examples/security/stack-group-aliyun-ros-stack-group-execution-role.yml

ROSTemplateFormatVersion: '2015-09-01'
Description:
  zh-cn: 创建角色AliyunROSStackGroupExecutionRole并绑定管理员权限，允许账户作为ROS资源栈组目标账户使用。
  en: The action of creating the role named "AliyunROSStackGroupExecutionRole" and
    binding it with administrative privileges is performed. This role, empowered with
    administrator permissions, allows the account to act as the target account for
    ROS resource stack groups, thereby enabling the usage of ROS resources within
    the defined scope of operations.
Conditions:
  CurrentAccount:
    Fn::Equals:
    - Ref: AdministrationAccountId
    - ''
Parameters:
  ExecutionRoleName:
    Type: String
    Description:
      en: Execution role name of target account
      zh-cn: 为目标账号创建执行角色的名称
    Default: AliyunROSStackGroupExecutionRole
  AdministrationAccountId:
    Type: String
    Description:
      zh-cn: 管理员主账号ID，不填则授权给当前账号
      en: Administration account ID. If not, authorize the current account
    Default: ''
Resources:
  AliyunROSStackGroupExecutionRole:
    Type: ALIYUN::RAM::Role
    Properties:
      RoleName:
        Ref: ExecutionRoleName
      AssumeRolePolicyDocument:
        Version: 1
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            RAM:
            - Fn::Join:
              - ''
              - - 'acs:ram::'
                - Fn::If:
                  - CurrentAccount
                  - Ref: ALIYUN::TenantId
                  - Ref: AdministrationAccountId
                - :root
  AttachPolicy:
    Type: ALIYUN::RAM::AttachPolicyToRole
    Properties:
      PolicyName: AdministratorAccess
      PolicyType: System
      RoleName:
        Fn::GetAtt:
        - AliyunROSStackGroupExecutionRole
        - RoleName
Outputs:
  ExecutionRoleName:
    Value:
      Fn::GetAtt:
      - AliyunROSStackGroupExecutionRole
      - RoleName
Metadata:
  ALIYUN::ROS::Interface:
    ParameterGroups:
    - Parameters:
      - ExecutionRoleName
      - AdministrationAccountId
      Label:
        default: RAM
    TemplateTags:
    - acs:example:安全:创建StackGroup目标账号权限
  ALIYUN::ROS::Composer:
    77e9e9ce:
      Rect:
        - 359
        - 270
        - 40
        - 100
        - 1
        - 0
      ResT: Composer::ROSParameter::AlibabaCloud
    16dc4fe1:
      Parent: 77e9e9ce
      Rect:
        - 292
        - 175
        - 60
        - 150
        - 2
        - 0
      ResT: Composer::ROSParameter::Region
    ac65b239:
      Res:
        - AliyunROSStackGroupExecutionRole
      Parent: 16dc4fe1
      Rect:
        - 40
        - 40
        - 239
        - 200
        - 3
        - 0
    694523d8:
      Res:
        - AttachPolicy
      Parent: 16dc4fe1
      Rect:
        - 40
        - 40
        - 135
        - 200
        - 3
        - 0
    8a037c73:
      Parent: 16dc4fe1
      Edge:
        - 694523d8
        - ac65b239
      Line: 0:0:0:gray:0