那些遇到过的问题

如何解决错误:使用 IAM 角色时在 Terraform 中循环

gof*_*160 0 amazon-web-services terraform

我有一个 aws_scheduler_schedule,计划每分钟向 Lambda 函数发送一条消息,如下所示:

resource "aws_scheduler_schedule" "event_scheduler" {
  name       = "${var.environment}-${var.account_name}-${var.service_name}-scheduler"

  flexible_time_window {
    mode = "OFF"
  }

  schedule_expression = "rate(1 minute)"

  target {
    arn      = var.lambda_arn
    role_arn = aws_iam_role.iam_for_eventbridge.arn

    input = jsonencode({
      MessageBody = "check_expired"
    })
  }
}
Run Code Online (Sandbox Code Playgroud)

我想限制 aws_scheduler_schedule 的 aws_iam_role,这样它只允许上述调度程序进行 sts:AssumeRole。这是我的 aws_iam_role 代码:

resource "aws_iam_role" "iam_for_eventbridge" {
  name                = "${var.environment}-${var.account_name}-${var.service_name}-eventbridge-role"
  assume_role_policy  = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "scheduler.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "ArnEquals": {
                "aws:SourceArn": "${aws_scheduler_schedule.event_scheduler.arn}"
            }
        }
    ]
}
EOF
}
Run Code Online (Sandbox Code Playgroud)

我收到此错误:

错误:周期:aws_scheduler_schedule.event_scheduler、aws_iam_role.iam_for_eventbridge

我理解这是因为角色需要调度程序而调度程序需要角色。我如何实现限制?

Unb*_*ess 5

这是一个常见问题,可以通过为 IAM 角色名称创建变量来解决:

data "aws_caller_identity" "current" {}

locals {
  role_name = "${var.environment}-${var.account_name}-${var.service_name}-eventbridge-role"
  role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.role_name}"
}

resource "aws_scheduler_schedule" "event_scheduler" {
  name       = "${var.environment}-${var.account_name}-${var.service_name}-scheduler"

  flexible_time_window {
    mode = "OFF"
  }

  schedule_expression = "rate(1 minute)"

  target {
    arn      = var.lambda_arn
    role_arn = local.role_arn

    input = jsonencode({
      MessageBody = "check_expired"
    })
  }
}

resource "aws_iam_role" "iam_for_eventbridge" {
  name                = local.role_name
  assume_role_policy  = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "scheduler.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "ArnEquals": {
                "iam:AssociatedResourceARN": [
                    "${aws_scheduler_schedule.event_scheduler.arn}"
                ]
            }
        }
    ]
}
EOF
}
Run Code Online (Sandbox Code Playgroud)

归档时间:

查看次数:

300 次

最近记录:

1 年,9 月 前
相关归档
API网关的自定义域返回403 22
使用boto3将文件上传到S3时,file_upload()和put_object()之间的区别是什么 21
我正在尝试将Bitbucket集成到AWS Code Pipeline中?什么是最好的方法? 20
意外令牌 { ../node_modules/fs-extra/lib/mkdirs/make-dir.js:85 } catch { 20
't2.micro'类型的实例需要虚拟化类型'hvm' 15
从AWS Lambda发布到SNS时超时 9
如何在 Terraform 条件中格式化字符串? 8
Amazon Redshift 的 JDBC 驱动程序与 Python 适配器之间的区别 6
Cloudwatch Insights 在多行日志中搜索 5
Terraform - AzureDataLake 创建错误未能响应请求:StatusCode=403 3
难疑归档
不区分大小写'包含(字符串)' 2785
"最小的惊讶"和可变的默认论证 2458
如何将列表拆分为大小均匀的块? 2068
如何在不安装Ms Office的情况下在C#中创建Excel(.XLS和.XLSX)文件? 1804
为什么在C++中读取stdin的行比Python要慢得多? 1738
我如何递归grep? 1619
如何将堆栈跟踪转换为字符串? 1435
如何从我的应用程序中在Android的Web浏览器中打开URL? 1282
简单的面试问题变得更难:给出数字1..100,找到丢失的数字 1115
获取插入行的标识的最佳方法是什么? 1056