IAM中的子网的Terraform ARN ID

时间:2018-03-31 01:43:10

标签: amazon-web-services amazon-iam terraform

我正在尝试使用Terraform创建自定义IAM角色:

resource "aws_iam_role" "prod_role" {
  name = "test_role"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:GetConsole*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:${var.aws_region}:*:subnet/${aws_subnet.prod1.id}",
                "arn:aws:ec2:${var.aws_region}:*:subnet/${aws_subnet.prod2.id}",
                "arn:aws:ec2:${var.aws_region}:*:network-interface/*",
                "arn:aws:ec2:${var.aws_region}:*:instance/*",
                "arn:aws:ec2:${var.aws_region}:*:volume/*",
                "arn:aws:ec2:${var.aws_region}::image/ami-*",
                "arn:aws:ec2:${var.aws_region}:*:key-pair/*",
                "arn:aws:ec2:${var.aws_region}:*:security-group/*"
            ]
        }
    ]
}
EOF
}

我的问题是,拉入策略的子网ID是错误的。我的ARN喜欢这样:

arn:aws:ec2:us-east-1:*:subnet/subnet-0bbg694edda209ab9

它应该是这样的:

arn:aws:ec2:us-east-1:*:subnet/0bbg694edda209ab9

如何获得与IAM一起使用的子网ID(没有子网?)

1 个答案:

答案 0 :(得分:2)

这可能不是最佳解决方案,但您可以使用Terraform的replace插值语法。用"subnet-"替换""。结果看起来像这样

arn:aws:ec2:${var.aws_region}:*:subnet/${replace(aws_subnet.prod1.id, "subnet-", "")}
相关问题
最新问题