/AWS1/CL_REHPERMISSIONMODEL
Defines the roles and credentials that Resilience Hub would use while creating the application, importing its resources, and running an assessment.
CONSTRUCTOR
IMPORTING
Required arguments:
iv_type TYPE /AWS1/REHPERMISSIONMODELTYPE
Defines how Resilience Hub scans your resources. It can scan for the resources by using a pre-existing role in your Amazon Web Services account, or by using the credentials of the current IAM user.
Optional arguments:
iv_invokerrolename TYPE /AWS1/REHIAMROLENAME
Existing Amazon Web Services IAM role name in the primary Amazon Web Services account that will be assumed by the Resilience Hub service principal to obtain read-only access to your application resources while running an assessment.
If your IAM role includes a path, you must include the path in the `invokerRoleName` parameter. For example, if your IAM role's ARN is `arn:aws:iam:123456789012:role/my-path/role-name`, you should pass `my-path/role-name`.
You must have `iam:passRole` permission for this role while creating or updating the application.
Currently, `invokerRoleName` accepts only `[A-Za-z0-9_+=,.@-]` characters.
it_crossaccountrolearns TYPE /AWS1/CL_REHIAMROLEARNLIST_W=>TT_IAMROLEARNLIST
Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts. These ARNs are used for querying purposes while importing resources and assessing your application.
These ARNs are required only when your resources are in other accounts and you have a different role name in these accounts. Otherwise, the invoker role name will be used in the other accounts.
These roles must have a trust policy with `iam:AssumeRole` permission to the invoker role in the primary account.
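As an added example (not part of the AWS SDK reference or AWS sample code), the following ABAP code derives `iv_invokerrolename` from a role ARN including its path, checks each path segment against the documented character set, and passes only the cross-account ARNs whose role name differs from the invoker role name. The ARNs and account IDs are constructed placeholders; `'RoleBased'` as the type value, the `iv_value` parameter of the list wrapper constructor, and applying the character set to each `/`-separated segment are assumptions not stated on this page.

```abap
" Added example. All ARNs, account IDs and role names are constructed.
" IAM ARNs have an empty region field, hence the '::' before the account ID.
CONSTANTS lc_segment_regex TYPE string VALUE `[A-Za-z0-9_+=,.@-]+`.

DATA(lv_invoker_arn) = `arn:aws:iam::123456789012:role/my-path/role-name`.

" Keep the path: everything after ':role/' is the value invokerRoleName expects.
DATA(lv_invoker_name) = substring_after( val = lv_invoker_arn sub = `:role/` ).

" Assumption: '/' only separates path segments, so each segment is checked
" against the documented character set on its own.
SPLIT lv_invoker_name AT `/` INTO TABLE DATA(lt_segments).
LOOP AT lt_segments INTO DATA(lv_segment).
  IF NOT matches( val = lv_segment regex = lc_segment_regex ).
    MESSAGE |Unsupported character in role name segment '{ lv_segment }'| TYPE 'E'.
  ENDIF.
ENDLOOP.

" Roles in other accounts that hold application resources.
DATA(lt_other_roles) = VALUE string_table(
  ( `arn:aws:iam::210987654321:role/my-path/role-name` )       " same name as invoker
  ( `arn:aws:iam::345678901234:role/resilience-read-only` ) ). " different name

" An explicit ARN is needed only where the role name differs from the
" invoker role name; the other accounts fall back to the invoker role name.
DATA lt_cross_arns TYPE /aws1/cl_rehiamrolearnlist_w=>tt_iamrolearnlist.
LOOP AT lt_other_roles INTO DATA(lv_arn).
  IF substring_after( val = lv_arn sub = `:role/` ) <> lv_invoker_name.
    " iv_value is assumed to be the wrapper constructor's parameter name.
    APPEND NEW /aws1/cl_rehiamrolearnlist_w( iv_value = lv_arn ) TO lt_cross_arns.
  ENDIF.
ENDLOOP.

" 'RoleBased' is assumed to be the role-based value of the type field.
DATA(lo_permission_model) = NEW /aws1/cl_rehpermissionmodel(
  iv_type                 = 'RoleBased'
  iv_invokerrolename      = lv_invoker_name
  it_crossaccountrolearns = lt_cross_arns ).
```

Only the second constructed ARN ends up in `lt_cross_arns`, which keeps the list of explicitly trusted cross-account roles as short as the configuration allows.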
Queryable Attributes
type
Defines how Resilience Hub scans your resources. It can scan for the resources by using a pre-existing role in your Amazon Web Services account, or by using the credentials of the current IAM user.
Accessible with the following methods

| Method | Description |
|---|---|
| GET_TYPE() | Getter for TYPE, with configurable default |
| ASK_TYPE() | Getter for TYPE w/ exceptions if field has no value |
| HAS_TYPE() | Determine if TYPE has a value |
invokerRoleName
Existing Amazon Web Services IAM role name in the primary Amazon Web Services account that will be assumed by the Resilience Hub service principal to obtain read-only access to your application resources while running an assessment.
If your IAM role includes a path, you must include the path in the `invokerRoleName` parameter. For example, if your IAM role's ARN is `arn:aws:iam:123456789012:role/my-path/role-name`, you should pass `my-path/role-name`.
You must have `iam:passRole` permission for this role while creating or updating the application.
Currently, `invokerRoleName` accepts only `[A-Za-z0-9_+=,.@-]` characters.
Accessible with the following methods

| Method | Description |
|---|---|
| GET_INVOKERROLENAME() | Getter for INVOKERROLENAME, with configurable default |
| ASK_INVOKERROLENAME() | Getter for INVOKERROLENAME w/ exceptions if field has no val |
| HAS_INVOKERROLENAME() | Determine if INVOKERROLENAME has a value |
crossAccountRoleArns
Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts. These ARNs are used for querying purposes while importing resources and assessing your application.
These ARNs are required only when your resources are in other accounts and you have a different role name in these accounts. Otherwise, the invoker role name will be used in the other accounts.
These roles must have a trust policy with `iam:AssumeRole` permission to the invoker role in the primary account.
Accessible with the following methods

| Method | Description |
|---|---|
| GET_CROSSACCOUNTROLEARNS() | Getter for CROSSACCOUNTROLEARNS, with configurable default |
| ASK_CROSSACCOUNTROLEARNS() | Getter for CROSSACCOUNTROLEARNS w/ exceptions if field has n |
| HAS_CROSSACCOUNTROLEARNS() | Determine if CROSSACCOUNTROLEARNS has a value |