy"}],
            []
        ]
    }
or
    "ManagedPolicyArns": {
        "Fn::If": [
            "AddSageMakerAccess",
            ["arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"],
            {
                "Fn::If": [
                    "AddEMRFullAccessPolicy",
                    ["arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2"],
                    []
                ]
            }
        ]
    },
The above will work if AddSageMakerAccess and AddEMRFullAccessPolicy are mutually exclusive.
Upvotes: 1
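For the case where both conditions can be true at once, each list element can carry its own `Fn::If` that resolves to the `AWS::NoValue` pseudo parameter when the condition is false, so every policy is attached or dropped independently. The template below is an added example, not part of the original answer; the parameter names `EnableSageMaker` and `EnableEMR` and the `ec2.amazonaws.com` trust principal are assumptions, and both switches default to `false` so the broad FullAccess policies are attached only when explicitly requested.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: parameter names and trust principal are assumptions",
  "Parameters": {
    "EnableSageMaker": {
      "Type": "String",
      "AllowedValues": ["true", "false"],
      "Default": "false"
    },
    "EnableEMR": {
      "Type": "String",
      "AllowedValues": ["true", "false"],
      "Default": "false"
    }
  },
  "Conditions": {
    "AddSageMakerAccess": {"Fn::Equals": [{"Ref": "EnableSageMaker"}, "true"]},
    "AddEMRFullAccessPolicy": {"Fn::Equals": [{"Ref": "EnableEMR"}, "true"]}
  },
  "Resources": {
    "MyRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole"
          }]
        },
        "ManagedPolicyArns": [
          {"Fn::If": ["AddSageMakerAccess",
            "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
            {"Ref": "AWS::NoValue"}]},
          {"Fn::If": ["AddEMRFullAccessPolicy",
            "arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2",
            {"Ref": "AWS::NoValue"}]}
        ]
      }
    }
  }
}
```

With both parameters left at `false`, every element resolves to `AWS::NoValue` and the role is created with no managed policies attached.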