如何为aws_iam_policy_document创建可重用的语句块?

时间:2019-08-28 06:50:48

标签: terraform0.12+

我有一些这样的aws_iam_policy_document

政策1 

data "aws_iam_policy_document" "policy1" {
  statement {
    actions = [
      "rds:DescribeDBSnapshots"
    ]
    resources = [
      "arn:aws:rds:${var.region}:${local.account_id}:db:*
    ]
  }
  statement {
    actions = [
      "rds:RestoreDBInstanceFromDBSnapshot"
    ]
    resources = [
      "arn:aws:rds:${var.region}:${local.account_id}:db:*s",
      "arn:aws:rds:${var.region}:${local.account_id}:snapshot:*"

    ]
  }
}

政策2 

data "aws_iam_policy_document" "policy2" {
  statement {
    actions = [
      "rds:DescribeDBInstances",
      "rds:ModifyDBInstance"
    ]
    resources = [
      "arn:aws:rds:${var.region}:${local.account_id}:db:*",
      "arn:aws:rds:${var.region}:${local.account_id}:db:*"
    ]
  }

}

我还有其他一些政策,它们都有一些不同。

现在,我希望能够将相同的statement块插入所有这些策略。

它尚未经过测试,但是语句看起来像这样:

statement {

    action = [
        "ssm:GetParameter" 

    ]
    resources = [

"arn:aws:ssm:${var.region}:${local.account_id}:parameter/lambda/*"
    ]

}

最有效的方法是什么?我想避免将同一语句块复制并粘贴到所有策略中。

1 个答案:

答案 0 :(得分:0)

我可以使用source_json关键字。

这里是一个例子:

首先,在新政策文档中定义通用政策

  data "aws_iam_policy_document" "common" {
    statement {

        action = [
            "ssm:GetParameter" 

        ]
        resources = [

    "arn:aws:ssm:${var.region}:${local.account_id}:parameter/lambda/*"
        ]

    }
  }

然后在现有策略文档中,使用source_json 

data "aws_iam_policy_document" "policy1" {
  source_json = "${data.aws_iam_policy_document.common.json}"
  statement {
     ....
  }
}
相关问题
最新问题