Terraform does not seem to iterate over my list when called from a module

Time: 2019-04-09 20:11:26

Tags: terraform

I have a simple module that looks like this:

module "EncryptionKeys" {
  source                 = "../../../../Modules/KeyGenerator"
  item_list              = ["${module.static_variables.item_list}"]
  account_id             = "${module.static_variables.account_id}"
  key_alias_suffix       = "a-suffix"
  key_administrator_role = "${data.aws_iam_role.admins.name}"
  key_user_suffix        = "some-other-suffix"
}

This is the key resource inside the module:

resource "aws_kms_key" "key" {
  count               = "${length(var.item_list)}"
  description         = "${var.description}"
  policy              = "${data.aws_iam_policy_document.key_document.json}"
  enable_key_rotation = "${var.enable_key_rotation}"
}

The module itself builds the AWS IAM role/policy with the following statement:

statement {
  sid    = "Allow use of the key for users"
  effect = "Allow"
  principals {
    identifiers = ["arn:aws:iam::${var.account_id}:role/${var.key_administrator_role}", "${element(split(".",var.item_list[count.index]),0)}-${var.key_user_suffix}"]
    type        = "AWS"
  }
  actions = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ]
  resources = ["*"]
}

Is there a problem here? When I look at a successful Terraform plan, item_list is resolved correctly per element, but always with the same value. I.e. if I define item_list as:

item_list = ["a.blah", "b.foo", "c.bar", "d.foobar"]

there will be four instances of the related resource, and the split on "." happens correctly, but all of them end up named "a".

"{
  "Version": "2012-10-17",
  "Id": "key=consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "*",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:role/Admins"
      }
    },
    {
      "Sid": "Allow attachment of persistent resources for admin",
      "Effect": "Allow",
      "Action": [
        "kms:RevokeGrant",
        "kms:ListGrants",
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:role/Admins"
      },
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "Allow use of the key for users",
      "Effect": "Allow",
      "Action": [
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Principal": {
        "AWS": [
          "a-stg-role",
          "arn:aws:iam::123456789:role/Admins"
        ]
      }
    },
    {
      "Sid": "Allow attachment of persistent resources for users",
      "Effect": "Allow",
      "Action": [
        "kms:RevokeGrant",
        "kms:ListGrants",
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Principal": {
        "AWS": [
          "a-stg-role",
          "arn:aws:iam::123456789:role/Admins"
        ]
      },
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}"

Am I doing something fundamentally wrong with count / count.index here? Why does it not loop over item_list, and why does it always seem to get the same value?

1 answer:

Answer 0 (score: 1)

You specify the count on the key resource, but that does not mean it is available to your aws_iam_policy_document.

Try including the count in the aws_iam_policy_document as well, e.g.

data "aws_iam_policy_document" "key_document" {
  count = "${length(var.item_list)}"

  # rest of template ....
}

Then reference the list of policies from the key resource, using the key resource's count, with policy = "${element(data.aws_iam_policy_document.key_document.*.json, count.index)}"
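As an added example (not code from the question or the answer), here is the module's data source and key resource with the answer's fix applied, so that each key's policy names only the user principal for its own item instead of the first item's principal on every key. Expanding the split name into a full role ARN in the same account is an assumption; the original passes the bare name.

```hcl
# Inside the KeyGenerator module: give the policy document the same count as the
# key so that count.index is defined while each per-item statement is rendered.
data "aws_iam_policy_document" "key_document" {
  count = "${length(var.item_list)}"

  statement {
    sid       = "Enable IAM User Permissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:role/${var.key_administrator_role}"]
    }
  }

  statement {
    sid    = "Allow use of the key for users"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type = "AWS"
      # Assumption: the per-item user principal is an IAM role in the same
      # account, so the name taken from item_list is expanded to a role ARN.
      # Only item N's role is granted on key N, not the first item's role everywhere.
      identifiers = [
        "arn:aws:iam::${var.account_id}:role/${var.key_administrator_role}",
        "arn:aws:iam::${var.account_id}:role/${element(split(".", var.item_list[count.index]), 0)}-${var.key_user_suffix}",
      ]
    }
  }
}

# The key at index N selects the document rendered for item N via splat + element.
resource "aws_kms_key" "key" {
  count               = "${length(var.item_list)}"
  description         = "${var.description}"
  policy              = "${element(data.aws_iam_policy_document.key_document.*.json, count.index)}"
  enable_key_rotation = "${var.enable_key_rotation}"
}
```

After applying this, `terraform plan` should show a distinct principal (a-..., b-..., c-..., d-...) in the "Allow use of the key for users" statement of each of the four keys.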