I am using Jenkins to automate Terraform creating my AWS environment. Although Jenkins has the CreateSecurityGroup permission, when Jenkins runs the Terraform main file I get this error:
* aws_security_group.lambda_security_group: aws_security_group.lambda_security_group: UnauthorizedOperation: You are not authorized to perform this operation.status code: 403, request id: 08c21dbe-5b86-4ad1-8ff3-13611bdb178c
It has the CreateSecurityGroup permission, so I am curious why it cannot perform this operation.
I made sure these permissions are assigned to the Jenkins role that creates the security group:
{
  "Sid": "AllowEC2Control",
  "Action": [
    "ec2:CreateSecurityGroup"
  ],
  "Effect": "Allow",
  "Resource": [
    "*"
  ]
}
Here is the code from my Terraform file:
Creating the security group:
resource "aws_security_group" "lambda_security_group" {
  name        = "security group"
  description = "Security group for data ingestion lambda"
  vpc_id      = "${var.vpc_id}"

  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    cidr_blocks = [
      "0.0.0.0/0"
    ]
  }

  tags {
    Service     = "${var.tags_service_name}"
    environment = "${var.environment}"
  }
}
Creating the lambda:
resource "aws_lambda_function" "some_lambda" {
  function_name    = "my_lambda"
  s3_bucket        = "${aws_s3_bucket.my_data.bucket}"
  s3_key           = "lambda.zip"
  role             = "${aws_iam_role.my_iam_role.arn}"
  handler          = "lambda_function.lambda_handler"
  runtime          = "python3.6"
  timeout          = 900
  memory_size      = 128
  source_code_hash = "${var.GIT_SHA}"

  vpc_config {
    security_group_ids = [
      "${aws_security_group.lambda_security_group.id}"
    ]
    subnet_ids = "${var.subnets}"
  }
}
Unfortunately, when Jenkins executes the Terraform script, I get the error shown above. I expect to have the proper permissions to create this security group.
Answer 0 (score: 0)
You have only authorized your Jenkins to create the security group, but in the Terraform code you are also adding ingress and egress rules.
You also have to grant the egress permissions. Here is a reference: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#security-group
To be able to add/update/delete, change your IAM policy to:
{
  "Sid": "AllowEC2Control",
  "Action": [
    "ec2:CreateSecurityGroup",
    "ec2:*SecurityGroupEgress",
    "ec2:*SecurityGroupIngress"
  ],
  "Effect": "Allow",
  "Resource": [
    "*"
  ]
}
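A quick offline way to catch this class of 403 before a pipeline run is to compare the policy statement against the EC2 calls the resource actually makes. The following is an added example, not code from the question or the answer; both policy documents are constructed copies of the two statements above, and the list of actions that a `terraform apply`/`destroy` of an `aws_security_group` with an `egress` block and `tags` issues (describe, revoke of the default egress rule, authorize, tag, delete) is an assumption about the AWS provider's behaviour, not something the thread states. IAM action matching (`*`, `?`, case-insensitive, explicit Deny wins) is implemented here rather than called from the AWS API, so the check runs without credentials.

```python
import re

# Constructed policy documents modelled on the two statements in the thread.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEC2Control", "Effect": "Allow",
     "Action": ["ec2:CreateSecurityGroup"], "Resource": "*"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEC2Control", "Effect": "Allow",
     "Action": ["ec2:CreateSecurityGroup", "ec2:*SecurityGroupEgress",
                "ec2:*SecurityGroupIngress"], "Resource": "*"}]}

# Assumed set of EC2 calls a terraform apply/destroy of an aws_security_group with
# an egress block and tags makes (provider behaviour, not stated in the thread).
REQUIRED_ACTIONS = [
    "ec2:CreateSecurityGroup", "ec2:DescribeSecurityGroups",
    "ec2:RevokeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupEgress",
    "ec2:CreateTags", "ec2:DeleteSecurityGroup",
]

def _pattern_to_regex(pattern):
    """IAM action patterns: '*' matches any run, '?' one character, case-insensitive."""
    parts = (".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_allowed(policy, action):
    """Evaluate one action against the policy: explicit Deny beats Allow, default is deny.
    Resource and Condition elements are ignored (the thread's statements use Resource '*')."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        patterns = [_pattern_to_regex(p) for p in _as_list(stmt.get("Action", []))]
        if not any(rx.match(action) for rx in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not grant, in the order listed."""
    return [a for a in required if not action_allowed(policy, a)]

if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL_POLICY), ("answer", FIXED_POLICY)):
        print(name, "policy still missing:", missing_actions(pol))
```

Run against the answer's statement, the check reports the describe, tag and delete actions as still ungranted, which is where the next 403 would come from if those assumptions about the provider hold.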