aws_iam_policy 和 aws_iam_role_policy 之间的区别
Mat*_*t W 20 amazon-web-services amazon-iam terraform-provider-aws terraform0.14.7
我有一个aws_iam_role想要添加策略的项目。通常,我会创建一个策略aws_iam_role并将其附加到角色aws_iam_role_policy_attachment。
然而,我看过一些文档,aws_iam_role_policy在我看来,它似乎做了同样的事情。
我是正确的还是我错过了细微的差别?
sam*_*ler 28
区别在于托管策略和内联策略
当您创建 时aws_iam_policy,它就是一个托管策略并且可以重复使用。
当您创建一个aws_iam_role_policy内联策略时
对于给定角色,aws_iam_role_policy
aws_iam_role资源与使用资源参数不兼容inline_policy。当使用该参数和该资源时,两者都将尝试管理角色的内联策略,并且 Terraform 将显示永久差异。
重现上述状态的代码
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = aws_iam_role.test_role.id
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "ec2.amazonaws.com"
}
},
]
})
}
resource "aws_iam_role" "role" {
name = "test-role1"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = aws_iam_role.role.name
policy_arn = aws_iam_policy.policy.arn
}
| 归档时间: |
|
| 查看次数: |
11000 次 |
| 最近记录: |