授予AWS EC2实例对Terraform中的AWS Secretsmanager的访问权限

时间:2020-09-29 13:35:32

标签: amazon-web-services terraform

我对 Terraform 还非常陌生,我正在尝试授予下面这个资源

# EC2 instance as shown in the question: no IAM instance profile is attached,
# so nothing running on the box can obtain AWS credentials for Secrets Manager.
# AMI, key pair, security groups and subnet come from a data source and
# modules defined elsewhere in the configuration.
resource "aws_instance" "myinstance" {
  # AMI resolved by the aws_ami data source defined elsewhere.
  ami           = "${data.aws_ami.awsami.id}"
  instance_type = "t2.small"

  # Network placement: two security groups from the security module and the
  # second entry (index 1) of the network module's public subnet list.
  subnet_id              = "${element(module.network.public_subnets,1)}"
  vpc_security_group_ids = ["${module.security.my_sg_id}", "${module.security.my_security_group_id}"]

  # EC2 key pair managed in this configuration.
  key_name = "${aws_key_pair.my_key.key_name}"

  tags {
    Name = "My instance"
  }
}

访问 Secrets Manager 的权限。该实例需要能够通过 Ansible 脚本读取机密。我找到了一篇关于使用实例配置文件(instance profile)的博客。如何使用实例配置文件角色来授予该实例访问 Secrets Manager 的权限?

1 个答案:


使用下面的代码,我得以实现自己的目标。您需要补上 ASSUME_ROLE_POLICY_HERE 和 POLICY_GOES_HERE 两处的内容。重要的是要指定 iam_instance_profile = "${aws_iam_instance_profile.myinstance_instance_profile.id}"。

# Workspace-derived settings: the Terraform workspace name stands in for the
# account, and is mapped to a deployment environment name through the
# var.workspace_deploy_env map.
locals {
  env_account     = "${terraform.workspace}"
  deploy_env_name = "${lookup(var.workspace_deploy_env, local.env_account)}"
}

# Static public IP for the instance, allocated in VPC scope and associated
# with the instance directly on the EIP resource.
resource "aws_eip" "myinstanceip" {
  vpc      = true
  instance = "${aws_instance.myinstance.id}"
}

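# EC2 instance with the IAM instance profile attached. The profile is what lets
# code on the instance (e.g. the Ansible run) obtain temporary credentials from
# the instance metadata service instead of shipping long-lived access keys
# onto the box.
resource "aws_instance" "myinstance" {
  ami                    = "${data.aws_ami.awsami.id}"
  instance_type          = "t2.small"
  key_name               = "${aws_key_pair.my_key.key_name}"
  vpc_security_group_ids = ["${module.security.my_sg_id}", "${module.security.my_security_group_id}"]
  subnet_id              = "${element(module.network.public_subnets,1)}"

  # Fixed: the original was written as "{aws_iam_instance_profile...}" without
  # the leading "$", so Terraform treated it as a literal string instead of a
  # reference and no profile was attached. The argument takes the profile
  # name; referencing the resource also records the dependency so the profile
  # exists before the instance is created.
  iam_instance_profile = "${aws_iam_instance_profile.myinstance_instance_profile.name}"

  # NOTE(review): every process on the instance can read the profile's
  # credentials from the metadata endpoint, so keep the attached role's policy
  # scoped to the secrets this instance actually needs. Requiring IMDSv2
  # (the metadata_options block, available on newer provider versions)
  # further limits exposure of those credentials.

  tags {
    Name = "My instance"
  }
}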

# Public DNS name for the instance: an A record in the hosted zone managed by
# the tf_aws_route53_zone module, pointing at the Elastic IP.
resource "aws_route53_record" "myinstance_domain_name" {
  zone_id = "${module.tf_aws_route53_zone.zone_id}"
  type    = "A"
  name    = "myinstance.${module.tf_aws_route53_zone.domain_name}"
  records = ["${aws_eip.myinstanceip.public_ip}"]
  ttl     = "300"
}

# Expose the instance's Elastic IP as a root-module output.
output "myinstance_ip" {
  value = "${aws_eip.myinstanceip.public_ip}"
}

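# Instance profile that carries the role onto the EC2 instance.
resource "aws_iam_instance_profile" "myinstance_instance_profile" {
  name = "myinstance-instance-profile"

  # Reference the role resource instead of repeating its name as a literal:
  # Terraform then orders creation correctly (profile after role), and a later
  # rename of the role cannot silently leave the profile pointing at a role
  # that does not exist.
  role = "${aws_iam_role.myinstance_role.name}"
}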

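# Role the instance assumes. The trust policy limits who may assume it to the
# EC2 service, which is what an instance profile requires; no IAM user or
# other account belongs in this Principal.
resource "aws_iam_role" "myinstance_role" {
  name = "myinstance-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}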

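# Permissions policy for reading secrets. Keep it to the single action the
# Ansible run needs and to the specific secret ARNs rather than "*": with an
# instance profile, every process on the box holds whatever this grants.
resource "aws_iam_policy" "secrets_manager" {
  name        = "secrets-manager-myinstance"
  description = "Read secrets"

  # REGION, ACCOUNT_ID and SECRET_NAME are placeholders to replace. The
  # trailing "-*" matches the random suffix Secrets Manager appends to a
  # secret's ARN. If the secret is encrypted with a customer-managed KMS key,
  # kms:Decrypt on that key is required as well.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:SECRET_NAME-*"
    }
  ]
}
POLICY
}

# The original defined the policy but never attached it to the role, so the
# instance would still have been denied access. This attachment closes that
# gap.
resource "aws_iam_role_policy_attachment" "myinstance_secrets_manager" {
  role       = "${aws_iam_role.myinstance_role.name}"
  policy_arn = "${aws_iam_policy.secrets_manager.arn}"
}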