Build a nested loop for creating principals in a data json policy [aws]



I am trying to create repositories with a cross-account policy. For repositories that only need one role per account, the following snippet works:

#X-Account Policy for the repositories
data "aws_iam_policy_document" "components_policy" {
  statement {
    sid    = "AllowPushPull"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:CompleteLayerUpload",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart"
    ]
    principals {
      type = "AWS"
      identifiers = [
        for account_id in var.whitelisting :
        "arn:aws:iam::${account_id}:role/eks-node-role"
      ]
    }
  }
}

The problem appears when I try to whitelist 3 roles per account. I tried the following, but it does not work:

#X-Account Policy for the repositories
data "aws_iam_policy_document" "components_policy" {
  statement {
    sid    = "AllowPushPull"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:CompleteLayerUpload",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart"
    ]
    principals {
      type = "AWS"
      identifiers = [
        for account_id in var.whitelisting :
        <<EOF
"arn:aws:iam::${account_id}:role/eks-node-role-1",
"arn:aws:iam::${account_id}:role/eks-node-role-2",
"arn:aws:iam::${account_id}:role/eks-node-role-3"
EOF
      ]
    }
  }
}

Nested for loops are not possible, so I am currently looking at dynamic blocks, but so far I cannot work out whether I can do this with them. Any help would be appreciated, thanks.

The here-document feature you are using (<<EOF ... EOF) produces one big string, not a list of array elements, so you end up with a value in the wrong format.

I have not tested this, but try the following:

identifiers = flatten([
  for account_id in var.whitelisting :
  [
    "arn:aws:iam::${account_id}:role/eks-node-role-1",
    "arn:aws:iam::${account_id}:role/eks-node-role-2",
    "arn:aws:iam::${account_id}:role/eks-node-role-3"
  ]
])

The above creates a list of lists, and the Terraform flatten function then turns it into the single list of values that the IAM identifiers attribute expects.
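As an added example that is not part of the original question or answer, here is the complete configuration built around that flatten() answer, generalised one step further: instead of hard-coding three role names, a nested for expression iterates over a list of role names for every whitelisted account and flatten() collapses the resulting list of lists into the flat list that principals.identifiers requires. The variable var.node_role_names, the local principal_arns, the aws_ecr_repository "components" resource and the sample account IDs are all assumptions introduced here for illustration.

```hcl
# Added example, not code from the original question or answer.
# Assumptions not present in the original: var.node_role_names,
# local.principal_arns, the aws_ecr_repository "components" resource and
# the constructed sample account IDs in the defaults below.

variable "whitelisting" {
  description = "Account IDs whose roles may push/pull (sample values are constructed)"
  type        = list(string)
  default     = ["111111111111", "222222222222"]
}

variable "node_role_names" {
  description = "Role names assumed to exist in every whitelisted account"
  type        = list(string)
  default     = ["eks-node-role-1", "eks-node-role-2", "eks-node-role-3"]
}

locals {
  # Outer loop over accounts, inner loop over role names. The nested for
  # expression yields a list of lists; flatten() turns it into the flat
  # list of ARNs that principals.identifiers expects. With the two sample
  # accounts and three role names this produces six ARNs.
  principal_arns = flatten([
    for account_id in var.whitelisting : [
      for role_name in var.node_role_names :
      "arn:aws:iam::${account_id}:role/${role_name}"
    ]
  ])
}

#X-Account Policy for the repositories
data "aws_iam_policy_document" "components_policy" {
  statement {
    sid    = "AllowPushPull"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:CompleteLayerUpload",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
    ]
    principals {
      type        = "AWS"
      identifiers = local.principal_arns
    }
  }
}

# Assumed repository; the policy document is attached to it as a
# repository policy, which is where cross-account access is granted.
resource "aws_ecr_repository" "components" {
  name = "components"
}

resource "aws_ecr_repository_policy" "components" {
  repository = aws_ecr_repository.components.name
  policy     = data.aws_iam_policy_document.components_policy.json
}

# Exposes the expanded principal list so it can be checked before apply.
output "principal_arns" {
  value = local.principal_arns
}
```

Before applying, inspect the expansion with `terraform console` (evaluate `local.principal_arns`) or read the rendered policy JSON in `terraform plan`; every ARN in the Principal array must name a role that already exists in its account, because the resource policy is validated against real principals when it is stored, and a missing role or a typo in the account ID fails the apply rather than silently granting nothing. From a least-privilege standpoint it is also worth splitting the statement: EKS node roles normally only need the pull actions (BatchCheckLayerAvailability, BatchGetImage, GetDownloadUrlForLayer), so the upload actions can go in a separate statement scoped to the CI principals that actually push images.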
