我有一个Terraform模块,可以为我的CI环境创建用户以发布到ECR。
resource "aws_iam_user" "continuous-deployment" {
name = "continuous-deployment"
path = "/system/"
}
resource "aws_iam_access_key" "continuous-deployment" {
user = "${aws_iam_user.continuous-deployment.name}"
pgp_key = "${var.pgp_key}"
}
resource "aws_iam_user_policy" "continuous-deployment" {
name = "continuous-deployment"
user = "${aws_iam_user.continuous-deployment.name}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage",
"ecr:GetLoginToken"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
output "aws_access_key_id" {
value = "${aws_iam_access_key.continuous-deployment.id}"
}
output "aws_secret_access_key" {
value = "${aws_iam_access_key.continuous-deployment.encrypted_secret}"
}
我遇到的问题是,在每个terraform apply上,Terraform希望删除并重新创建这些资源,即使这些资源没有发生变化。
我不知道为什么会发生这种情况,不幸的是找不到任何处于类似位置的人。想法?
答案 0 :(得分:0)
这种情况发生在大多数IAM策略或s3策略定义中。
使用 <h1>Your Opinions:</h1>
<div>
<%= @opinion.body %>
</div>
运行时,会导出需要重新创建的某些资源,并在一行中列出策略更改,以便您无法轻松识别更改。
请使用terraform-landscape将terraform plan输出重定向到它,并获得精确排序的输出。然后,您应该很容易识别需要修复的部分。
terraform plan/apply