Invalid principal in policy

Time: 2016-06-03 13:37:10

Tags: amazon-web-services terraform

Whenever I run the following terraform file for the first time, I get the error:

Error creating IAM Role SecurityMonkey: MalformedPolicyDocument: Invalid principal in policy: "AWS".

However, when I run the code a second time it successfully creates the assume-role object. It seems to me there is some problem with the dependency between role A and role B. As a remedy I even put a depends_on statement on role A, but no luck.

SecurityMonkeyInstanceProfile

Here you can see my TF code.

resource "aws_iam_role" "SecurityMonkey" {
  name               = "SecurityMonkey"
  depends_on         = ["aws_iam_role.SecurityMonkeyInstanceProfile"]
  path               = "/"
  assume_role_policy = <<POLICY
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountID>:role/SecurityMonkeyInstanceProfile"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}


resource "aws_iam_role" "SecurityMonkeyInstanceProfile" {
  name               = "SecurityMonkeyInstanceProfile"
  path               = "/"
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

Error on the first run.

aws_iam_role.SecurityMonkey: Error creating IAM Role SecurityMonkey: MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::<AccountID>:role/SecurityMonkeyInstanceProfile"
    status code: 400, request id: 0810c923-28dd-11e6-af5d-47689d50861a

No error on the second run.

terraform apply  -var-file=../../aws.tfvars
aws_iam_role.SecurityMonkeyInstanceProfile: Refreshing state... (ID: SecurityMonkeyInstanceProfile)
aws_iam_role.SecurityMonkey: Creating...
  arn:                "" => "<computed>"
  assume_role_policy: "" => "{\n  \"Version\": \"2008-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"\",\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::<AccountID>:role/SecurityMonkeyInstanceProfile\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}\n"
  name:               "" => "SecurityMonkey"
  path:               "" => "/"
  unique_id:          "" => "<computed>"
aws_iam_role.SecurityMonkey: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Apparently the resources are created in the correct order, but there seems to be some kind of timeout that prevents the SecurityMonkeyInstanceProfile role from being discovered by the SecurityMonkey role. Almost a chicken-and-egg problem.

Any hints?

1 answer:

Answer 0 (score: 0)

Which terraform version are you running?

If it is already the latest version, then my guess is that the time gap between the two resources is too short: the API system does not have enough time to report the new resource SecurityMonkeyInstanceProfile before the creation of the second resource has already followed.

Try adding a sleep and let me know whether this solves your problem.

resource "aws_iam_role" "SecurityMonkeyInstanceProfile" {
  ...
  provisioner "local-exec" {
    command = "sleep 10"
  }
}

Reference bug report: https://github.com/hashicorp/terraform/issues/1885
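As an added example (not code from the question or the answer), the following Python retry wrapper shows the more targeted alternative to a fixed sleep: it retries create_role with exponential backoff, but only when IAM answers with MalformedPolicyDocument "Invalid principal", which is how IAM's eventual consistency surfaces for a principal ARN created moments earlier. IamError and FakeIam are constructed stand-ins for botocore's ClientError and boto3's IAM client so it runs offline; the account id is a placeholder.

```python
import json
import time

# Constructed stand-in for botocore.exceptions.ClientError so the example runs
# offline; a real ClientError carries the same fields under
# err.response["Error"]["Code"] and err.response["Error"]["Message"].
class IamError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code, self.message = code, message

def is_iam_propagation_error(code, message):
    """IAM is eventually consistent: a principal created moments ago may not
    resolve yet, and IAM reports that as MalformedPolicyDocument 'Invalid
    principal'. Only that combination is safe to retry; any other policy error
    is a real defect in the trust policy and must surface immediately."""
    return code == "MalformedPolicyDocument" and "Invalid principal" in message

def create_role_with_retry(iam, name, trust_policy, attempts=6, base_delay=1.0,
                           sleep=time.sleep):
    """Call iam.create_role, retrying with exponential backoff (1s, 2s, 4s, ...)
    only on the propagation error above. Returns (response, attempts_used)."""
    doc = json.dumps(trust_policy)
    for n in range(1, attempts + 1):
        try:
            return iam.create_role(RoleName=name, AssumeRolePolicyDocument=doc), n
        except IamError as err:
            if not is_iam_propagation_error(err.code, err.message) or n == attempts:
                raise
            sleep(base_delay * 2 ** (n - 1))

# Constructed fake IAM client: the principal ARN becomes resolvable only after
# `visible_after` create_role calls, mimicking the first-apply failure above.
class FakeIam:
    def __init__(self, principal_arn, visible_after):
        self.principal_arn, self.visible_after, self.calls = principal_arn, visible_after, 0
    def create_role(self, RoleName, AssumeRolePolicyDocument):
        self.calls += 1
        principal = json.loads(AssumeRolePolicyDocument)["Statement"][0]["Principal"]["AWS"]
        if principal == self.principal_arn and self.calls <= self.visible_after:
            raise IamError("MalformedPolicyDocument",
                           f'Invalid principal in policy: "AWS":"{principal}"')
        return {"Role": {"RoleName": RoleName, "Arn": f"arn:aws:iam::123456789012:role/{RoleName}"}}

ACCOUNT = "123456789012"  # constructed placeholder account id
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/SecurityMonkeyInstanceProfile"},
         "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    fake = FakeIam(TRUST["Statement"][0]["Principal"]["AWS"], visible_after=2)
    resp, used = create_role_with_retry(fake, "SecurityMonkey", TRUST, sleep=lambda s: None)
    print(resp["Role"]["Arn"], "created after", used, "attempts")
```

With a real client, pass boto3.client("iam") and catch botocore.exceptions.ClientError instead of IamError; the classification is the same.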