【Question title】: Best way to convert cloudformation serverless template into Terraform
【Posted】: 2020-07-09 07:40:13
【Question】:

I'm trying to convert a serverless framework YML file into a Terraform script.

This is my first time using Terraform, and I don't have much experience with infrastructure either.

My Terraform has some errors, but my question is more about my approach.

Is there a better/easier/smarter way to write the same serverless yml in Terraform?

Maybe there are some modules that would make my life easier.

Terraform

# Trust policy: lets the Lambda service assume the role
data "aws_iam_policy_document" "lambda_invoke_function_role" {
  version = "2012-10-17"
  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # principals takes "type" and "identifiers", not "service"
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Lambda ec2: ENI permissions a VPC-attached function needs
data "aws_iam_policy_document" "ec2_lambda_policies_role" {
  version = "2012-10-17"
  statement {
    sid    = ""
    effect = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DetachNetworkInterface",
      "ec2:DeleteNetworkInterface"
    ]
    resources = ["*"] # "resources" is a list, not a string
  }
}

# Lambda allow invoke
data "aws_iam_policy_document" "allow_invoke_role" {
  version = "2012-10-17"
  statement {
    sid    = ""
    effect = "Allow"
    actions = [
      "lambda:InvokeFunction"
    ]
    resources = ["*"]
  }
}


# Lambda invoke function role
resource "aws_iam_role" "lambda_invoke_function_role" {
  name               = "lambdaRole"
  assume_role_policy = data.aws_iam_policy_document.lambda_invoke_function_role.json
}


# EC2 ##############################################################################
# aws_iam_policy has no assume_role_policy argument; the document goes in "policy"
resource "aws_iam_policy" "ec2_lambda_policies_policy" {
  name   = "ec2LambdaPolicy"
  policy = data.aws_iam_policy_document.ec2_lambda_policies_role.json
}

resource "aws_iam_role_policy_attachment" "ec2_lambda_policies_policy_attachment" {
  role       = aws_iam_role.lambda_invoke_function_role.name
  policy_arn = aws_iam_policy.ec2_lambda_policies_policy.arn
}
###############################################################################


# Allow Invoke #####################################################################
resource "aws_iam_policy" "allow_invoke_policy" {
  name   = "allowInvokePolicy"
  policy = data.aws_iam_policy_document.allow_invoke_role.json
}

resource "aws_iam_role_policy_attachment" "allow_invoke_policy_attachment" {
  role       = aws_iam_role.lambda_invoke_function_role.name
  policy_arn = aws_iam_policy.allow_invoke_policy.arn
}
###############################################################################


# AWS-managed policy: CloudWatch Logs permissions
resource "aws_iam_role_policy_attachment" "aws_lambda_basic_execution_role" {
  role       = aws_iam_role.lambda_invoke_function_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# AWS-managed policy: ENI permissions for VPC-attached functions
resource "aws_iam_role_policy_attachment" "aws_lambda_vpc_access_execution_role" {
  role       = aws_iam_role.lambda_invoke_function_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

Serverless YML (CloudFormation)

  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      Path: '/'
      RoleName: LambdaRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ec2LambdaPolicies
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DetachNetworkInterface
                  - ec2:DeleteNetworkInterface
                Resource: "*"
        - PolicyName: 'AllowInvoke'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: 'Allow'
                Action: 'lambda:InvokeFunction'
                Resource: '*'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

【Comments】:

  • Fair enough. I'll update the question.
  • I am running into errors. That's why I want to find a better approach. This seems like a very common thing to do, so why not reuse this stuff.
  • I did some research trying to find popular modules, but had no luck.
  • Removed anything related to the errors to avoid confusion.

Tags: amazon-web-services terraform amazon-cloudformation serverless-framework


【Answer 1】:

You may want to have a look at cf-to-tf, which converts CloudFormation into Terraform.

cf-to-tf --stack foobarbaz config | json2hcl | cf-to-tf clean-hcl | terraform fmt -

This imports your stack foobarbaz from AWS, converts it to Terraform and prints the result to stdout.

【Comments】:

  • I hadn't thought of something like this before. That's a great point, and it would even help me understand how my infrastructure should be set up in Terraform. I'll give it a try.
  • I have 400+ lines of CloudFormation to convert. Good shout.