我试图在下面调用一个变量,但是此刻必须手动输入它,有点卡住了。如何让Terraform自动插入变量的值。
resource "aws_iam_role" "aws-admin-role" {
name = "AWS-AdminAccess"
description = "Administration of Account from AWSxx"
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::INSERTACCOUNTMANUALLY:root"
},
"Action":"sts:AssumeRole",
"Condition":{
}
}
]
}
EOF
}
答案 0 :(得分:1)
Terraform允许您插入它知道的值,例如来自数据源,资源或模块的变量或输出。
在您的情况下,您可以使用aws_caller_identity data source动态获取调用者的帐户ID,并将其插入您的IAM策略中,如下所示:
data "aws_caller_identity" "current" {}
resource "aws_iam_role" "aws-admin-role" {
name = "AWS-AdminAccess"
description = "Administration of Account from AWSxx"
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action":"sts:AssumeRole",
"Condition":{
}
}
]
}
EOF
}
相反,如果您想使用变量来引用其他AWS账户,则可以执行以下操作:
variable "account_id" {}
resource "aws_iam_role" "aws-admin-role" {
name = "AWS-AdminAccess"
description = "Administration of Account from AWSxx"
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::${var.account_id}:root"
},
"Action":"sts:AssumeRole",
"Condition":{
}
}
]
}
EOF
}