Pra*_*rma 10 amazon-web-services amazon-iam terraform
我想将多个IAM策略ARN附加到单个IAM角色.
一种方法是创建具有所有策略(多个策略)特权的新策略.
但在AWS,我们有一些预定义的IAM策略,例如AmazonEC2FullAccess,AmazomS3FullAccess等我想用它们的组合为我的角色.
我在Terraform文档中找不到这样做的方法.
根据文档,我们可以使用aws_iam_role_policy_attachment将策略附加到角色,但不能将多个策略附加到角色,因为这可以通过AWS控制台获得.
如果有方法可以做同样的事情,或者它仍然是要添加的功能,请告诉我.
我使用的Terraform版本是 v0.9.5
Fal*_*zky 25
对于 Terraform 版本 >= 0.12,添加多个策略的最简洁方法可能是这样的:
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
for_each = toset([
"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess"
])
role = var.iam_role_name
policy_arn = each.value
}
如 Pranshu Verma 的回答所述,策略列表也可以放入变量中。
使用for_eachforcount的优点是,列表中的插入被 terraform 正确识别,因此它实际上只会添加一个策略,而 count 插入后的所有策略都将被更改(此博客文章中对此进行了详细描述)
Pra*_*rma 17
谢谢Krishna Kumar R的提示.
我从你的回答中得到了更好的回答.
# Define policy ARNs as list
variable "iam_policy_arn" {
description = "IAM Policy to be attached to role"
type = "list"
}
# Then parse through the list using count
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
role = "${var.iam_role_name}"
count = "${length(var.iam_policy_arn)}"
policy_arn = "${var.iam_policy_arn[count.index]}"
}
你尝试过这样的事情:
resource "aws_iam_role" "iam_role_name" {
name = "iam_role_name"
}
resource "aws_iam_role_policy_attachment" "mgd_pol_1" {
name = "mgd_pol_attach_name"
role = "${aws_iam_role.iam_role_name.name}"
policy_arn = "${aws_iam_policy.mgd_pol_1.arn}"
}
resource "aws_iam_role_policy_attachment" "mgd_pol_2" {
name = "mgd_pol_attach_name"
role = "${aws_iam_role.iam_role_name.name}"
policy_arn = "${aws_iam_policy.mgd_pol_2.arn}"
}
| 归档时间: |
|
| 查看次数: |
12016 次 |
| 最近记录: |