I am trying to use Terraform to create a data role in three AWS environments. One is a role in the root account. That role can be used to log in to AWS and then assume the data role in production and staging. This works fine; it uses a separate module.
I run into problems when trying to create the roles in production and staging from a module. My module looks like this, main.tf:
resource "aws_iam_role" "this" {
  name               = "${var.name}"
  description        = "${format("%s (managed by Terraform)", var.policy_description)}"
  assume_role_policy = "${length(var.custom_principals) == 0 ? data.aws_iam_policy_document.assume_role.json : data.aws_iam_policy_document.assume_role_custom_principals.json}"
}

resource "aws_iam_policy" "this" {
  name        = "${var.name}"
  description = "${format("%s (managed by Terraform)", var.policy_description)}"
  policy      = "${var.policy}"
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:root"]
    }
  }
}

data "aws_iam_policy_document" "assume_role_custom_principals" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type = "AWS"

      identifiers = [
        "${var.custom_principals}",
      ]
    }
  }
}

resource "aws_iam_role_policy_attachment" "this" {
  role       = "${aws_iam_role.this.name}"
  policy_arn = "${aws_iam_policy.this.arn}"
}
and output.tf contains the following:
output "role_name" {
  value = "${aws_iam_role.this.name}"
}
Next, I try to use that module to create two roles, one in production and one in staging. main.tf:
module "data_role" {
  source             = "../tf_data_role"
  account_id         = "${var.account_id}"
  name               = "data"
  policy_description = "Role for data engineers"

  custom_principals = [
    "arn:aws:iam::${var.master_account_id}:root",
  ]

  policy = "${data.aws_iam_policy_document.data_access.json}"
}
Then I try to attach AWS managed policies like this:
resource "aws_iam_role_policy_attachment" "data_readonly_access" {
  role       = "${module.data_role.role_name}"
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "data_redshift_full_access" {
  role       = "${module.data_role.role_name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRedshiftFullAccess"
}
The problem I have is that when I run this, the two policies above are not attached in staging but in the root account. How do I fix this so that the policies are attached in staging?
Answer 0 (score: 0)
From your question I will assume that staging is its own AWS account, separate from your root account. From the Terraform docs:
"You can define multiple configurations for the same provider in order to support multiple regions, multiple hosts, etc."
This also applies to creating resources in multiple AWS accounts. To create Terraform resources in two AWS accounts, follow these steps.
In your entrypoint main.tf, define the aws providers for the accounts you want to target:
# your normal provider targeting your root account
provider "aws" {
  version = "1.40"
  region  = "us-east-1"
}

provider "aws" {
  version = "1.40"
  region  = "us-east-1"
  alias   = "staging" # define custom alias

  # either use an assumed role or allowed_account_ids to target another account
  assume_role {
    role_arn = "arn:aws:iam::STAGINGACCOUNTNUMBER:role/Staging"
  }
}
(Note: the role ARN must already exist, and your current AWS credentials must have permission to assume it.)
To use them in your module, call your module like this:
module "data_role" {
  source = "../tf_data_role"

  providers = {
    "aws.staging" = "aws.staging"
    "aws"         = "aws"
  }

  account_id = "${var.account_id}"
  name       = "data"
  ... remainder of module
}
and define the providers inside the module like this:
provider "aws" {
  alias = "staging"
}

provider "aws" {}
Now, when you declare resources in the module, you can specify which AWS provider (and therefore which account) each resource is created in, e.g.
resource "aws_iam_role" "this" {
  provider           = "aws.staging" # this aws_iam_role will be created in your staging account
  name               = "${var.name}"
  description        = "${format("%s (managed by Terraform)", var.policy_description)}"
  assume_role_policy = "${length(var.custom_principals) == 0 ? data.aws_iam_policy_document.assume_role.json : data.aws_iam_policy_document.assume_role_custom_principals.json}"
}

resource "aws_iam_policy" "this" {
  # no explicit provider is set here so it will use the "default" (un-aliased) aws provider and create this aws_iam_policy in your root account
  name        = "${var.name}"
  description = "${format("%s (managed by Terraform)", var.policy_description)}"
  policy      = "${var.policy}"
}