terraform - Can I use Terraform to attach an out-of-the-box aws_iam_policy (SecurityAudit), an account ID and an external ID to an aws_iam_role?
Question
I am setting up cloud security and I need to:
- Select type of trusted entity > Another AWS account
- Account ID: xxxxxxxxx
- External ID: xxxxxxxxx
- Attach the SecurityAudit policy (already exists in AWS)
I am not sure how to add a policy that already exists, or where to put the IDs. I cannot seem to find a solution in the Terraform documentation.
../Core/iam_roles.tf
# BEGIN 'foo'
resource "aws_iam_role" "foo" {
  name = "${terraform.workspace}_Foo"
  path = "/"

  # Trust policy: only the two AWS services below may assume this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "automation.amazonaws.com",
          "events.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "foo" {
  # No aws_iam_policy.security_audit resource is defined in this file,
  # so this reference cannot be resolved as written.
  policy_arn = "${aws_iam_policy.security_audit.arn}"
  role       = "${aws_iam_role.foo.name}"
}
Any help would be greatly appreciated!
Answer
If you are attaching a policy that already exists in the account, I would use a data source to look it up. You have to know the ARN to use the IAM policy data source, so it is not very different from specifying the ARN directly in the aws_iam_role_policy_attachment resource, except that it lets the terraform plan command verify that the policy exists before you run apply, which is an extra safeguard for you. The data source also gives you more information about the resource if you need it.
data "aws_iam_policy" "security_audit" {
  # SecurityAudit is an AWS-managed policy, so the account segment of its
  # ARN is the literal "aws", not a customer account ID.
  arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# BEGIN 'foo'
resource "aws_iam_role" "foo" {
  name = "${terraform.workspace}_Foo"
  path = "/"

  # Trust policy: the two AWS services keep their access, and a second
  # statement lets a specific role in the other account assume this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "automation.amazonaws.com",
          "events.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${var.other_aws_account_id}:role/your_role_name_and_path_here"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "foo" {
  policy_arn = "${data.aws_iam_policy.security_audit.arn}"
  role       = "${aws_iam_role.foo.name}"
}
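The answer above shows the managed-policy lookup and the cross-account principal, but it does not show where the external ID from the question goes. The following is an added example, not code from the question or the answer, that builds the complete role the question describes: a trusted external account, an `sts:ExternalId` condition on the trust policy, and the AWS-managed SecurityAudit policy attached. It assumes Terraform 0.13 or later (for the `validation` block and bare references) and the hashicorp/aws provider; the variable names `trusted_account_id` and `external_id` and the resource name `security_audit` are illustrative.

```hcl
# Added example (not part of the original question or answer).
# Assumes Terraform >= 0.13 and the hashicorp/aws provider.
# Variable and resource names here are illustrative.

variable "trusted_account_id" {
  description = "12-digit AWS account ID of the auditor account allowed to assume this role"
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.trusted_account_id))
    error_message = "trusted_account_id must be a 12-digit AWS account ID."
  }
}

variable "external_id" {
  description = "External ID the trusted account must present on sts:AssumeRole (confused-deputy mitigation)"
  type        = string
  sensitive   = true
}

# AWS-managed policy: the account segment of the ARN is the literal "aws".
# Looking it up with a data source makes `terraform plan` fail early if the ARN is wrong.
data "aws_iam_policy" "security_audit" {
  arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# Trust policy built with aws_iam_policy_document instead of a heredoc, so the
# structure is validated by the provider rather than only by the IAM API at apply time.
data "aws_iam_policy_document" "assume_role" {
  statement {
    sid     = "AllowTrustedAccountWithExternalId"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # "Another AWS account" in the console maps to the account's root principal;
    # which IAM entities in that account may actually assume the role is then
    # controlled by that account's own IAM policies.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.trusted_account_id}:root"]
    }

    # This condition is where the external ID belongs. Without it, any principal
    # in the trusted account with sts:AssumeRole permission could assume the role.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "security_audit" {
  name               = "${terraform.workspace}_SecurityAudit"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Attach the existing managed policy by its ARN; nothing is created, only linked.
resource "aws_iam_role_policy_attachment" "security_audit" {
  role       = aws_iam_role.security_audit.name
  policy_arn = data.aws_iam_policy.security_audit.arn
}
```

The caller in the trusted account must pass the same value with `aws sts assume-role --role-arn ... --external-id ...`; a call without it is denied by the `StringEquals` condition even though the principal matches. Keep the external ID out of version control (a `.tfvars` file excluded from the repository, or an environment variable such as `TF_VAR_external_id`), since anyone who knows both the role ARN and the external ID and has a foothold in the trusted account can assume the role.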