我想使用 Terraform 为 AWS IAM 角色配置其承担角色策略。我已经将策略声明为 JSON 文件。
从文档中我了解到模块aws_iam_role是提供 IAM 角色的,但正如我从注释中读到的:
take_role_policy 与标准 IAM 策略非常相似但略有不同,并且不能使用 aws_iam_policy 资源。但是,它可以使用 aws_iam_policy_document 数据源。请参阅上面的示例了解其工作原理。
这意味着我根据aws_iam_policy_document语法严格遵守 IAM 策略声明(这本身要求我手动转换为另一种格式),但我不知道如何从 JSON 文件导入策略来创建 IAM 角色需要 - 背后的原因是该策略非常广泛,我希望它位于单独的 JSON 文件中。
任何人都可以建议如何使用 JSON 文件中声明的策略来声明 IAM 角色吗?
amazon-web-services amazon-iam terraform terraform-provider-aws
我有一个映射变量来标识现有的 s3 存储桶:
resource "aws_s3_bucket" "bucket" {
for_each = var.s3_replication
bucket = each.value.source
#other configuration
}
variable "s3_replication" {
description = "Map of buckets to replicate"
type = map
default = {
logs = {
source = "logs_bucket",
destination = "central_logs_bucket"
},
security = {
source = "cloudtrail_bucket",
destination = "central_security_bucket"
}
}
}
由于这些存储桶已经存在,我正在尝试导入它们,然后将配置应用于它们以更新资源。不幸的是,我无法弄清楚如何对这些进行地形导入。我试过了:
terraform import aws_s3_bucket.bucket["logs"] logs_bucket
terraform import aws_s3_bucket.bucket[logs] logs_bucket
terraform import aws_s3_bucket.bucket[0] logs_bucket
terraform import aws_s3_bucket.bucket[0].source logs_bucket
terraform import aws_s3_bucket.bucket[0[source]] logs_bucket
全部失败并出现不同的错误。关于如何导入地图上列出的现有资源有什么想法吗?
dictionary amazon-s3 amazon-web-services terraform terraform-provider-aws
我正在使用 Terraform 部署需要在 AWS SecretsManager 中保存机密的 lambda。
我有以下缩写的 lambda:
拉姆达
resource "aws_lambda_function" "thisThing" {
function_name = "functionName"
runtime = "python3.8"
handler = "thisThing.handler"
role = aws_iam_role.lambda_exec.arn
}
resource "aws_iam_role" "lambda_exec" {
name = "serverless_lambda"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "lambda.amazonaws.com"
}
}
]
})
}
resource "aws_iam_role_policy_attachment" "lambda_policy" {
role = aws_iam_role.lambda_exec.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
这是秘密
秘密
# Secrets
resource "aws_secretsmanager_secret" …amazon-web-services aws-lambda terraform terraform-provider-aws
我如何获取使用 for_each 创建的子网 ID 列表(需要在我的脚本底部):
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
}
provider "aws" {
region = "eu-west-1"
}
data "aws_availability_zones" "azs" {
state = "available"
}
locals {
az_names = data.aws_availability_zones.azs.names
}
variable "vpc_cidr" {
default = "10.0.0.0/16"
}
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
}
resource "aws_subnet" "private" {
for_each = {for idx, az_name in local.az_names: idx => az_name}
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 8, each.key) …我有一个需要限制为特定用户的存储桶,我编写了以下脚本,但它似乎仍然允许所有用户对该存储桶进行操作。
resource "aws_s3_bucket" "vulnerability-scans" {
bucket = "vulnerability-scans"
}
resource "aws_s3_bucket_policy" "vulnerability-scans" {
bucket = aws_s3_bucket.vulnerability-scans.id
policy = data.aws_iam_policy_document.vulnerability-scans.json
}
data "aws_iam_policy_document" "vulnerability-scans" {
statement {
principals {
type = "AWS"
identifiers = [
aws_iam_user.circleci.arn,
]
}
actions = [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
]
resources = [
aws_s3_bucket.vulnerability-scans.arn,
"${aws_s3_bucket.vulnerability-scans.arn}/*",
]
}
}
amazon-s3 amazon-web-services terraform terraform-provider-aws
我的设置是:Terraform --> AWS ec2
使用 Terraform 创建具有 SSH 访问权限的 ec2 实例。
这
resource "aws_instance" "inst1" {
instance_type = "t2.micro"
ami = data.aws_ami.ubuntu.id
key_name = "aws_key"
subnet_id = ...
user_data = file("./deploy/templates/user-data.sh")
vpc_security_group_ids = [
... ,
]
provisioner "file" {
source = "./deploy/templates/ec2-caller.sh"
destination = "/home/ubuntu/ec2-caller.sh"
}
provisioner "remote-exec" {
inline = [
"chmod +x /home/ubuntu/ec2-caller.sh",
]
}
connection {
type = "ssh"
host = self.public_ip
user = "ubuntu"
private_key = file("./keys/aws_key_enc")
timeout = "4m"
}
}
上述位有效,我可以看到配置程序复制并执行“ec2-caller.sh”。我不想将我的私钥以明文形式传递给 Terraform 配置程序。无论如何,我们是否可以在不使用配置程序或不将私钥传递给配置程序的情况下将文件复制到新创建的 …
amazon-ec2 amazon-web-services terraform terraform-provider-aws
我不太明白 terraform 目录是如何设置的,但我的目录似乎非常基本。尽管设置了空值,但它一直抱怨空值。有人可以看一下并告诉我可能是什么问题吗?
\n.tf 的片段:
\n
provider "aws" {\n region = var.region\n\n default_tags {\n tags = {\n source = "/home/ubuntu/bootcamp-terraform-master"\n owner_name = var.owner-name\n owner_email = var.owner-email\n purpose = var.purpose\n }\n }\n}\n\n\n// Resources\n\nresource "aws_instance" "zookeepers" {\n count = var.zk-count\n ami = var.aws-ami-id\n instance_type = var.zk-instance-type\n key_name = var.key-name\n\n root_block_device {\n volume_size = 100\n }\n\n tags = {\n Name = "${var.owner-name}-zookeeper-${count.index}"\n"bootcamp2.tf" 269L, 7806C 14,0-1 Top\nprovider "aws" {\n region = var.region\n\n default_tags {\n tags = {\n source = "/home/ubuntu/bootcamp-terraform-master"\n owner_name = var.owner-name\n …运行我的 TF 脚本来创建 AWS App Runner 服务时,我收到此错误:
InvalidRequestException: Error in assuming instance role arn:aws:iam::000000000000:role/MyAppRunnerServiceRole
我使用AppRunnerECRAccessRole作为参考创建了角色策略信任,它是由控制台自动生成的,但是使用它或我自己的下面我遇到了同样的问题。
Here's my TF code:
### IAM ###
resource "aws_iam_role" "app_runner" {
name = "MyAppRunnerServiceRole"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "build.apprunner.amazonaws.com"
}
},
]
})
}
resource "aws_iam_role_policy_attachment" "app_runner" {
role = aws_iam_role.app_runner.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}
### App Runner ###
resource "aws_apprunner_service" "main" { …amazon-web-services amazon-iam terraform terraform-provider-aws amazon-app-runner
我是地形新手。我正在尝试使用 AWS IAM Identity Center,但找不到解决方案。
上下文 - 我有一个目录服务 - example.com 和 EC2 上的 Active Directory(域加入已完成)以及我的用户和组。(到目前为止已使用 terraform 实现了这一点)。现在,我想将这些用户和组引入 AWS IAM 身份中心并创建新的权限集并将其分配给 AWS 账户。
目标 - 我想要设置和配置 AWS IAM Identity Center,并从 AWS 目录服务导入/同步用户和组,创建权限集并将其分配给帐户,所有这些都使用 terraform。
amazon-web-services amazon-iam terraform terraform-provider-aws