mel*_*ous 5 terraform terraform-provider-aws
我想将托管 IAM 策略 ARN(如AmazomS3FullAccess)和内联/自定义 IAM 策略(在 terraform 文件中以 JSON 编写)附加到单个 IAM 角色。
通过使用,aws_iam_role_policy_attachment我只能附加一项保单,如何附加两项保单?
variables.tf
------------
variable "iam_policy_arn" {
description = "IAM Policy to be attached to role"
type = list(string)
default = ["arn:aws:iam::aws:policy/AWSLambdaFullAccess", "arn:aws:iam::aws:policy/AmazonSSMFullAccess", "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"]
}
main.tf
-------
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = <<-EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"ec2.amazonaws.com"
},
"Action":"sts:AssumeRole"
},
{
"Effect":"Allow",
"Principal":{
"Service":"sagemaker.amazonaws.com",
"AWS":"*"
},
"Action":"sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "role_policy_attachment" {
role = "${aws_iam_role.test_role.name}"
count = "${length(var.iam_policy_arn)}"
policy_arn = "${element(var.iam_policy_arn,count.index)}"
}
resource "aws_iam_instance_profile" "test_profile" {
name = "test_profile"
role = "${aws_iam_role.test_role.name}"
}
现在我想将如下所示的自定义策略附加到该角色
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = aws_iam_role.test_role.id
policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
如何将托管 IAM 策略和自定义 IAM 策略附加到 IAM 角色?
我能够使用以下代码将托管 IAM 策略和内联/自定义 IAM 策略附加到 IAM 角色。
# variables.tf
variable "cloudwatch_lambda_iam_policy_arn" {
type = list(string)
description = "IAM Policy to be attached to AWS CloudWatch Lambda role"
default = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/AWSLambdaExecute", "arn:aws:iam::aws:policy/AmazonCloudDirectoryFullAccess", "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
}
#------------------------------------------------------------
# lambda.tf
resource "aws_iam_role" "awsmetrics_exec_role" {
name = "awsmetrics-exec-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
# custom/inline policy
resource "aws_iam_role_policy" "sts_assumerole_lambda" {
name = "sts-assumerole-lambda"
role = aws_iam_role.awsmetrics_exec_role.id
policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:DecodeAuthorizationMessage",
"sts:AssumeRoleWithSAML",
"sts:AssumeRoleWithWebIdentity"
],
"Resource": "*"
}
]
}
EOF
}
# AWS managed policies
resource "aws_iam_role_policy_attachment" "awsmetrics_role_policy_attachment" {
role = aws_iam_role.awsmetrics_exec_role.name
count = length(var.cloudwatch_lambda_iam_policy_arn)
policy_arn = element(var.cloudwatch_lambda_iam_policy_arn, count.index)
}
| 归档时间: |
|
| 查看次数: |
11053 次 |
| 最近记录: |