我可以使用terraform将开箱即用的aws_iam_policy(SecurityAudit),帐户ID和外部ID添加到aws_iam_role中吗?

时间:2019-02-05 16:59:46

标签: terraform aws-iam amazon-iam

我正在设置云安全性,我需要:

  1. 选择受信任实体的类型>另一个AWS帐户
  2. 帐户ID:xxxxxxxxxx
  3. 外部ID:xxxxxxxxxx
  4. 附加SecurityAudit策略(AWS中已经存在)

我不确定如何添加现有策略或在何处添加ID。我似乎无法从terraform文档中找到解决方案。

../Core/iam_roles.tf

# BEGIN 'foo'
resource "aws_iam_role" "foo" {
  name               = "${terraform.workspace}_Foo"
  path               = "/"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "automation.amazonaws.com",
          "events.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "foo" {
  policy_arn = "${aws_iam_policy.security_audit.arn}"
  role = "${aws_iam_role.foo.name}"
}

任何帮助将不胜感激!

2 个答案:

答案 0 :(得分:0)

如果要附加帐户中已经存在的策略,我将使用数据源进行查询。您必须知道ARN可以使用IAM策略数据源,因此它与直接在aws_iam_role_policy_attachment资源中指定ARN没什么不同,只不过它允许terraform plan命令在运行{之前验证该策略是否存在{1}},这对您来说是一个额外的保障。数据源还为您提供more information有关资源的信息。

apply

答案 1 :(得分:0)

`# BEGIN 'Foo'
resource "aws_iam_role" "foo" {
  name = "${terraform.workspace}_Foo"
  path = "/"

  assume_role_policy = <<EOF
{
 "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::INSERT_ACCOUNT_NUMBER:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "INSERT_EXTERNAL_ID"
        }
      }
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "foo" {
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
  role       = "${aws_iam_role.foo.name}"
}

resource "aws_iam_instance_profile" "foo" {
  name = "${terraform.workspace}_Foo"
  role = "${aws_iam_role.foo.name}"
}

# END
`