在 terraform 的官方网站上,他们有一个这样的例子 (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy):
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = aws_iam_role.test_role.id
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "ec2.amazonaws.com"
}
},
]
})
}
他们通过在策略中设置角色 ID 将策略附加到角色,即:
role = aws_iam_role.test_role.id
但是在我们的一个团队项目中,这样设置对我不起作用,我不断收到错误消息(请参阅此处的详细信息 Task role defined by Terraform not working correctly for ECS scheduled task)。最终,我意识到我必须在我的策略中使用这样的角色名称来设置它:
role = aws_iam_role.my_role.name
但我确实在我们的其他团队项目中看到我的同事使用角色 ID 的实例。我想知道在 terraform 的上下文中 id 和 name 之间有什么区别以及何时使用 which。
答案 0 :(得分:1)
如前所述,id
和 name
之间没有区别。您可以通过简单地输出您的角色来检查它:
output "test" {
value = aws_iam_role.test_role
}
这表明 id
和 name
都设置为 test_role
:
test = {
"arn" = "arn:aws:iam::xxxxxx:role/test_role"
"assume_role_policy" = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
"create_date" = "2021-02-14T01:25:48Z"
"description" = ""
"force_detach_policies" = false
"id" = "test_role"
"max_session_duration" = 3600
"name" = "test_role"
"name_prefix" = tostring(null)
"path" = "/"
"permissions_boundary" = tostring(null)
"tags" = tomap({})
"unique_id" = "AROASZHPM3IXXHCEBQ6OD"
}