I want to attach a managed IAM policy ARN (for example AmazonS3FullAccess) and an inline/custom IAM policy (written as JSON in the Terraform file) to a single IAM role. With aws_iam_role_policy_attachment only one policy can be attached; how do I attach both at the same time?
variables.tf
------------
```hcl
variable "iam_policy_arn" {
  description = "IAM Policy to be attached to role"
  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/AWSLambdaFullAccess", "arn:aws:iam::aws:policy/AmazonSSMFullAccess", "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"]
}
```
main.tf
-------
```hcl
resource "aws_iam_role" "test_role" {
  name               = "test_role"
  assume_role_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      },
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "sagemaker.amazonaws.com",
          "AWS": "*"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  EOF
}

resource "aws_iam_role_policy_attachment" "role_policy_attachment" {
  role       = aws_iam_role.test_role.name
  count      = length(var.iam_policy_arn)
  policy_arn = element(var.iam_policy_arn, count.index)
}

resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = aws_iam_role.test_role.name
}
```
Now I want to attach a custom policy like the one below to the role:
```hcl
resource "aws_iam_role_policy" "test_policy" {
  name   = "test_policy"
  role   = aws_iam_role.test_role.id
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}
```
How do I attach both a managed IAM policy and a custom IAM policy to the IAM role?
Answer 0 (score: 1)
Just pass them in as a variable or declare them as a local value, then iterate over that variable.
For example:
```hcl
resource "aws_iam_role_policy_attachment" "attach" {
  count      = length(var.policies)
  role       = aws_iam_role.my_role.name
  # 0.12+ syntax: a bare expression, not "${...}" and not a bare ${...}
  policy_arn = var.policies[count.index]
}
```
where var.policies is the list of policies ["arn:aws:iam::aws:policy/AmazonS3FullAccess", "arn:aws:iam::<your_account>:policy/your_policy"].
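As an added example (not part of the answer above), this is one way to put the managed ARNs and the question's custom policy into a single attachment loop. The custom policy becomes a customer-managed `aws_iam_policy` so it has an ARN, and because that ARN is unknown until apply, the `for_each` map uses static keys (only the values may be computed); the variable and resource names are assumed.

```hcl
variable "managed_policy_arns" {
  type    = list(string)
  default = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]
}

resource "aws_iam_role" "test_role" {
  name = "test_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# The question's custom policy as a customer-managed policy, so it gets an ARN
resource "aws_iam_policy" "ec2_describe" {
  name = "test_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:Describe*"]
      Resource = "*"
    }]
  })
}

locals {
  # for_each needs known keys; values (the custom ARN) may be unknown until apply
  policy_arns = merge(
    { for arn in var.managed_policy_arns : basename(arn) => arn },
    { "custom-ec2-describe" = aws_iam_policy.ec2_describe.arn },
  )
}

resource "aws_iam_role_policy_attachment" "all" {
  for_each   = local.policy_arns
  role       = aws_iam_role.test_role.name
  policy_arn = each.value
}
```

Keying the map on the policy's ARN instead would make `terraform plan` fail with "The for_each map includes keys derived from resource attributes that cannot be determined until apply".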
Answer 1 (score: 0)
You may need to adapt the policy to your needs, but this is what it looks like. You can do the following:
```hcl
data "template_file" "test_role_template" {
  template = file("pathToRoleJson")
}

data "template_file" "test_policy_template" {
  template = file("pathToPolicyJson")
  vars = {
    customParam = var.ValueOfParam
  }
}

resource "aws_iam_role" "test_role" {
  name               = "roleName"
  # must reference the data source declared above (test_role_template)
  assume_role_policy = data.template_file.test_role_template.rendered
}

#-----------------------------------------
resource "aws_iam_policy" "test_role_policy" {
  name   = "policyName"
  policy = data.template_file.test_policy_template.rendered
}

# Attach policy to role test_role
#-----------------------------------------
resource "aws_iam_role_policy_attachment" "nat_ec2_role_policy-attachment" {
  role       = aws_iam_role.test_role.name
  policy_arn = aws_iam_policy.test_role_policy.arn
}

resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = aws_iam_role.test_role.name
}
```

Role template file (pathToRoleJson), the trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sagemaker.amazonaws.com",
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Policy template file (pathToPolicyJson), the permissions policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:Describe*"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
Hope this helps.
Answer 2 (score: 0)
You can add an inline policy with embedded JSON like this:
```hcl
resource "aws_iam_role_policy" "test_policy" {
  name   = "test_policy"
  role   = aws_iam_role.test_role.id
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}
```
Or you can use aws_iam_policy_document to get better error checking in an IDE such as IntelliJ IDEA:
```hcl
resource "aws_iam_role_policy" "policy" {
  name = "test-policy"
  # aws_iam_role_policy has no "description" argument and requires "role"
  role = aws_iam_role.test_role.id
  # the data source exposes the rendered JSON as .json, not as the object itself
  policy = data.aws_iam_policy_document.allow_ec2_describe.json
}

data "aws_iam_policy_document" "allow_ec2_describe" {
  version = "2012-10-17"
  statement {
    actions = [
      "ec2:Describe*",
    ]
    effect = "Allow"
    resources = [
      "*",
    ]
  }
}
```
Side note: you can attach Amazon managed policies more cleanly with an aws_iam_role_policy_attachment resource using for_each, like this:
```hcl
resource "aws_iam_role_policy_attachment" "managed_policy_attachments" {
  for_each   = { for arn in var.iam_policy_arns : arn => arn }
  role       = aws_iam_role.test_role.name
  # each.value is already the policy ARN from var.iam_policy_arns
  policy_arn = each.value
}
```
Side note: you can also use aws_iam_role_policy_attachment for a cleaner assume_role_policy setup:
```hcl
resource "aws_iam_role" "test_role" {
  name               = "test_role"
  # assume_role_policy expects the rendered JSON string (.json)
  assume_role_policy = data.aws_iam_policy_document.allow_ec2_and_sagemaker.json
}

data "aws_iam_policy_document" "allow_ec2_and_sagemaker" {
  version = "2012-10-17"
  statement {
    sid    = "AllowEC2AndSageMaker"
    effect = "Allow"
    actions = [
      "sts:AssumeRole",
    ]
    principals {
      type = "Service"
      identifiers = [
        "ec2.amazonaws.com",
        "sagemaker.amazonaws.com",
      ]
    }
  }
}
```
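As an added example, not code from this answer: the managed policies are looked up by name with the `aws_iam_policy` data source (the data source the snippet above references without declaring), so a misspelled name such as the question's `AmazomS3FullAccess` fails at `terraform plan` rather than at apply, and both the trust policy and the inline policy come from `aws_iam_policy_document` rendered with `.json`. The trust policy keeps only the two service principals and leaves out the `"AWS": "*"` principal from the question, which would let any AWS principal assume the role; variable, resource and policy names are assumed.

```hcl
variable "managed_policy_names" {
  type    = list(string)
  default = ["AmazonS3ReadOnlyAccess", "CloudWatchLogsFullAccess"]
}

# Resolves each name to its ARN at plan time, so a misspelled name fails the plan
data "aws_iam_policy" "managed" {
  for_each = toset(var.managed_policy_names)
  name     = each.key
}

data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com", "sagemaker.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "ec2_describe" {
  statement {
    effect    = "Allow"
    actions   = ["ec2:Describe*"]
    resources = ["*"]
  }
}

resource "aws_iam_role" "test_role" {
  name               = "test_role"
  assume_role_policy = data.aws_iam_policy_document.trust.json # .json, not the document object
}

# Inline policy rendered from the document above
resource "aws_iam_role_policy" "inline" {
  name   = "test_policy"
  role   = aws_iam_role.test_role.id
  policy = data.aws_iam_policy_document.ec2_describe.json
}

# One attachment per managed policy, keyed by policy name
resource "aws_iam_role_policy_attachment" "managed" {
  for_each   = data.aws_iam_policy.managed
  role       = aws_iam_role.test_role.name
  policy_arn = each.value.arn
}
```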
Answer 3 (score: 0)
I was able to attach both managed IAM policies and an inline/custom IAM policy to an IAM role with the following code.
```hcl
# variables.tf
variable "cloudwatch_lambda_iam_policy_arn" {
  type        = list(string)
  description = "IAM Policy to be attached to AWS CloudWatch Lambda role"
  default     = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/AWSLambdaExecute", "arn:aws:iam::aws:policy/AmazonCloudDirectoryFullAccess", "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
}
```

```hcl
# lambda.tf
resource "aws_iam_role" "awsmetrics_exec_role" {
  name               = "awsmetrics-exec-role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# custom/inline policy
resource "aws_iam_role_policy" "sts_assumerole_lambda" {
  name   = "sts-assumerole-lambda"
  role   = aws_iam_role.awsmetrics_exec_role.id
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "sts:AssumeRole",
          "sts:DecodeAuthorizationMessage",
          "sts:AssumeRoleWithSAML",
          "sts:AssumeRoleWithWebIdentity"
        ],
        "Resource": "*"
      }
    ]
  }
  EOF
}

# AWS managed policies
resource "aws_iam_role_policy_attachment" "awsmetrics_role_policy_attachment" {
  role       = aws_iam_role.awsmetrics_exec_role.name
  count      = length(var.cloudwatch_lambda_iam_policy_arn)
  policy_arn = element(var.cloudwatch_lambda_iam_policy_arn, count.index)
}
```