使用Terraform创建AWS服务角色

时间:2019-07-08 10:46:27

标签: amazon-web-services terraform amazon-iam

我不知道如何使用Terraform for AWS配置角色策略。

第一件事:

$ terraform version
Terraform v0.12.0
+ provider.aws v2.18.0

现在,我需要创建一个服务角色,据我了解,首先我需要使用aws_iam_role创建该角色,并使用aws_iam_role_policy_attachment来附加CodeDeploy的AWSCodeDeployRole策略。

resource "aws_iam_role" "codedeploy_service_role" {
  name = "CodeDeployServiceRole"
}
resource "aws_iam_role_policy_attachment" "codedeploy_service_role_policy_attach" {
   role       = "${aws_iam_role.codedeploy_service_role.name}"
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole"
}

但是它不起作用,因为 aws_iam_role 资源没有必填字段“ assume_role_policy”。并且“ assume_role_policy”字段仅接受JSON格式的策略字段。我不明白为什么在此角色初始化期间如果不设置策略就无法创建角色。

1 个答案:

答案 0 :(得分:1)

我误读了您的问题后得到纠正:

您可以如下创建iam_policy:

data "aws_iam_policy" "codedeploy_service_policy" {
  arn = "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole"
}

然后在您的政策附件中:

resource "aws_iam_role_policy_attachment" "codedeploy_service_role_policy_attach" {
   role       = "${aws_iam_role.codedeploy_service_role.name}"
   policy_arn = "${data.aws_iam_policy.codedeploy_service_policy.arn}"
}

具有承担角色策略的AWS IAM角色(具有信任关系) **在AWS中创建角色时,您必须提供信任关系(该特定角色将利用的服务)。

resource "aws_iam_role" "codedeploy_service_role" {
  name = "CodeDeployServiceRole"
  assume_role_policy = <<EOF
{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Action": "sts:AssumeRole",
     "Principal": {
       "Service": "ec2.amazonaws.com"
     },
     "Effect": "Allow",
     "Sid": ""
   }
 ]
}
EOF
}
相关问题
最新问题