时间戳

首页 > 解决方案 > 我无法使用 terraform 在 lambda 函数的基于资源的策略中添加条件

amazon-web-services - 我无法使用 terraform 在 lambda 函数的基于资源的策略中添加条件

问题描述

我想在基于 lambda 资源的策略条件中添加 source_account。所以我在 terraform 代码下面执行。

data "aws_caller_identity" "current" {
  # Retrieves information about the AWS account corresponding to the
  # access key being used to run Terraform, which we need to populate
  # the "source_account" on the permission resource.
}

resource "aws_lambda_permission" "example" {
  statement_id  = "AllowExecutionFromS3Bucket"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.example.arn}"
  principal     = "s3.amazonaws.com"
  source_account = "${data.aws_caller_identity.current.account_id}"
  source_arn    = "${aws_s3_bucket.example.arn}"
}

在应用 terraform 更改并执行计划后,我无法获得(这是需要的,但对于 S3 没有获得)

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "lambda-8433be2d-00f7-48dc-9296-7c432662f91e",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-east-1.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:xxxxxxxxxxxx:function:yyyyyyyyyyyy",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "xxxxxxxxxxxx"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:logs:us-east-1:xxxxxxxxxxxx:log-group:/aws/lambda/lambda_handler:*"
        }
      }
    }
  ]
}

我尝试了很多方法我没有得到任何线索。

在执行 terraform 计划后,我得到以下输出:

module.environment.aws_lambda_permission.xxxxxxxxxxxx: Creating...
  action:        "" => "lambda:InvokeFunction"
  function_name: "" => "arn:aws:lambda:us-east-1:yyyyyyyyyyyyyy:function:xxxxxxxxxxxx"
  principal:     "" => "s3.amazonaws.com"
  source_arn:    "" => "arn:aws:s3:::xxxxxxxxxxxx"
  statement_id:  "" => "AllowExecutionFromS3Bucket"

我越来越像这样:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "AllowExecutionFromS3Bucket",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:yyyyyyyyyy:function:xxxxxxxxxx",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::xxxxxxxxxx"
        }
      }
    }
  ]
}

我可以使用 AWS CLI 添加条件。我没有使用 root 帐户。有人请帮助我。

标签: amazon-web-servicesamazon-s3terraform

解决方案

推荐阅读