带计数插值的Terrafom 0.12.6地图变量

时间:2019-08-20 14:11:32

标签: amazon-web-services interpolation terraform hcl

我正在尝试附加已创建为策略列表的策略ARN列表。请看下面:

failure

variables.tf

我的资源是这些:

main.tf 

variable "arns_map" {   type  = "map"
     default = {
    default       = [
      "default"
    ]
    bakery   = [    
        "arn:aws:iam::aws:policy/AmazonECS_FullAccess",
        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
        "arn:aws:iam::aws:policy/AmazonSNSFullAccess"
    ]
    lambda = [
    "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
    ]
    media-server  = [
    "arn:aws:iam::aws:policy/AmazonSQSFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess",
    "arn:aws:iam::aws:policy/AmazonECS_FullAccess",
    "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
    ]
    recognition = [
    "arn:aws:iam::aws:policy/AmazonESFullAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonECS_FullAccess"
    ]
    frontends = [
      "arn:aws:iam::aws:policy/CloudFrontFullAccess"
    ]
    elasticbeanstalk = [
      "arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess"
    ]
    docker = [
      "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
    ]
    media = [
        "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
        "arn:aws:iam::aws:policy/AmazonSQSFullAccess",
        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
        "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
      ]   } }

我遇到以下错误:

resource "aws_iam_role" "tenant_roles" {
  count = length(var.role_names)
  name  = element(var.role_names, count.index)
  description = "Dedicated role for tenants"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${var.kops_nodes_role_arn}"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

  tags  = {
    Managedby = "terraform"
  }
}

resource "aws_iam_role_policy_attachment" "tenant_policies" {
  count       = length(values(var.arns_map))
  role        = join(",", keys(var.arns_map))
  # policy_arn  = element(var.role_names, count.index)
  policy_arn  = join(",", values(var.arns_map))

  depends_on = [
    aws_iam_role.tenant_roles,
  ]
}

我正在使用terraform 0.12.6管理AWS资源。

关于如何做到这一点的任何想法?

预先感谢

1 个答案:

答案 0 :(得分:1)

这是因为aws_iam_role_policy_attachment需要example中所述的aws_iam_policy资源中的字符串化arn,而您正在尝试提供list(string)

我在AWS IAM方面的经验有限,我不确定role参数,但是您似乎想遍历地图。像这样:

resource "aws_iam_role_policy_attachment" "tenant_policies" {
  count       = length(keys(var.arns_map))
  role        = element(keys(var.arns_map), count.index)
  policy_arn  = join(",", var.arns_map[element(keys(var.arns_maps), count.index))]
}

还可以在其中使用局部变量

locals {
  arns_keys = keys(var.arns_map)
  arns_values = [for k in keys(var.arns_map) : join(",", var.arns_map[k])]
}

resource "aws_iam_role_policy_attachment" "tenant_policies" {
  count       = length(local.arns_keys)
  role        = join(",", local.arns_keys)
  policy_arn  = element(local.arns_values, count.index)
}
相关问题
最新问题