Define a Lambda policy and an assume-role policy

Time: 2020-05-06 19:41:15

Tags: amazon-web-services terraform terraform-provider-aws

I am writing a Lambda function that should be triggered by a CloudWatch Event (after X time). I have almost everything configured, but I cannot get the policy business right with AWS. This is what I have so far:

data "aws_iam_policy_document" "this" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      identifiers = ["lambda.amazonaws.com"]
      type        = "Service"
    }
  }
  statement {
    actions   = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    effect    = "Allow"
    resources = ["arn:aws:logs:*:*:*"]
  }
}

resource "aws_iam_role_policy_attachment" "this" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.this.name
}

resource "aws_iam_role" "this" {
  assume_role_policy = data.aws_iam_policy_document.this.json
  name               = "AWSLambdaSpringCloudFunctionBasicExecutionRole"
}

I only want the Lambda to be able to write to CloudWatch and to be triggered by the CloudWatch Event source... that's it, no more permissions. I am creating the log group through Terraform, so I don't need logs:CreateLogGroup.

When I run terraform apply (version 0.12.24), this error pops up:

aws_iam_role.this: Creating...

Error: Error creating IAM Role AWSLambdaSpringCloudFunctionBasicExecutionRole: MalformedPolicyDocument: Has prohibited field Resource
    status code: 400, request id: 12ad676e-b98e-4c60-bedd-bf17487bd51d

Is there a way to declare the AWS Lambda policy and the assume-role policy together? If not, what is the recommended Terraform resource/data source?

2 answers:

Answer 0 (score: 1)

You are trying to define multiple statements in assume_role_policy, which is not a regular policy but a policy of the "trust relationship" type. It only describes who can assume the role and under what conditions.

As far as I understand (limited Terraform knowledge), you need to move the second statement into its own policy and attach it via aws_iam_role_policy_attachment.

Answer 1 (score: 0)

As Oleksii pointed out, I was using the wrong resource to create the IAM policy. Here is the full example:

# Trust policy: who may assume the role (the Lambda service only).
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      identifiers = ["lambda.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_iam_role" "lambda" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  # Any valid IAM role name (alphanumerics and +=,.@-_ only; spaces and
  # slashes are rejected by IAM).
  name               = "lambda-execution-role"
}

# Optional: the AWS-managed basic execution policy. It also grants
# logs:CreateLogGroup on every log group, so it is broader than the custom
# policy below and makes it redundant; drop it if you want only the two actions.
resource "aws_iam_role_policy_attachment" "basic_execution" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.lambda.name
}

# Permissions policy: what the role may do (a regular identity policy,
# separate from the trust policy above).
data "aws_iam_policy_document" "logs" {
  statement {
    actions   = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    effect    = "Allow"
    resources = ["arn:aws:logs:*:*:*"]
  }
}

resource "aws_iam_policy" "logs" {
  # Any valid IAM policy name (same character rules as role names).
  name   = "lambda-cloudwatch-logs"
  policy = data.aws_iam_policy_document.logs.json
}

# Attach the customer-managed policy to the role. aws_iam_role_policy_attachment
# is used instead of aws_iam_policy_attachment, which takes exclusive ownership
# of every attachment of the policy and detaches any it does not manage.
resource "aws_iam_role_policy_attachment" "logs" {
  policy_arn = aws_iam_policy.logs.arn
  role       = aws_iam_role.lambda.name
}
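The configuration below is an added example, not code from the question or from either answer. It puts together the distinction Oleksii draws in Answer 0 and the resource split in Answer 1, and goes further on the least-privilege point the question raises: there are three separate policies involved, the trust policy on the role (who may become the role: only lambda.amazonaws.com), the permissions policy on the role (what it may do: write to one log group), and the resource-based permission on the function (who may invoke it: only the one event rule). The log permissions are scoped to the log group Terraform creates instead of arn:aws:logs:*:*:*, and the managed AWSLambdaBasicExecutionRole policy is not attached at all, since the question says logs:CreateLogGroup is not needed. The function name scheduled-job, the role and rule names, the handler, runtime and function.zip package, the rate(1 hour) schedule and the aws:SourceAccount condition are assumptions, not anything the page states.

```hcl
# Added example (not from the original Q&A). Names, runtime, package and
# schedule are placeholders; adjust to your deployment.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  function_name = "scheduled-job" # assumed function name
}

# 1. Trust policy: who may assume the role. Only the Lambda service, and only
#    on behalf of this account (aws:SourceAccount guards against a function in
#    another account being pointed at this role; assumed, optional hardening).
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "${local.function_name}-exec" # assumed role name
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Terraform owns the log group, so the function never needs logs:CreateLogGroup.
resource "aws_cloudwatch_log_group" "lambda" {
  name              = "/aws/lambda/${local.function_name}"
  retention_in_days = 30
}

# 2. Permissions policy: what the role may do. Only stream/put, and only on
#    this function's log group (the trailing :* covers its log streams). The
#    ARN is built by hand so it does not depend on provider-version differences
#    in aws_cloudwatch_log_group.arn.
data "aws_iam_policy_document" "logs" {
  statement {
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.lambda.name}:*",
    ]
  }
}

# Inline policy: lives and dies with the role, nothing else can attach it.
resource "aws_iam_role_policy" "logs" {
  name   = "cloudwatch-logs"
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.logs.json
}

resource "aws_lambda_function" "this" {
  function_name    = local.function_name
  role             = aws_iam_role.lambda.arn
  handler          = "index.handler"                 # assumed
  runtime          = "python3.12"                    # assumed
  filename         = "function.zip"                  # assumed to exist locally
  source_code_hash = filebase64sha256("function.zip")

  # Make sure the role can log and the log group exists before first invocation.
  depends_on = [aws_iam_role_policy.logs, aws_cloudwatch_log_group.lambda]
}

# The schedule: a CloudWatch Events (EventBridge) rule firing every hour (assumed).
resource "aws_cloudwatch_event_rule" "schedule" {
  name                = "${local.function_name}-schedule"
  schedule_expression = "rate(1 hour)"
}

resource "aws_cloudwatch_event_target" "lambda" {
  rule = aws_cloudwatch_event_rule.schedule.name
  arn  = aws_lambda_function.this.arn
}

# 3. Resource-based policy on the function: who may invoke it. Without
#    source_arn, any rule in any account that knows the function ARN could
#    trigger it via events.amazonaws.com.
resource "aws_lambda_permission" "events" {
  statement_id  = "AllowExecutionFromCloudWatchEvents"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.this.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.schedule.arn
}
```

The error in the question comes from the fact that a trust policy may contain Principal but never Resource; here the Resource-bearing statement lives only in data.aws_iam_policy_document.logs, which is fed into aws_iam_role_policy, not into assume_role_policy. If you prefer a reusable customer-managed policy over an inline one, swap aws_iam_role_policy for aws_iam_policy plus aws_iam_role_policy_attachment as in Answer 1; the scoping of the resources list is what matters for least privilege, not which attachment resource carries it.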