Sas*_*432 7 amazon-web-services terraform
如何在“资源”部分转义包含 ${aws:username} 的 HCL 字符串?
我目前使用 Terraform 0.9.9 版通过以下方式在 main.tf 文件中创建 AWS 策略:
resource "aws_iam_group_policy" "AllowIndividualUserToSeeTheirAccountInformation" {
name = "AllowIndividualUserToSeeTheirAccountInformation"
group = "${aws_iam_group.pr_faas_developers.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile"
],
"Effect": "Allow",
"Resource":
[
"arn:aws:iam::XXXXXXXXX:user/${aws:username}"
]
}
]
}
EOF
}
这样做时,Terraform 尝试进行插值${aws:username}并且 terraform 将失败,如下所示
terraform.exe plan
Failed to load root config module: Error loading D:\amazonaws-root-master\main.t
f: Error reading config for aws_iam_group_policy[AllowIndividualUserToSeeTheirAc
countInformation]: parse error at 17:51: expected "}" but found ":"
当我按如下方式转义资源字符串时:
"Resource":
[
"arn:aws:iam::XXXXXXXXX:user/\\$\\{aws\\:username\\}"
]
"terraform plan"并且"terraform apply"会正常工作,但 AWS 显示策略中的结果是:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile"
],
"Effect": "Allow",
"Resource":
[
"arn:aws:iam::XXXXXXXXX:user/\\$\\{aws:username\\}"
]
}
]
}
这与预期的结果不同:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:ChangePassword",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile"
],
"Effect": "Allow",
"Resource":
[
"arn:aws:iam::XXXXXXXXX:user/${aws:username}"
]
}
]
}
是否有任何解决方案可以"arn:aws:iam::XXXXXXXXX:user/${aws:username}"在 terraform main.tf 文件中逃脱以获得所需的结果?
BMW*_*BMW 10
你可以用双美元修理它 $$
参考:
您可以使用双美元符号来逃避插值:$${foo} 将呈现为文字 ${foo}。
https://github.com/hashicorp/terraform/issues/2965
| 归档时间: |
|
| 查看次数: |
2355 次 |
| 最近记录: |