terraform, s3 bucket policy

Geo*_*oss 2 amazon-s3 terraform

I am using this module https://github.com/turnerlabs/terraform-s3-user to create some s3 buckets and their associated iam users.

This works fine:

module "my_bucket" {
  source = "github.com/turnerlabs/terraform-s3-user?ref=v2.1"

  bucket_name = "my-bucket"

  tag_team          = "developers"
  tag_contact-email = "xxxxx"
  tag_application   = "xxxxx"
  tag_environment   = "prod"
  tag_customer      = "xxxxx"
}

Now I want to fix the default policy of the s3 bucket created by this module.

terraform show gives me this:

module.my_bucket.aws_s3_bucket_policy.bucket_policy:
  id = my-bucket
  bucket = my-bucket
  policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::____________:user/srv_my-bucket"
      },
      "Action": [ "s3:*" ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

How should I modify my .tf to get a different policy?

Nag*_*gev 6

I like to use IAM roles. For example, if you use kubernetes, you can assign an IAM role to your pod.

The basic example below shows how to grant read permissions on S3 buckets. The values are hard-coded for simplicity, but it is better to use proper variables.

# Inline policy attached to an existing IAM role; the document below is rendered to JSON.
resource "aws_iam_role_policy" "my-s3-read-policy" {
  name   = "inline-policy-name-that-will-show-on-aws"
  role   = "some-existing-iam-role-name"
  policy = data.aws_iam_policy_document.s3_read_permissions.json
}

# Read-only actions: ListBucket applies to the bucket ARN, GetObject* to the object ARNs (bucket/*).
data "aws_iam_policy_document" "s3_read_permissions" {
  statement {
    effect = "Allow"

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::my-bucket-1",
      "arn:aws:s3:::my-bucket-1/*",
      "arn:aws:s3:::my-bucket-2",
      "arn:aws:s3:::my-bucket-2/*",
    ]
  }
}

You can do a targeted plan as follows:

terraform plan -target=aws_iam_role_policy.my-s3-read-policy

This outputs:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role_policy.my-s3-read-policy will be created
  + resource "aws_iam_role_policy" "my-s3-read-policy" {
      + id     = (known after apply)
      + name   = "inline-policy-name-that-will-show-on-aws"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::mybucket-2/*",
                          + "arn:aws:s3:::my-bucket-2",
                          + "arn:aws:s3:::my-bucket-1/*",
                          + "arn:aws:s3:::my-bucket-1",
                        ]
                      + Sid      = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role   = "some-existing-iam-role-name"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
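The question itself was about replacing the module's default bucket policy, which grants `s3:*` to the service user. The following is an added example, not code from the question, the answer or the turnerlabs module, showing what a scoped-down bucket policy for that user looks like with the standard `aws_iam_policy_document` and `aws_s3_bucket_policy` resources. It assumes the bucket `my-bucket` and the user `srv_my-bucket` from the `terraform show` output above; the account id is a placeholder, and the `sid` names are chosen here.

```hcl
# Added example (not from the original post or the turnerlabs module).
# Assumes bucket "my-bucket" and IAM user "srv_my-bucket" already exist.

variable "account_id" {
  description = "AWS account id (placeholder, replace with your own)"
  type        = string
  default     = "000000000000"
}

locals {
  bucket_name = "my-bucket"
  bucket_arn  = "arn:aws:s3:::${local.bucket_name}"
  user_arn    = "arn:aws:iam::${var.account_id}:user/srv_my-bucket"
}

data "aws_iam_policy_document" "bucket" {
  # Object-level read/write only: no bucket-level admin actions such as
  # s3:PutBucketPolicy or s3:DeleteBucket, which s3:* would have included.
  statement {
    sid    = "AppObjectAccess"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [local.user_arn]
    }
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${local.bucket_arn}/*"]
  }

  # ListBucket is a bucket-level action, so it needs the bucket ARN, not bucket/*.
  statement {
    sid    = "AppListBucket"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [local.user_arn]
    }
    actions   = ["s3:ListBucket"]
    resources = [local.bucket_arn]
  }

  # Refuse any request that is not sent over TLS, whoever the caller is.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:*"]
    resources = [local.bucket_arn, "${local.bucket_arn}/*"]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "bucket" {
  bucket = local.bucket_name
  policy = data.aws_iam_policy_document.bucket.json
}
```

One caveat: an S3 bucket holds exactly one bucket policy. The module already manages `module.my_bucket.aws_s3_bucket_policy.bucket_policy` for this bucket, so a second `aws_s3_bucket_policy` resource in the root module would overwrite it and the two would keep reverting each other on every apply. The policy above therefore has to replace the module's policy resource (for example by forking the module or taking the bucket policy out of it), not sit next to it.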