amazon-web-services - 我无法使用 terraform 在 lambda 函数的基于资源的策略中添加条件
问题描述
我想在基于 lambda 资源的策略条件中添加 source_account。所以我在 terraform 代码下面执行。
data "aws_caller_identity" "current" {
# Retrieves information about the AWS account corresponding to the
# access key being used to run Terraform, which we need to populate
# the "source_account" on the permission resource.
}
resource "aws_lambda_permission" "example" {
statement_id = "AllowExecutionFromS3Bucket"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.example.arn}"
principal = "s3.amazonaws.com"
source_account = "${data.aws_caller_identity.current.account_id}"
source_arn = "${aws_s3_bucket.example.arn}"
}
在应用 terraform 更改并执行计划后,我无法获得(这是需要的,但对于 S3 没有获得)
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "lambda-8433be2d-00f7-48dc-9296-7c432662f91e",
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:xxxxxxxxxxxx:function:yyyyyyyyyyyy",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "xxxxxxxxxxxx"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:logs:us-east-1:xxxxxxxxxxxx:log-group:/aws/lambda/lambda_handler:*"
}
}
}
]
}
我尝试了很多方法我没有得到任何线索。
在执行 terraform 计划后,我得到以下输出:
module.environment.aws_lambda_permission.xxxxxxxxxxxx: Creating...
action: "" => "lambda:InvokeFunction"
function_name: "" => "arn:aws:lambda:us-east-1:yyyyyyyyyyyyyy:function:xxxxxxxxxxxx"
principal: "" => "s3.amazonaws.com"
source_arn: "" => "arn:aws:s3:::xxxxxxxxxxxx"
statement_id: "" => "AllowExecutionFromS3Bucket"
我越来越像这样:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "AllowExecutionFromS3Bucket",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:yyyyyyyyyy:function:xxxxxxxxxx",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::xxxxxxxxxx"
}
}
}
]
}
我可以使用 AWS CLI 添加条件。我没有使用 root 帐户。有人请帮助我。
解决方案
推荐阅读
- ios - 忽略滚动视图中的安全区域,但不忽略其子视图
- ruby-on-rails - Rails 使用邮件流配置发送带有邮戳的电子邮件
- angular-directive - Angular 12 单元测试:不能绑定到“scrollIntoForm”的指令
- php - 有逗号就单独捕获,没有RegEx就整体捕获
- ms-access - Google Drive 和 MS Access
- firebase - 无法解析 Android 应用程序模块 gradle 配置。解决或重新同步
- php - 如何获取UAPI源码,如何集成Cpanel.php文件
- angular - validate E-mail with white space with regular expression with angular form-builders
- python - Python 中的 2D EWT(经验小波变换)
- swift - 调整 UIView 内按钮的不透明度,不透明度为 0.5