這是 AWS CDK v2 開發人員指南。較舊的 CDK v1 已於 2022 年 6 月 1 日進入維護,並於 2023 年 6 月 1 日結束支援。
本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 淡化
漸層是將資源與應用程式的其他部分連線的類別。每個外觀都以一種資源類型為目標。例如, 類別會命名為 ,`BucketGrants`因為它會授予 Amazon S3 儲存貯體的存取權。淡入會同時使用 L1 (CloudFormation 層級) 和 L2 (意圖型) 建構。
系統會產生一些淡出圖,並準備好用於大多數資源,例如指標和反射類別。其他則針對需要自訂邏輯的資源手動編寫,例如授與類別。
## 授予類別
最廣泛使用的 Facades 是 Grants 類別。它們可讓您使用簡單的方法來授予 AWS 資源的存取權。例如,您可以將 `BucketGrants`用於 Amazon S3 儲存貯體,將 `TopicGrants`用於 Amazon SNS 主題。
L2 建構具有`grants`屬性,可輕鬆存取。您也可以使用其原廠方法,從 L1 建構模組建立授與類別。下列範例顯示這兩種方法:
**Example**
```
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as iam from 'aws-cdk-lib/aws-iam';
// myRole is an IAM role defined elsewhere in your app
// Using grants on an L2 construct (via the grants property)
const l2Bucket = new s3.Bucket(this, 'L2Bucket');
l2Bucket.grants.read(myRole);
// Using grants on an L1 construct (via the factory method)
const l1Bucket = new s3.CfnBucket(this, 'L1Bucket');
s3.BucketGrants.fromBucket(l1Bucket).read(myRole);
```
```
const s3 = require('aws-cdk-lib/aws-s3');
const iam = require('aws-cdk-lib/aws-iam');
// myRole is an IAM role defined elsewhere in your app
// Using grants on an L2 construct (via the grants property)
const l2Bucket = new s3.Bucket(this, 'L2Bucket');
l2Bucket.grants.read(myRole);
// Using grants on an L1 construct (via the factory method)
const l1Bucket = new s3.CfnBucket(this, 'L1Bucket');
s3.BucketGrants.fromBucket(l1Bucket).read(myRole);
```
```
import aws_cdk.aws_s3 as s3
import aws_cdk.aws_iam as iam
# my_role is an IAM role defined elsewhere in your app
# Using grants on an L2 construct (via the grants property)
l2_bucket = s3.Bucket(self, "L2Bucket")
l2_bucket.grants.read(my_role)
# Using grants on an L1 construct (via the factory method)
l1_bucket = s3.CfnBucket(self, "L1Bucket")
s3.BucketGrants.from_bucket(l1_bucket).read(my_role)
```
```
import software.amazon.awscdk.services.s3.*;
import software.amazon.awscdk.services.iam.*;
// myRole is an IAM role defined elsewhere in your app
// Using grants on an L2 construct (via the grants property)
Bucket l2Bucket = new Bucket(this, "L2Bucket");
l2Bucket.getGrants().read(myRole);
// Using grants on an L1 construct (via the factory method)
CfnBucket l1Bucket = new CfnBucket(this, "L1Bucket");
BucketGrants.fromBucket(l1Bucket).read(myRole);
```
```
using Amazon.CDK.AWS.S3;
using Amazon.CDK.AWS.IAM;
// myRole is an IAM role defined elsewhere in your app
// Using grants on an L2 construct (via the grants property)
var l2Bucket = new Bucket(this, "L2Bucket");
l2Bucket.Grants.Read(myRole);
// Using grants on an L1 construct (via the factory method)
var l1Bucket = new CfnBucket(this, "L1Bucket");
BucketGrants.FromBucket(l1Bucket).Read(myRole);
```
```
import (
"github.com/aws/jsii-runtime-go"
awss3 "github.com/aws/aws-cdk-go/awscdk/v2/awss3"
)
// myRole is an IAM role defined elsewhere in your app
l2Bucket := awss3.NewBucket(stack, jsii.String("L2Bucket"), nil)
l2Bucket.Grants().Read(myRole, nil)
l1Bucket := awss3.NewCfnBucket(stack, jsii.String("L1Bucket"), nil)
awss3.BucketGrants_FromBucket(l1Bucket).Read(myRole, nil)
```
如需授予和許可的詳細資訊,請參閱[授予](permissions.md#permissions-grants)。
## 搭配 混音使用淡入
您可以將 Facades 與 [Mixins](mixins.md) 結合,以獲得 LL1L2-like體驗。使用 Mixins 來設定資源,並使用 Facades 來授予存取權:
**Example**
```
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as iam from 'aws-cdk-lib/aws-iam';
// Configure the resource with Mixins
const bucket = new s3.CfnBucket(this, 'MyBucket')
.with(new s3.mixins.BucketVersioning())
.with(new s3.mixins.BucketBlockPublicAccess());
// Grant permissions using a Facade
const role = new iam.Role(this, 'MyRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
s3.BucketGrants.fromBucket(bucket).read(role);
```
```
const s3 = require('aws-cdk-lib/aws-s3');
const iam = require('aws-cdk-lib/aws-iam');
// Configure the resource with Mixins
const bucket = new s3.CfnBucket(this, 'MyBucket')
.with(new s3.mixins.BucketVersioning())
.with(new s3.mixins.BucketBlockPublicAccess());
// Grant permissions using a Facade
const role = new iam.Role(this, 'MyRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
s3.BucketGrants.fromBucket(bucket).read(role);
```
```
import aws_cdk.aws_s3 as s3
import aws_cdk.aws_iam as iam
# Configure the resource with Mixins
bucket = s3.CfnBucket(self, "MyBucket") \
.with_(s3.mixins.BucketVersioning()) \
.with_(s3.mixins.BucketBlockPublicAccess())
# Grant permissions using a Facade
role = iam.Role(self, "MyRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
)
s3.BucketGrants.from_bucket(bucket).read(role)
```
```
import software.amazon.awscdk.services.s3.*;
import software.amazon.awscdk.services.iam.*;
// Configure the resource with Mixins
CfnBucket bucket = new CfnBucket(this, "MyBucket");
bucket.with(new BucketVersioning());
bucket.with(new BucketBlockPublicAccess());
// Grant permissions using a Facade
Role role = Role.Builder.create(this, "MyRole")
.assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
.build();
BucketGrants.fromBucket(bucket).read(role);
```
```
using Amazon.CDK.AWS.S3;
using Amazon.CDK.AWS.IAM;
// Configure the resource with Mixins
var bucket = new CfnBucket(this, "MyBucket");
bucket.With(new BucketVersioning());
bucket.With(new BucketBlockPublicAccess());
// Grant permissions using a Facade
var role = new Role(this, "MyRole", new RoleProps
{
AssumedBy = new ServicePrincipal("lambda.amazonaws.com")
});
BucketGrants.FromBucket(bucket).Read(role);
```
```
bucket := awss3.NewCfnBucket(stack, jsii.String("MyBucket"), nil)
bucket.With(awss3.NewBucketVersioning())
bucket.With(awss3.NewBucketBlockPublicAccess())
role := awsiam.NewRole(stack, jsii.String("MyRole"), &awsiam.RoleProps{
AssumedBy: awsiam.NewServicePrincipal(jsii.String("lambda.amazonaws.com"), nil),
})
awss3.BucketGrants_FromBucket(bucket).Read(role, nil)
```
## 相關資源
+ [混合](mixins.md) – 將可重複使用的功能新增至 L1 和 L2 建構。
+ [授予](permissions.md#permissions-grants) – 在資源之間授予許可。
+ [建構](constructs.md) – 了解 L1, L2 和 L3 建構。