AWS::VerifiedPermissions::PolicyTemplate - AWS CloudFormation

AWS::VerifiedPermissions::PolicyTemplate

Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::VerifiedPermissions::PolicyTemplate",
  "Properties" : {
    "Description" : String,
    "PolicyStoreId" : String,
    "Statement" : String
  }
}

YAML

Type: AWS::VerifiedPermissions::PolicyTemplate
Properties:
  Description: String
  PolicyStoreId: String
  Statement: String

Properties

Description

The description to attach to the new or updated policy template.

Required: No

Type: String

Minimum: 0

Maximum: 150

Update requires: No interruption

PolicyStoreId

The unique identifier of the policy store that contains the template.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9-]*$

Minimum: 1

Maximum: 200

Update requires: Replacement

Statement

Specifies the content that you want to use for the new policy template, written in the Cedar policy language.

Required: Yes

Type: String

Minimum: 1

Maximum: 10000

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the unique id of the policy store followed by '|' and the unique id of the new or updated policy template. For example:

{ "Ref": "POLICYSTOREabcde111111|POLICYTEMPLATEab111111" }

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

PolicyTemplateId

The unique identifier of the new or modified policy template.

Examples

Creating a policy template

The following example creates a policy template with the specified statement.

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation sample template for creating a policy template for Verified Permissions.",
  "Parameters": {
    "PolicyStoreId": {
      "Type": "String"
    },
    "Description": {
      "Type": "String"
    },
    "Statement": {
      "Type": "String"
    }
  },
  "Resources": {
    "PolicyTemplate": {
      "Type": "AWS::VerifiedPermissions::PolicyTemplate",
      "Properties": {
        "PolicyStoreId": {
          "Ref": "PolicyStoreId"
        },
        "Description": {
          "Ref": "Description"
        },
        "Statement": {
          "Ref": "Statement"
        }
      }
    }
  },
  "Outputs": {
    "PolicyTemplateId": {
      "Value": {
        "Fn::GetAtt": [
          "PolicyTemplate",
          "PolicyTemplateId"
        ]
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation sample template for creating a policy template for Verified Permissions.
Parameters:
  PolicyStoreId:
    Type: String
  Description:
    Type: String
  Statement:
    Type: String
Resources:
  PolicyTemplate:
    Type: AWS::VerifiedPermissions::PolicyTemplate
    Properties:
      PolicyStoreId: !Ref PolicyStoreId
      Description: !Ref Description
      Statement: !Ref Statement
Outputs:
  PolicyTemplateId:
    Value: !GetAtt PolicyTemplate.PolicyTemplateId
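The sample above passes the Cedar statement in as a parameter, so it never shows what a template statement looks like or how it gets instantiated. The following template is an added example, not part of the AWS documentation: it writes the Cedar statement inline with the ?principal and ?resource placeholders that the description of this resource refers to, and links one concrete principal and resource to it through an AWS::VerifiedPermissions::Policy resource with a TemplateLinked definition (that sibling resource type and its property names are assumed here, as are the PhotoApp entity types, which are hypothetical).

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Policy template with ?principal/?resource slots and one policy linked to it.
Parameters:
  PolicyStoreId:
    Type: String
    Description: ID of an existing policy store (assumed to be created elsewhere)
Resources:
  ViewPhotoTemplate:
    Type: AWS::VerifiedPermissions::PolicyTemplate
    Properties:
      PolicyStoreId: !Ref PolicyStoreId
      Description: Lets one user view one photo (hypothetical PhotoApp schema)
      # Cedar template statement. ?principal and ?resource are the only slots
      # Cedar allows; they are filled in when a policy is linked to this template.
      Statement: |
        permit(
          principal == ?principal,
          action == PhotoApp::Action::"viewPhoto",
          resource == ?resource
        );
  AliceViewsVacationPhoto:
    # Template-linked policy: binds the two slots to specific entities.
    # Changing Statement above rewrites the effect of this policy immediately.
    Type: AWS::VerifiedPermissions::Policy
    Properties:
      PolicyStoreId: !Ref PolicyStoreId
      Definition:
        TemplateLinked:
          PolicyTemplateId: !GetAtt ViewPhotoTemplate.PolicyTemplateId
          Principal:
            EntityType: PhotoApp::User
            EntityId: alice
          Resource:
            EntityType: PhotoApp::Photo
            EntityId: vacation.jpg
Outputs:
  PolicyTemplateId:
    Value: !GetAtt ViewPhotoTemplate.PolicyTemplateId
  TemplateRef:
    # Ref returns "<policy store ID>|<policy template ID>"
    Value: !Ref ViewPhotoTemplate
```

Because Statement updates require no interruption and every linked policy follows the template immediately, treat a change to Statement as a change to the effective permissions of every principal/resource pair linked to it, and review it accordingly.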