Terraform：AWS Redshift IAM 角色

Question

我正在尝试设置一个 redshift 集群和一个有权访问该集群的 IAM 角色。我为此使用 terraform。根据documentation，我需要创建一个服务角色并将 AmazonS3ReadOnlyAccess 策略附加到它。我的 terraform 脚本中有以下配置：

resource "aws_iam_role" "my_admin_role" {
  name = "my-role"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "redshift:*"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

但是这给了我一个错误：

错误：

  * aws_iam_role.my_admin_role: "assume_role_policy": required field is not set
  * aws_iam_role.my_admin_role: : invalid or unknown key: policy

如何为 redshift 设置服务角色？

Answer 1

你混合资源aws_iam_role和aws_iam_role_policy

资源aws_iam_role的使用示例

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

资源aws_iam_role_policy的使用示例

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = "${aws_iam_role.test_role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}