【发布时间】:2022-01-16 21:03:02
【问题描述】:
我有以下变量
variable "policies" {
type = list(string)
description = "List of policy document to attach to the IAM Role."
default = []
}
variable "policy_name" {
type = string
description = "Name of the policy attached to the IAM Role."
default = null
}
variable "policy_description" {
type = string
description = "Description of the policy attached to the IAM Role."
default = ""
}
由以下 Terraform 资源使用:
resource "aws_iam_role" "this" {
name = var.role_name
assume_role_policy = var.assume_role_policy
}
data "aws_iam_policy_document" "this" {
count = var.policies != [] ? 1 : 0
source_policy_documents = var.policies
}
resource "aws_iam_policy" "this" {
count = var.policies != [] ? 1 : 0
name = var.policy_name
description = var.policy_description
policy = data.aws_iam_policy_document.this[count.index].json
}
resource "aws_iam_role_policy_attachment" "this" {
count = var.policies != [] ? 1 : 0
policy_arn = aws_iam_policy.this[count.index].arn
role = aws_iam_role.this.name
}
现在,我的理解是 aws_iam_policy_document、aws_iam_policy 和 aws_iam_role_policy_attachment 只有在 var.policies 不为空时才会创建。
但是,这些资源在调用它们时仍然是计划创建的
module "iam_role_batch" {
source = "./resources/iam/role"
role_name = local.iam_role_batch_service_name
assume_role_policy = data.aws_iam_policy_document.batch_service.json
}
# module.iam_role_batch.aws_iam_policy.this[0] will be created
+ resource "aws_iam_policy" "this" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
+ path = "/"
+ policy = jsonencode(
{
+ Statement = null
+ Version = "2012-10-17"
}
)
+ policy_id = (known after apply)
+ tags_all = (known after apply)
}
# module.iam_role_batch.aws_iam_role_policy_attachment.this[0] will be created
+ resource "aws_iam_role_policy_attachment" "this" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "xxxxxxx"
}
Plan: 2 to add, 0 to change, 0 to destroy.
为什么? AFAIK,policies 默认设置为[],因此不应计划创建资源。
我错过了什么?
【问题讨论】:
标签: amazon-web-services terraform terraform-provider-aws