How do I import an existing AWS resource that lives in another account into Terraform state?
terraform import module.mymodule.aws_iam_policy.policy arn:aws:iam::123456789012:policy/mypolicy
I get the following error:
Error: Cannot import non-existent remote object
While attempting to import an existing object to aws_iam_policy.policy, the
provider detected that no object exists with the given id. Only pre-existing
objects can be imported; check that the id is correct and that it is
associated with the provider's configured region or endpoint, or use
"terraform apply" to create a new remote object for this resource.
The resource was created in the other account by a separate provider configuration defined inside a module called mymodule:
module "mymodule" {
  // ... define variables for the module
}

// within the module
provider "aws" {
  alias  = "cross-account"
  region = "eu-west-2"

  assume_role {
    role_arn = var.provider_role_arn
  }
}

resource "aws_iam_policy" "policy" {
  provider    = "aws.cross-account"
  name        = var.policy-name
  path        = var.policy-path
  description = var.policy-description
  policy      = var.policy-document
}
How do I import a cross-account resource?

Update: using the -provider flag, I get a different error:
Error: Provider configuration not present
To work with module.mymodule.aws_iam_policy.policy (import
id "arn:aws:iam::123456789012:policy/somepolicytoimport") its original provider
configuration at provider.aws.cross-account is required, but it has been
removed. This occurs when a provider configuration is removed while objects
created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.mymodule.aws_iam_policy.policy (import id
"arn:aws:iam::123456789012:policy/somepolicytoimport"), after which you can remove
the provider configuration again.
Answer 0 (score: 0)
I think you have to assume the second account's role, as follows.
provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}
Answer 1 (score: 0)
I ran into the same error while trying to import an AWS ACM certificate.
First, before importing the resource, you need to create its configuration in the root module (or whichever module is relevant):
resource "aws_acm_certificate" "cert" {
  # (resource arguments)
}
Otherwise you will get the following error:
Error: resource address "aws_acm_certificate.cert" does not exist in the configuration.
Then you can import the resource by supplying the relevant information:
$ terraform import aws_acm_certificate.cert <certificate-arn>
As @ydaetskcoR mentioned in the comments, if you are using v0.12.10+ you don't need to assume the second account's role.
But Terraform does need access credentials for the second account, so make sure you provide the credentials of the relevant account (not the source account's credentials); otherwise you'll be stuck on
Error: Cannot import non-existent remote object
for hours like I was (:
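The point both answers make is that the credentials in effect at import time must belong to the account that owns the resource; if they belong to the source account, the provider looks for the ARN there and reports "Cannot import non-existent remote object". The following added script (not code from the question or either answer) makes that a check before running the import: it pulls the account ID out of the ARN, compares it with the account the current credentials resolve to, and only then calls terraform import. It assumes the aws and terraform CLIs are on PATH when invoked with arguments; the resource address and ARN in the usage line are the ones from the question, and the helper names are my own.

```sh
#!/bin/sh
# Added example, not from the question or answers: refuse to import unless the
# active credentials belong to the account named in the ARN, then import.
# Assumes the aws and terraform CLIs are available when run with two arguments.

# Return the account ID embedded in an ARN
# (arn:partition:service:region:account-id:resource). The account is the fifth
# colon-separated field; -s makes cut print nothing when the input has no ':'.
arn_account_id() {
  printf '%s\n' "$1" | cut -s -d: -f5
}

# Succeed only when the ARN's account matches the account the credentials
# resolve to; otherwise explain the mismatch on stderr and fail.
check_import_account() {
  arn="$1"
  caller_account="$2"
  target_account=$(arn_account_id "$arn")
  if [ -z "$target_account" ]; then
    echo "could not extract an account ID from ARN: $arn" >&2
    return 1
  fi
  if [ "$target_account" != "$caller_account" ]; then
    echo "credentials resolve to account $caller_account but the ARN belongs to $target_account" >&2
    return 1
  fi
  return 0
}

# Usage: sh import_check.sh <resource address> <arn>
# e.g.   sh import_check.sh module.mymodule.aws_iam_policy.policy \
#            arn:aws:iam::123456789012:policy/mypolicy
# The CLI calls below only run when both arguments are given.
if [ "$#" -eq 2 ]; then
  address="$1"
  arn="$2"
  # Which account do the current credentials (env vars, profile, or an assumed
  # role) actually belong to? This is the same credential lookup terraform uses.
  caller_account=$(aws sts get-caller-identity --query Account --output text) || exit 1
  check_import_account "$arn" "$caller_account" || exit 1
  terraform import "$address" "$arn"
fi
```

If you assume the cross-account role yourself (for example with aws sts assume-role and exporting the returned keys) before running the script, the caller-identity check will report the target account and the import proceeds; with the source account's credentials it stops before terraform is invoked, which is cheaper than the provider's own "non-existent remote object" failure and names the actual cause.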