Terraform AWS IAM角色与策略分配

时间:2020-09-22 18:37:04

标签: amazon-web-services terraform amazon-iam

我正在尝试自动化市场ami,它也确实需要访问s3存储桶。因此,我用

创建了一个s3存储桶 
resource "aws_s3_bucket" "ddve6" {
  bucket = "js-ddve6-bucket"
}
output "S3_bucket_name" {
  value       = aws_s3_bucket.ddve6.bucket
  description = "The value you do need for DDVE configuration on the bucket name!"
}

因此ami可以访问此存储区,我通常会创建一个IAM策略,我也会在terraform中创建

resource "aws_iam_policy" "js_iam_policy_ddve6_s3" {
  name        = "js_ddve6_iam_policy"
  path        = "/"
  description = "My test policy"

  policy = file("jspolicy.json")
  # I do need to have a s3 storage created first
  depends_on = [aws_s3_bucket.ddve6]

}

jspolicy.json如下:

{
   "Version": "2012-10-17",
   "Statement": [
          {
          "Effect": "Allow",
          "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
                ],
          "Resource": [
                "arn:aws:s3:::js-ddve6-bucket",
                "arn:aws:s3:::js-ddve6-bucket/*"
                ]
          }
   ]
}

为了更紧密地联系ec2实例,我通常使用并在aws控制台中创建一个角色,并附加此角色以使用常见用例ec2访问ec2。 将创建的策略附加到此角色,然后创建没有权限边界的角色。没有标签,以便我进入配置:

Trusted entitiesAWS service: ec2.amazonaws.com
Policies: js_ddve6_iam_policy 
Permissions boundary: Permissions boundary is not set

在Terraform中,我创建了一个角色

resource "aws_iam_role" "js_ec2_s3_access_iam_role" {
  name               = "js_ddve6_iam_role"
  assume_role_policy = file("jsrolepolicy.json")
}

jsrolepolicy.json包含

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Action": "sts:AssumeRole",
     "Principal": {
       "Service": "ec2.amazonaws.com"
     },
     "Effect": "Allow",
     "Sid": ""
   }
 ]
}

我确实通过以下方式将iam策略分配给了iam角色

resource "aws_iam_role_policy_attachment" "assign-policy-to-role-attach" {
  role       = aws_iam_role.js_ec2_s3_access_iam_role.name
  policy_arn = aws_iam_policy.js_iam_policy_ddve6_s3.arn

  depends_on = [aws_iam_policy.js_iam_policy_ddve6_s3]
}

和aws_iam_instance_profile与

resource "aws_iam_instance_profile" "js_ddve_profile" {
  name = "jd_ddve_profile"
  role = aws_iam_role.js_ec2_s3_access_iam_role.name
}

带有

resource "aws_iam_instance_profile" "js_ddve_profile" {
  name = "jd_ddve_profile"
  role = aws_iam_role.js_ec2_s3_access_iam_role.name
}

我旋转的实例确实得到了 iam_instance_profile = aws_iam_instance_profile.js_ddve_profile.name

我确实获得了一个角色,但是这个角色没有附加的策略,并且我也没有部署ec2实例,

resource "aws_instance" "terraform_ddve" {
  ami           = lookup(var.ami_id, var.region)
  instance_type = var.instance_type
  subnet_id     = "subnet-024c26c397520c8f2"

  # key name
  key_name = var.key_name

  # Security group assign to instance
  vpc_security_group_ids = [aws_security_group.ddve6.id]
  # tighten things up
  iam_instance_profile = aws_iam_instance_profile.js_ddve_profile.name
  tags = {
    Name = var.ddve_name
  }
  # before we can start or create a ressource we need:
  depends_on = [aws_security_group.ddve6, aws_s3_bucket.ddve6, aws_ebs_volume.ebs_volume[0]]
}

为什么????

1 个答案:

答案 0 :(得分:1)

这可能是因为创建实例配置文件花费了比预期更长的时间。 terraform在创建实例之前不会等待其“完全”可用。因此,实例部署无法查找尚不存在的配置文件。

解决此问题的最基本方法是在代码中添加一些延迟,以使配置文件有足够的时间创建。


resource "aws_iam_instance_profile" "js_ddve_profile" {

  name = "jd_ddve_profile"
  role = aws_iam_role.js_ec2_s3_access_iam_role.name

  provisioner "local-exec" {
    command = "sleep 20"
  }
}
相关问题
最新问题