Tags: amazon-web-services, terraform, terraform-provider-aws, aws-policies, terraform-aws-modules
I am trying to create a Step Function with Terraform. First I create a policy and attach it to the existing role processing_lambda_role.
resource "aws_iam_role_policy" "sfn_policy" {
  policy = jsonencode(
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "states.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction",
        "lambda:InvokeAsync"
      ],
      "Resource": "*"
    }
  ]
}
  )
  role = aws_iam_role.processing_lambda_role.id
}


resource "aws_sfn_state_machine" "sfn_state_machine" {
  name     = local.step_function_name
  role_arn = aws_iam_role.processing_lambda_role.arn

  definition = <<EOF
{
  "Comment": "Get Incoming Files",
  "StartAt": "GetIncomingFiles",
  "States": {
    "GetIncomingFiles": {
      "Type": "Task",
      "Resource": "${aws_lambda_function.get_incoming_lambda.arn}",
      "ResultPath": "$.Output",
      "End": true
    }
  }
}
EOF
}
I get this error:

Error: Error putting IAM role policy terraform-20211117095209110000000005: MalformedPolicyDocument: Policy document should not specify a principal.
│ status code: 400, request id: 1dd8ac18-a514-4ef3-93ae-91383e5baa07
│
│ with module.ingest_system["ems"].aws_iam_role_policy.sfn_policy,
│ on ../../modules/ingest_system/step_function.tf line 1, in resource "aws_iam_role_policy" "sfn_policy":
│ 1: resource "aws_iam_role_policy" "sfn_policy" {

This is how the role was originally defined:

resource "aws_iam_role" "processing_lambda_role" {
  name = local.processing_lambda_role_name
  path = "/service-role/"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "lambda.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}
sts:AssumeRole should be in the role's assume_role_policy. For example, if you want to create an sfn_role for your sfn, then:
resource "aws_iam_role" "sfn_role" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "states.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy" "sfn_policy" {
  policy = jsonencode(
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "lambda:InvokeAsync"
          ],
          "Resource": "*"
        }
      ]
    }
  )
  role = aws_iam_role.sfn_role.id
}

resource "aws_sfn_state_machine" "sfn_state_machine" {
  name     = local.step_function_name
  role_arn = aws_iam_role.sfn_role.arn
  # ....
}
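As an added check (not code from the question or the answer), a small Python linter that tells the two document kinds apart before Terraform sends them to IAM: a permissions policy attached with aws_iam_role_policy must not carry a Principal (the MalformedPolicyDocument error above), while the role's assume_role_policy must trust the service that will actually assume it, which is why the answer gives the state machine its own role rather than reusing the Lambda-trusting processing_lambda_role. The two sample documents are constructed from the question's HCL.

```python
# Constructed sample: the question's aws_iam_role_policy document, which wrongly
# carries a trust-policy statement (Principal + sts:AssumeRole) next to permissions.
ROLE_POLICY_WITH_PRINCIPAL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "states.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["lambda:InvokeFunction", "lambda:InvokeAsync"], "Resource": "*"},
    ],
}

# Constructed sample: the trust policy of processing_lambda_role from the question,
# which trusts Lambda but not Step Functions.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    # IAM allows a single string or a list in Statement, Action and Service.
    return value if isinstance(value, list) else [value]


def check_permissions_policy(doc):
    """Lint a permissions (identity-based) policy: IAM rejects any Principal here."""
    problems = []
    for i, st in enumerate(_as_list(doc["Statement"])):
        if "Principal" in st or "NotPrincipal" in st:
            problems.append(f"statement {i}: permissions policy must not specify a principal")
    return problems


def check_trust_policy(doc, service):
    """Verify a trust (assume_role_policy) document lets `service` call sts:AssumeRole."""
    for st in _as_list(doc["Statement"]):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", []))
                and service in services):
            return []
    return [f"no Allow sts:AssumeRole statement for {service}"]


def split_misplaced_trust_statements(doc):
    """Separate a mixed document into (trust policy, permissions policy), as the answer does."""
    statements = _as_list(doc["Statement"])
    trust = [st for st in statements if "Principal" in st]
    perms = [st for st in statements if "Principal" not in st]
    return ({"Version": doc["Version"], "Statement": trust},
            {"Version": doc["Version"], "Statement": perms})
```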