Terraform - 将策略附加到 s3 存储桶

【问题标题】:Terraform - attach policy to s3 bucketTerraform - 将策略附加到 s3 存储桶
【发布时间】:2019-05-15 03:53:02
【问题描述】:

我创建了一个较早的帖子来解决在不尝试复制代码的情况下创建多个 s3 存储桶的问题。效果很好!

Terraform - creating multiple buckets

aws_iam_policy 如下所示:

resource "aws_iam_policy" "user_policy" {
  count         = "${length(var.s3_bucket_name)}"
  name          = "UserPolicy"

policy                    = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutObjectTagging",
"s3:GetObjectTagging",
"s3:DeleteObjectTagging"
],
"Resource": [
"arn:aws:s3:::${var.s3_bucket_name[count.index]}",
"arn:aws:s3:::${var.s3_bucket_name[count.index]}/*"
]
}
]
}
EOF
}

这是我附加政策的方式:

resource "aws_iam_user_policy_attachment" "user_policy_attach" {
    user       = "${aws_iam_user.user.name}"
    policy_arn = "${aws_iam_policy.user_policy.arn}"
}

不幸的是,附加 IAM 用户策略会给我一个错误,因为它必须遍历索引:

Resource 'aws_iam_policy.user_policy' not found for variable 'aws_iam_policy.user_policy.arn'

【问题讨论】:

    标签: amazon-web-services amazon-s3 terraform


    【解决方案1】:

    我认为您不能像这样在策略中内联变量。相反,您需要创建一个template_file,并将模板的结果提供给策略。

    这将为每个存储桶创建一个策略(名称取自上一个问题)

    • UserPolicy-prod_bucket
    • UserPolicy-stage-bucket
    • UserPolicy-qa-bucket

    然后,您需要再次使用 count 将每个策略附加到 aws_iam_user.user.name。像这样

    data "template_file" "policy" {
  count = "${length(var.s3_bucket_name)}"

  template = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:DeleteObjectTagging" ],
      "Resource": [
        "arn:aws:s3:::$${bucket}",
        "arn:aws:s3:::$${bucket}/*"
      ]
    }
  ]
}
EOF

  vars {
    bucket = "${var.s3_bucket_name[count.index]}"
  }
}

resource "aws_iam_policy" "user_policy" {
  count = "${length(var.s3_bucket_name)}"
  name  = "UserPolicy-${element(var.s3_bucket_name, count.index)}"

  policy = "${element(data.template_file.policy.*.rendered, count.index)}"
}

resource "aws_iam_user_policy_attachment" "user_policy_attach" {
  count      = "${length(var.s3_bucket_name)}"
  user       = "${aws_iam_user.user.name}"
  policy_arn = "${element(aws_iam_policy.user_policy.*.arn, count.index)}"
}

    【讨论】:

    • 使用policy = "${template_file.policy[count.index]}" 访问"aws_iam_policy" "user_policy" 中的策略不起作用resource variables must be three parts: TYPE.NAME.ATTR in: ${template_file.policy[count.index]}
    • 哎呀。忘了.rendered
    • 在你提到之前我试过了,我得到了Error reading config for aws_iam_policy[user_policy]: parse error at 1:36: expected "}" but found "."
    猜你喜欢
    • 1970-01-01
    • 2020-11-05
    • 2021-04-04
    • 1970-01-01
    • 2021-08-14
    • 2022-11-03
    • 2011-09-10
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode