我试图在我的三个环境中的每个用户附加不同类型的策略:开发、登台和生产。
环境信息以字符串格式作为地形变量存储,例如:"开发"。
resource "aws_iam_policy" "s3-dev-policy" {
count = var.stage != "dev" ? 1 : 0
name = "s3-bucket-policy-${var.stage}"
description = "Access rights for cicd-user to Bucket on Dev"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3::: dev-bucket-pushed",
"arn:aws:s3::: dev-bucket-pushed/*"
]
}
}
EOF
}
resource "aws_iam_group_policy_attachment" "attach_cicd-users_s3_dev_group_policy" {
count = var.stage != "dev" ? 1 : 0
group = aws_iam_group.cicd-users.name
policy_arn = aws_iam_policy.s3-dev-policy[count.index]
}
Terraform apply不抱怨语法,但它也不应用这个资源,即使阶段被设置为'dev'。是否条件只工作与布尔作为数据类型?
您的条件不正确, policy有语法错误,arn不正确等问题。应该是:
resource "aws_iam_policy" "s3-dev-policy" {
count = var.stage == "dev" ? 1 : 0
name = "s3-bucket-policy111-${var.stage}"
description = "Access rights for cicd-user to Bucket on Dev"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::dev-bucket-pushed",
"arn:aws:s3:::dev-bucket-pushed/*"
]
}
]
}
EOF
}
resource "aws_iam_group_policy_attachment" "attach_cicd-users_s3_dev_group_policy" {
count = var.stage == "dev" ? 1 : 0
group = aws_iam_group.cicd-users.name
policy_arn = aws_iam_policy.s3-dev-policy[count.index].arn
}