我正在使用terragrunt来调用我的terraform模块。我有一个terrangrunt.hcl用于我的开发,另一个用于测试环境。我希望能够使用输入变量将AWS托管策略(AdministrarAccess(附加到我的开发人员帐户,并将(AmazonEC2FullAccess(添加到我的测试帐户,这样我就可以删除我的AWS_iam_role_policy部分中的策略行
terragrunt.hcl
terraform {
source = "..//module/vpc"
}
include {
path = find_in_parent_folders()
}
inputs = {
}
main.tf
resource "aws_iam_role" "GitHubActions" {
name = var.GithubAction_role
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRoleWithWebIdentity",
"Principal":{
"Federated": "${aws_iam_openid_connect_provider.github_oidc_github_actions.arn}"
}
}
EOF
}
resource "aws_iam_role_policy" "GitHubActions"{
name = var.policy
role = aws_iam_role.GitHubActions.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement":[
{
"Sid": "",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
EOF
}
我不能完全理解你的问题。不能将IAM Policy附加到帐户。然而,你可以将它附加到IAM Role上,这似乎是你的目标?如果是,您可以使用data source:
data "aws_iam_policy" "AmazonEC2FullAccess" {
arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}
resource "aws_iam_role_policy_attachment" "attachment" {
role = aws_iam_role.GitHubActions.name
policy_arn = data.aws_iam_policy.AmazonEC2FullAccess.arn
}
请参阅iam_role_policy_attachment和iam策略数据源。