Granting an AWS EC2 instance access to AWS Secrets Manager in Terraform

Problem description

I am very new to terraform, but I am trying to grant this resource

resource "aws_instance" "myinstance" {
  ami                    = "${data.aws_ami.awsami.id}"
  instance_type          = "t2.small"
  key_name               = "${aws_key_pair.my_key.key_name}"
  vpc_security_group_ids = ["${module.security.my_sg_id}", "${module.security.my_security_group_id}"]
  subnet_id              = "${element(module.network.public_subnets,1)}"

  tags {
    Name = "My instance"
  }
}

access to Secrets Manager. The instance needs to be able to read secrets via an ansible script. I found a blog about using instance profiles. How do I grant the instance access to Secrets Manager using an instance profile role?

Tags: amazon-web-services, terraform

Solution

By using the code below I was able to achieve my goal. You need to add ASSUME_ROLE_POLICY_HERE and POLICY_GOES_HERE. The important thing is to specify iam_instance_profile = "${aws_iam_instance_profile.myinstance_instance_profile.id}"

locals {
  env_account     = "${terraform.workspace}"
  deploy_env_name = "${lookup(var.workspace_deploy_env, local.env_account)}"
}

resource "aws_eip" "myinstanceip" {
  instance = "${aws_instance.myinstance.id}"
  vpc      = true
}

resource "aws_instance" "myinstance" {
  ami                    = "${data.aws_ami.awsami.id}"
  instance_type          = "t2.small"
  key_name               = "${aws_key_pair.my_key.key_name}"
  vpc_security_group_ids = ["${module.security.my_sg_id}", "${module.security.my_security_group_id}"]
  subnet_id              = "${element(module.network.public_subnets,1)}"
  # The instance profile is how the instance receives the role's temporary
  # credentials through the metadata service (the interpolation needs the leading "$")
  iam_instance_profile   = "${aws_iam_instance_profile.myinstance_instance_profile.id}"

  tags {
    Name = "My instance"
  }
}

resource "aws_route53_record" "myinstance_domain_name" {
  zone_id = "${module.tf_aws_route53_zone.zone_id}"
  name    = "myinstance.${module.tf_aws_route53_zone.domain_name}"
  type    = "A"
  ttl     = "300"
  records = ["${aws_eip.myinstanceip.public_ip}"]
}

output "myinstance_ip" {
  value = "${aws_eip.myinstanceip.public_ip}"
}

resource "aws_iam_instance_profile" "myinstance_instance_profile" {
  name = "myinstance-instance-profile"
  # Reference the role resource (not a bare string) so Terraform creates the role first
  role = "${aws_iam_role.myinstance_role.name}"
}

resource "aws_iam_role" "myinstance_role" {
  name = "myinstance-role"

  # Trust policy: the placeholder must become a statement that lets the
  # ec2.amazonaws.com service principal call sts:AssumeRole
  assume_role_policy = <<EOF
{
  ASSUME_ROLE_POLICY_HERE
}
EOF
}

resource "aws_iam_policy" "secrets_manager" {
  name        = "secrets-manager-myinstance"
  description = "Read secrets"

  # Permissions policy: the placeholder must become a statement allowing
  # secretsmanager:GetSecretValue on the specific secret ARNs the instance needs
  policy = <<POLICY
{
    POLICY_GOES_HERE
}
POLICY
}

# The policy grants nothing until it is attached to the role
resource "aws_iam_role_policy_attachment" "myinstance_secrets_manager" {
  role       = "${aws_iam_role.myinstance_role.name}"
  policy_arn = "${aws_iam_policy.secrets_manager.arn}"
}
