初次尝试
data "aws_iam_policy_document" "lambda_read_secrets" {
statement {
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
]
effect = "Allow"
resources = [
"${var.enable_test_users == true ? aws_secretsmanager_secret.test_user[0].arn : ""}",
"${var.enable_prod_users == true ? aws_secretsmanager_secret.prod_user[0].arn : ""}"
]
}
statement {
effect = "Allow"
actions = ["secretsmanager:ListSecrets"]
resources = ["*"]
}
}
问题是这遇到了
Error: error creating IAM policy test-lambda-logging20211011172058509500000003: MalformedPolicyDocument: Resource must be in ARN format or "*".
status code: 400, request id: c5c62446-eba7-450d-b97d-505be530ba2d
on ../../../../module/lambda/iam.tf line 58, in resource "aws_iam_policy" "lambda_read_secrets":
58: resource "aws_iam_policy" "lambda_read_secrets" {
因为是空字符串。
<标题>当前解决方案创建data "aws_iam_policy_document" "dev_lambda_read_secrets"和data "aws_iam_policy_document" "prod-lambda_read_secrets",并在我们部署到的环境上执行if语句。
我对这个解决方案的主要问题是,它要求我实质上用一组经过调整的资源对相同的策略进行双重声明。我希望只有一个策略声明,只有资源在变化。
Terraform具有压缩功能。这让我们可以声明
data "aws_iam_policy_document" "lambda_read_secrets" {
statement {
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
]
effect = "Allow"
resources = compact([
"${var.enable_test_users == true ? aws_secretsmanager_secret.test_user[0].arn : ""}",
"${var.enable_prod_users == true ? aws_secretsmanager_secret.prod_user[0].arn : ""}"
])
}
statement {
effect = "Allow"
actions = ["secretsmanager:ListSecrets"]
resources = ["*"]
}
}