I'm creating an RDS cluster
and, in the same template, a policy with some permissions to allow particular actions over that cluster.
Statement:
  - Effect: Allow
    Action:
      - 'rds-data:BatchExecuteStatement'
      - 'rds-data:ExecuteStatement'
    Resource: 'arn:aws:rds:us-east-1:1111111111:cluster:production-mycluster-rdscluster-no1yzvzs29sq'
The problem is that AWS::RDS::DBCluster does not support Fn::GetAtt ARN, and, since RDS adds that random string at the end of the ARN (in this example no1yzvzs29sq), I don't know how I can use something like a wildcard to "whitelist" part of the name.
I would like something like
arn:aws:rds:us-east-1:1111111111:cluster:production-mycluster-rdscluster-*
But it doesn't work. I would appreciate any help!
You can construct the ARN based on the Cluster name yourself.
For example:
Statement:
  - Effect: Allow
    Action:
      - 'rds-data:BatchExecuteStatement'
      - 'rds-data:ExecuteStatement'
    Resource: !Sub 'arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:cluster:${MyDBCluster}'
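A complete template that applies this answer, added here as an example and not part of the original question or answer: it declares the cluster, a writer instance and a managed policy whose Resource is built with !Sub from the cluster's Ref (Ref on AWS::RDS::DBCluster returns the DBClusterIdentifier, which is exactly the last component of the cluster ARN, so no wildcard over the generated suffix is needed). The logical IDs MyDBCluster, MyDBInstance and DataApiPolicy, the aurora-postgresql engine, the Serverless v2 capacity range and the managed master password are assumptions chosen for illustration. Because the Data API also requires the caller to read the Secrets Manager secret that holds the database credentials, the policy grants secretsmanager:GetSecretValue on that one secret's ARN rather than on a wildcard.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Aurora cluster plus a least-privilege Data API policy whose Resource ARN is
  derived from the cluster's Ref (added example; names are assumptions).

Resources:
  # Assumed cluster definition. Only EnableHttpEndpoint (Data API) and the
  # managed master password matter for the policy below; the rest is a
  # minimal, encrypted Serverless v2 setup.
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-postgresql
      MasterUsername: dbadmin
      ManageMasterUserPassword: true      # password stored in Secrets Manager by RDS
      EnableHttpEndpoint: true            # turns on the Data API (rds-data:*)
      StorageEncrypted: true
      DeletionProtection: true
      ServerlessV2ScalingConfiguration:
        MinCapacity: 0.5
        MaxCapacity: 2

  # A Serverless v2 cluster still needs at least one instance to serve queries.
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBClusterIdentifier: !Ref MyDBCluster
      DBInstanceClass: db.serverless
      Engine: aurora-postgresql

  # Policy scoped to exactly one cluster and exactly one credentials secret.
  DataApiPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Execute SQL through the Data API against MyDBCluster only
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DataApiOnThisCluster
            Effect: Allow
            Action:
              - rds-data:BatchExecuteStatement
              - rds-data:ExecuteStatement
            # ${MyDBCluster} resolves to the DBClusterIdentifier (Ref), which
            # already includes the random suffix CloudFormation generated.
            Resource: !Sub 'arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:cluster:${MyDBCluster}'
          - Sid: ReadOnlyTheClusterSecret
            Effect: Allow
            Action: secretsmanager:GetSecretValue
            # The Data API authenticates with this secret; MasterUserSecret.SecretArn
            # is the GetAtt exposed when ManageMasterUserPassword is true.
            Resource: !GetAtt MyDBCluster.MasterUserSecret.SecretArn

Outputs:
  ClusterArn:
    Description: ARN that the policy's Resource resolves to
    Value: !Sub 'arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:cluster:${MyDBCluster}'
```

Attach DataApiPolicy to the role or user that will call the Data API. After deployment, compare the ClusterArn output with the ARN shown in the RDS console or by `aws rds describe-db-clusters`; they match because Ref returns the identifier that RDS itself embeds in the ARN, so the policy cannot accidentally cover a sibling cluster with a similar prefix.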