我正在尝试实施逻辑以限制仅为特定AWS配置文件创建AWS资源,以便没有人可以在其他AWS配置文件中意外创建AWS资源。
例如 - 仅当为以下配置文件设置AWS变量时,才会创建AWS资源
provider "aws" {
profile = "AWS_Horizontal_Dev"
region = "us-east-1"
}
如果用户意外设置了不同配置文件的AWS变量,则不应创建AWS资源。
实现此逻辑的最佳方式是什么?
答案 0 :(得分:1)
您可以在此处添加allowed_account_ids参数,以限制确切的AWS账户,假设您的AWS个人资料映射到AWS账户:
provider "aws" {
profile = "AWS_Horizontal_Dev"
region = "us-east-1"
allowed_account_ids = ["${var.allowed_account_id}"]
}
或者您可以使用forbidden_account_ids排除不允许的帐户:
provider "aws" {
profile = "AWS_Horizontal_Dev"
region = "us-east-1"
forbidden_account_ids = ["${var.excluded_account_id}"]
}