Terraform: S3 bucket policy

Time: 2019-06-05 09:07:52

Tags: amazon-s3 terraform

I am using this module https://github.com/turnerlabs/terraform-s3-user to create some S3 buckets and the related IAM users.

This works fine:

```hcl
module "my_bucket" {
  source            = "github.com/turnerlabs/terraform-s3-user?ref=v2.1"
  bucket_name       = "my-bucket"
  tag_team          = "developers"
  tag_contact-email = "xxxxx"
  tag_application   = "xxxxx"
  tag_environment   = "prod"
  tag_customer      = "xxxxx"
}
```

Now I want to fix the default policy of the S3 bucket created by this module.

`terraform show` shows me:

How should I modify the .tf to have a different policy?

2 Answers:

Answer 0 (score: 0)

I agree with @ydeatskcoR's take on your idea. However, if you insist on doing this through a bucket policy, you can copy the module directly into your repository and adjust the aws_s3_bucket_policy resource to suit your environment:

```hcl
resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = "${aws_s3_bucket.bucket.id}"

  # s3:* grants the module's IAM user every S3 action on the bucket and its
  # objects, including changing the bucket policy and ACLs; narrow the Action
  # list to what the user actually needs.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_user.user.arn}"
      },
      "Action": [ "s3:*" ],
      "Resource": [
        "${aws_s3_bucket.bucket.arn}",
        "${aws_s3_bucket.bucket.arn}/*"
      ]
    }
  ]
}
EOF
}
```
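As an added example (not code from the answer above or from the turnerlabs module), here is a narrower form of the same bucket policy. It keeps the resource names `aws_s3_bucket.bucket` and `aws_iam_user.user` from the answer; the statement IDs, the exact action list and the public access block are assumptions about what the application needs and are not taken from the page. Instead of `s3:*` it grants the user object read/write/delete plus `s3:ListBucket`, adds a Deny for any request not made over TLS, and switches on the bucket's public access block so a later ACL or policy change cannot make the bucket public:

```hcl
# Added example, not part of the original answer. Assumes the copied module
# still declares aws_s3_bucket.bucket and aws_iam_user.user; the Sids and
# the action list below are hypothetical and should match the application.
data "aws_iam_policy_document" "bucket_policy" {
  # Object operations only, no bucket configuration or policy changes.
  statement {
    sid    = "AllowAppUserObjectAccess"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.user.arn]
    }

    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
    ]

    # Object actions are evaluated against the object ARN, hence "/*".
    resources = ["${aws_s3_bucket.bucket.arn}/*"]
  }

  # ListBucket is a bucket-level action and needs the bucket ARN itself.
  statement {
    sid    = "AllowAppUserListBucket"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.user.arn]
    }

    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.bucket.arn]
  }

  # Explicit Deny wins over any Allow: reject plaintext HTTP for everyone.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.bucket.id
  policy = data.aws_iam_policy_document.bucket_policy.json
}

# Account-independent guard: public ACLs are ignored and public policies are
# refused, regardless of what a later change to the policy above grants.
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

This is written in Terraform 0.12 syntax, matching the second answer; on 0.11 the bare references would need the `"${...}"` interpolation form used above. `terraform plan` renders the resulting JSON under `policy`, so the three statements can be reviewed before `apply`.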

Answer 1 (score: 0)

I like to use IAM roles. For example, if you use Kubernetes, you can assign an IAM role to your pod.

The basic example below shows how to grant read access to S3 buckets. The values are hard-coded for simplicity, but it is better to use suitable variables.

```hcl
# Inline policy attached to an existing role; "role" takes the role name.
resource "aws_iam_role_policy" "my-s3-read-policy" {
  name   = "inline-policy-name-that-will-show-on-aws"
  role   = "some-existing-iam-role-name"
  policy = data.aws_iam_policy_document.s3_read_permissions.json
}

# Read-only access: ListBucket is evaluated against the bucket ARN, the
# object actions against the objects ("/*") under it, so both are listed.
data "aws_iam_policy_document" "s3_read_permissions" {
  statement {
    effect = "Allow"

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::my-bucket-1",
      "arn:aws:s3:::my-bucket-1/*",
      "arn:aws:s3:::my-bucket-2",
      "arn:aws:s3:::my-bucket-2/*",
    ]
  }
}
```

You can run a targeted plan like this:

```sh
terraform plan -target=aws_iam_role_policy.my-s3-read-policy
```

which outputs:

```text
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role_policy.my-s3-read-policy will be created
  + resource "aws_iam_role_policy" "my-s3-read-policy" {
      + id     = (known after apply)
      + name   = "inline-policy-name-that-will-show-on-aws"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::my-bucket-2/*",
                          + "arn:aws:s3:::my-bucket-2",
                          + "arn:aws:s3:::my-bucket-1/*",
                          + "arn:aws:s3:::my-bucket-1",
                        ]
                      + Sid      = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role   = "some-existing-iam-role-name"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
```