amazon-web-services - Granting an AWS EC2 instance access to AWS Secrets Manager in Terraform
Question
I am very new to terraform, but I am trying to grant this resource

```hcl
resource "aws_instance" "myinstance" {
  ami                    = "${data.aws_ami.awsami.id}"
  instance_type          = "t2.small"
  key_name               = "${aws_key_pair.my_key.key_name}"
  vpc_security_group_ids = ["${module.security.my_sg_id}", "${module.security.my_security_group_id}"]
  subnet_id              = "${element(module.network.public_subnets, 1)}"

  tags {
    Name = "My instance"
  }
}
```

access to Secrets Manager. The instance needs to be able to read secrets from an ansible script. I found a blog post about using instance profiles. How do I grant the instance access to Secrets Manager using an instance profile role?
Solution
By using the code below I was able to achieve my goal. You need to add ASSUME_ROLE_POLICY_HERE and POLICY_GOES_HERE. The important part is specifying iam_instance_profile = "${aws_iam_instance_profile.myinstance_instance_profile.id}".
```hcl
locals {
  env_account     = "${terraform.workspace}"
  deploy_env_name = "${lookup(var.workspace_deploy_env, local.env_account)}"
}

resource "aws_eip" "myinstanceip" {
  instance = "${aws_instance.myinstance.id}"
  vpc      = true
}

resource "aws_instance" "myinstance" {
  ami                    = "${data.aws_ami.awsami.id}"
  instance_type          = "t2.small"
  key_name               = "${aws_key_pair.my_key.key_name}"
  vpc_security_group_ids = ["${module.security.my_sg_id}", "${module.security.my_security_group_id}"]
  subnet_id              = "${element(module.network.public_subnets, 1)}"

  # Attach the instance profile so the instance can obtain the role's credentials
  # from the instance metadata service (the "$" was missing in the original).
  iam_instance_profile = "${aws_iam_instance_profile.myinstance_instance_profile.id}"

  tags {
    Name = "My instance"
  }
}

resource "aws_route53_record" "myinstance_domain_name" {
  zone_id = "${module.tf_aws_route53_zone.zone_id}"
  name    = "myinstance.${module.tf_aws_route53_zone.domain_name}"
  type    = "A"
  ttl     = "300"
  records = ["${aws_eip.myinstanceip.public_ip}"]
}

output "myinstance_ip" {
  value = "${aws_eip.myinstanceip.public_ip}"
}

resource "aws_iam_instance_profile" "myinstance_instance_profile" {
  name = "myinstance-instance-profile"
  # Reference the role resource so Terraform creates the role before the profile.
  role = "${aws_iam_role.myinstance_role.name}"
}

resource "aws_iam_role" "myinstance_role" {
  name = "myinstance-role"

  # Trust policy: must allow the EC2 service to assume this role.
  assume_role_policy = <<EOF
{
ASSUME_ROLE_POLICY_HERE
}
EOF
}

resource "aws_iam_policy" "secrets_manager" {
  name        = "secrets-manager-myinstance"
  description = "Read secrets"

  policy = <<POLICY
{
POLICY_GOES_HERE
}
POLICY
}

# The policy grants nothing until it is attached to the role.
resource "aws_iam_role_policy_attachment" "secrets_manager" {
  role       = "${aws_iam_role.myinstance_role.name}"
  policy_arn = "${aws_iam_policy.secrets_manager.arn}"
}
```
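As an added example (not part of the question or the answer above), here is a least-privilege version of the role, policy and profile wiring, written in Terraform 0.12+ syntax. The secret name "myapp/db-credentials" is an assumed placeholder; the trust policy and the read-only, single-ARN Secrets Manager policy are the pieces the placeholders in the answer stand in for.

```hcl
# Added example, not the original poster's code. Assumed: a secret named
# "myapp/db-credentials" already exists in the account and region in use.

# Trust policy: only the EC2 service may assume the role.
data "aws_iam_policy_document" "ec2_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "myinstance_role" {
  name               = "myinstance-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
}

# Look up the one secret the instance needs rather than granting "*".
data "aws_secretsmanager_secret" "app" {
  name = "myapp/db-credentials" # assumed secret name
}

# Read-only and scoped to a single secret ARN.
data "aws_iam_policy_document" "read_one_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [data.aws_secretsmanager_secret.app.arn]
  }
}

resource "aws_iam_policy" "secrets_manager" {
  name   = "secrets-manager-myinstance"
  policy = data.aws_iam_policy_document.read_one_secret.json
}

# Without this attachment the policy exists but grants the role nothing.
resource "aws_iam_role_policy_attachment" "secrets_manager" {
  role       = aws_iam_role.myinstance_role.name
  policy_arn = aws_iam_policy.secrets_manager.arn
}

resource "aws_iam_instance_profile" "myinstance_instance_profile" {
  name = "myinstance-instance-profile"
  role = aws_iam_role.myinstance_role.name
}

# On the instance: iam_instance_profile = aws_iam_instance_profile.myinstance_instance_profile.name
```

If the secret is encrypted with a customer-managed KMS key rather than the AWS-managed default, the role also needs kms:Decrypt on that key, again scoped to the key's ARN.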