利用 AWS CloudFormation 模板创建向 Amazon SQS 队列发送消息的主题 - Amazon Simple Notification Service
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

利用 AWS CloudFormation 模板创建向 Amazon SQS 队列发送消息的主题

利用 AWS CloudFormation,您可以使用模板文件,创建并配置 AWS 资源作为单一单元。通过本部分提供的模板示例,您可以轻松部署向队列发布的主题。模板通过以下操作协助您处理设置步骤,即创建两个队列、创建订阅队列的主题、添加策略至队列,以便主题能够向队列发送消息,以及创建 IAM 用户和群组,控制对这些资源的访问。

有关使用 AWS CloudFormation 模板,请参阅 开始AWS CloudFormation 用户指南.

利用 AWS CloudFormation 模板在 AWS 账户内设置主题和队列

该模板示例创建一个 Amazon SNS 主题,该主题能够向具备相应权限的两个 Amazon SQS 队列发送信息,以便一个 IAM 组的成员能够向该主题发布消息,而另一个组则从该队列读取消息。模板还用于创建可添加至各个群组的 IAM 用户。

您可以将模板内容复制到文件中,您还可以从 安信比 CloudFormation 模板页面. 在模板页面,选择 Browse sample templates by AWS service 然后选择 Amazon Simple Queue Service.

MySNSTopic 设置为发布到两个订阅的终端,即两个 Amazon SQS 队列(MyQueue1和 MyQueue2)。MyPublishTopicGroup 是 IAM 其成员具有发布权限的组 MySNSTopic 使用 发布 API操作或 sns-发布 命令。模板创建 IAM 用户 MyPublishUser 和 MyQueueUser 并为他们提供登录配置文件和访问密钥。通过该模板创建堆栈的用户将指定登录界面密码作为输入参数。该模板为两者创建访问密钥 IAM 用户 MyPublishUserKey 和 MyQueueUserKey。 AddUserToMyPublishTopicGroup 增加了 MyPublishUser 到 MyPublishTopicGroup 以便用户拥有分配给组的权限。

MyRDMessageQueueGroup 是 IAM 其成员有权读取和删除两者中的消息 Amazon SQS 使用 ReceiveMessageDeleteMessage API操作。AddUserToMyQueueGroup 增加了 MyQueueUser 到 MyRDMessageQueueGroup 以便用户拥有分配给组的权限。MyQueuePolicy 为分配权限 MySNSTopic 将其通知发布到两个队列。

以下列示内容显示了 AWS CloudFormation 模板内容。

{ "AWSTemplateFormatVersion" : "2010-09-09", "Description" : "AWS CloudFormation Sample Template SNSToSQS: This Template creates an SNS topic that can send messages to two SQS queues with appropriate permissions for one IAM user to publish to the topic and another to read messages from the queues. MySNSTopic is set up to publish to two subscribed endpoints, which are two SQS queues (MyQueue1 and MyQueue2). MyPublishUser is an IAM user that can publish to MySNSTopic using the Publish API. MyTopicPolicy assigns that permission to MyPublishUser. MyQueueUser is an IAM user that can read messages from the two SQS queues. MyQueuePolicy assigns those permissions to MyQueueUser. It also assigns permission for MySNSTopic to publish its notifications to the two queues. The template creates access keys for the two IAM users with MyPublishUserKey and MyQueueUserKey. ***Warning*** you will be billed for the AWS resources used if you create a stack from this template.", "Parameters": { "MyPublishUserPassword": { "NoEcho": "true", "Type": "String", "Description": "Password for the IAM user MyPublishUser", "MinLength": "1", "MaxLength": "41", "AllowedPattern": "[a-zA-Z0-9]*", "ConstraintDescription": "must contain only alphanumeric characters." }, "MyQueueUserPassword": { "NoEcho": "true", "Type": "String", "Description": "Password for the IAM user MyQueueUser", "MinLength": "1", "MaxLength": "41", "AllowedPattern": "[a-zA-Z0-9]*", "ConstraintDescription": "must contain only alphanumeric characters." } }, "Resources": { "MySNSTopic": { "Type": "AWS::SNS::Topic", "Properties": { "Subscription": [{ "Endpoint": { "Fn::GetAtt": ["MyQueue1", "Arn"] }, "Protocol": "sqs" }, { "Endpoint": { "Fn::GetAtt": ["MyQueue2", "Arn"] }, "Protocol": "sqs" } ] } }, "MyQueue1": { "Type": "AWS::SQS::Queue" }, "MyQueue2": { "Type": "AWS::SQS::Queue" }, "MyPublishUser": { "Type": "AWS::IAM::User", "Properties": { "LoginProfile": { "Password": { "Ref": "MyPublishUserPassword" } } } }, "MyPublishUserKey": { "Type": "AWS::IAM::AccessKey", "Properties": { "UserName": { "Ref": "MyPublishUser" } } }, "MyPublishTopicGroup": { "Type": "AWS::IAM::Group", "Properties": { "Policies": [{ "PolicyName": "MyTopicGroupPolicy", "PolicyDocument": { "Statement": [{ "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Ref": "MySNSTopic" } }] } }] } }, "AddUserToMyPublishTopicGroup": { "Type": "AWS::IAM::UserToGroupAddition", "Properties": { "GroupName": { "Ref": "MyPublishTopicGroup" }, "Users": [{ "Ref": "MyPublishUser" }] } }, "MyQueueUser": { "Type": "AWS::IAM::User", "Properties": { "LoginProfile": { "Password": { "Ref": "MyQueueUserPassword" } } } }, "MyQueueUserKey": { "Type": "AWS::IAM::AccessKey", "Properties": { "UserName": { "Ref": "MyQueueUser" } } }, "MyRDMessageQueueGroup": { "Type": "AWS::IAM::Group", "Properties": { "Policies": [{ "PolicyName": "MyQueueGroupPolicy", "PolicyDocument": { "Statement": [{ "Effect": "Allow", "Action": [ "sqs:DeleteMessage", "sqs:ReceiveMessage" ], "Resource": [{ "Fn::GetAtt": ["MyQueue1", "Arn"] }, { "Fn::GetAtt": ["MyQueue2", "Arn"] } ] }] } }] } }, "AddUserToMyQueueGroup": { "Type": "AWS::IAM::UserToGroupAddition", "Properties": { "GroupName": { "Ref": "MyRDMessageQueueGroup" }, "Users": [{ "Ref": "MyQueueUser" }] } }, "MyQueuePolicy": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [{ "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com" }, "Action": ["sqs:SendMessage"], "Resource": "*", "Condition": { "ArnEquals": { "aws:SourceArn": { "Ref": "MySNSTopic" } } } }] }, "Queues": [{ "Ref": "MyQueue1" }, { "Ref": "MyQueue2" }] } } }, "Outputs": { "MySNSTopicTopicARN": { "Value": { "Ref": "MySNSTopic" } }, "MyQueue1Info": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyQueue1", "Arn"] }, "URL:", { "Ref": "MyQueue1" } ] ] } }, "MyQueue2Info": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyQueue2", "Arn"] }, "URL:", { "Ref": "MyQueue2" } ] ] } }, "MyPublishUserInfo": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyPublishUser", "Arn"] }, "Access Key:", { "Ref": "MyPublishUserKey" }, "Secret Key:", { "Fn::GetAtt": ["MyPublishUserKey", "SecretAccessKey"] } ] ] } }, "MyQueueUserInfo": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyQueueUser", "Arn"] }, "Access Key:", { "Ref": "MyQueueUserKey" }, "Secret Key:", { "Fn::GetAtt": ["MyQueueUserKey", "SecretAccessKey"] } ] ] } } } }