利用 Amazon CloudFormation 模板创建向 Amazon SQS 队列发送消息的主题 - Amazon Simple Notification Service
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

利用 Amazon CloudFormation 模板创建向 Amazon SQS 队列发送消息的主题

利用 Amazon CloudFormation,您可以使用模板文件,创建并配置 Amazon 资源作为单一单元。通过本部分提供的模板示例,您可以轻松部署向队列发布的主题。模板通过以下操作协助您处理设置步骤,即创建两个队列、创建订阅队列的主题、添加策略至队列,以便主题能够向队列发送消息,以及创建 IAM 用户和群组,控制对这些资源的访问。

有关使用 Amazon CloudFormation 模板部署 Amazon 资源的更多信息,请参阅 Amazon CloudFormation 用户指南中的入门

利用 Amazon CloudFormation 模板在 Amazon Web Services 账户 内设置主题和队列

该模板示例创建一个 Amazon SNS 主题,该主题能够向具备相应权限的两个 Amazon SQS 队列发送信息,以便一个 IAM 组的成员能够向该主题发布消息,而另一个组则从该队列读取消息。模板还用于创建可添加至各个群组的 IAM 用户。

您可以将模板内容复制到文件中,也可以从 Amazon CloudFormation 模板页面下载模板。在模板页面上,选择 Browse sample templates by Amazon service(按 Amazon 服务浏览示例模板),然后选择 Amazon Simple Queue Service

MySNSTopic 设定为发布到两个已订阅终端节点,这两个节点为两个 Amazon SQS 队列(MyQueue1 和 MyQueue2)。MyPublishTopicGroup 是 IAM 组,该组的成员拥有通过 Publish API 操作或 sns-publish 命令向 MySNSTopic 进行发布的权限。模板将创建 IAM 用户 MyPublishUser 和 MyQueueUser,并为上述用户提供登录界面和访问密钥。通过该模板创建堆栈的用户将指定登录界面密码作为输入参数。模板为拥有 MyPublishUserKey 和 MyQueueUserKey 的两个 IAM 用户创建访问密钥。AddUserToMyPublishTopicGroup 将 MyPublishUser 添加到 MyPublishTopicGroup,以便用户拥有分配至该群组的权限。

MyRDMessageQueueGroup 是一个 IAM 组,其成员有权使用 ReceiveMessageDeleteMessage API 操作从两个 Amazon SQS 队列中读取和删除消息。AddUserToMyQueueGroup 将 MyQueueUser 添加到 MyRDMessageQueueGroup,以便用户拥有分配至该群组的权限。MyQueuePolicy 分配 MySNSTopic 权限,以便向两个队列发布通知。

以下列示内容显示了 Amazon CloudFormation 模板内容。

{ "AWSTemplateFormatVersion" : "2010-09-09", "Description" : "AWS CloudFormation Sample Template SNSToSQS: This Template creates an SNS topic that can send messages to two SQS queues with appropriate permissions for one IAM user to publish to the topic and another to read messages from the queues. MySNSTopic is set up to publish to two subscribed endpoints, which are two SQS queues (MyQueue1 and MyQueue2). MyPublishUser is an IAM user that can publish to MySNSTopic using the Publish API. MyTopicPolicy assigns that permission to MyPublishUser. MyQueueUser is an IAM user that can read messages from the two SQS queues. MyQueuePolicy assigns those permissions to MyQueueUser. It also assigns permission for MySNSTopic to publish its notifications to the two queues. The template creates access keys for the two IAM users with MyPublishUserKey and MyQueueUserKey. ***Warning*** you will be billed for the Amazon resources used if you create a stack from this template.", "Parameters": { "MyPublishUserPassword": { "NoEcho": "true", "Type": "String", "Description": "Password for the IAM user MyPublishUser", "MinLength": "1", "MaxLength": "41", "AllowedPattern": "[a-zA-Z0-9]*", "ConstraintDescription": "must contain only alphanumeric characters." }, "MyQueueUserPassword": { "NoEcho": "true", "Type": "String", "Description": "Password for the IAM user MyQueueUser", "MinLength": "1", "MaxLength": "41", "AllowedPattern": "[a-zA-Z0-9]*", "ConstraintDescription": "must contain only alphanumeric characters." } }, "Resources": { "MySNSTopic": { "Type": "AWS::SNS::Topic", "Properties": { "Subscription": [{ "Endpoint": { "Fn::GetAtt": ["MyQueue1", "Arn"] }, "Protocol": "sqs" }, { "Endpoint": { "Fn::GetAtt": ["MyQueue2", "Arn"] }, "Protocol": "sqs" } ] } }, "MyQueue1": { "Type": "AWS::SQS::Queue" }, "MyQueue2": { "Type": "AWS::SQS::Queue" }, "MyPublishUser": { "Type": "AWS::IAM::User", "Properties": { "LoginProfile": { "Password": { "Ref": "MyPublishUserPassword" } } } }, "MyPublishUserKey": { "Type": "AWS::IAM::AccessKey", "Properties": { "UserName": { "Ref": "MyPublishUser" } } }, "MyPublishTopicGroup": { "Type": "AWS::IAM::Group", "Properties": { "Policies": [{ "PolicyName": "MyTopicGroupPolicy", "PolicyDocument": { "Statement": [{ "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Ref": "MySNSTopic" } }] } }] } }, "AddUserToMyPublishTopicGroup": { "Type": "AWS::IAM::UserToGroupAddition", "Properties": { "GroupName": { "Ref": "MyPublishTopicGroup" }, "Users": [{ "Ref": "MyPublishUser" }] } }, "MyQueueUser": { "Type": "AWS::IAM::User", "Properties": { "LoginProfile": { "Password": { "Ref": "MyQueueUserPassword" } } } }, "MyQueueUserKey": { "Type": "AWS::IAM::AccessKey", "Properties": { "UserName": { "Ref": "MyQueueUser" } } }, "MyRDMessageQueueGroup": { "Type": "AWS::IAM::Group", "Properties": { "Policies": [{ "PolicyName": "MyQueueGroupPolicy", "PolicyDocument": { "Statement": [{ "Effect": "Allow", "Action": [ "sqs:DeleteMessage", "sqs:ReceiveMessage" ], "Resource": [{ "Fn::GetAtt": ["MyQueue1", "Arn"] }, { "Fn::GetAtt": ["MyQueue2", "Arn"] } ] }] } }] } }, "AddUserToMyQueueGroup": { "Type": "AWS::IAM::UserToGroupAddition", "Properties": { "GroupName": { "Ref": "MyRDMessageQueueGroup" }, "Users": [{ "Ref": "MyQueueUser" }] } }, "MyQueuePolicy": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [{ "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com" }, "Action": ["sqs:SendMessage"], "Resource": "*", "Condition": { "ArnEquals": { "aws:SourceArn": { "Ref": "MySNSTopic" } } } }] }, "Queues": [{ "Ref": "MyQueue1" }, { "Ref": "MyQueue2" }] } } }, "Outputs": { "MySNSTopicTopicARN": { "Value": { "Ref": "MySNSTopic" } }, "MyQueue1Info": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyQueue1", "Arn"] }, "URL:", { "Ref": "MyQueue1" } ] ] } }, "MyQueue2Info": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyQueue2", "Arn"] }, "URL:", { "Ref": "MyQueue2" } ] ] } }, "MyPublishUserInfo": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyPublishUser", "Arn"] }, "Access Key:", { "Ref": "MyPublishUserKey" }, "Secret Key:", { "Fn::GetAtt": ["MyPublishUserKey", "SecretAccessKey"] } ] ] } }, "MyQueueUserInfo": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyQueueUser", "Arn"] }, "Access Key:", { "Ref": "MyQueueUserKey" }, "Secret Key:", { "Fn::GetAtt": ["MyQueueUserKey", "SecretAccessKey"] } ] ] } } } }