作为升级的一部分,我有两个eks集群。我想处理假设策略,这样它就可以访问两个eks集群。两个集群都在同一个AWS帐户中。
我希望我的政策看起来像下面的政策。使得we不更新任何角色,而只更新处理这两个集群的假定策略。
locals.tf
eks_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyyyyyyyyy",
"Federated": "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyyyyyyyyy"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxxxxxx:sub": "system:serviceaccount:%s:%s",
"oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxxxxx:sub": "system:serviceaccount:%s:%s"
}
}
}
]
}
EOF
启动器=";作业启动器";
的作用
resource "aws_iam_role" "launcher" {
name = local.Launcher
assume_role_policy = format(local.eks_policy, "my-namepsace", local.Launcher)
tags = {
terraform = "true"
owner = "stg"
}
}
所以我在当地试过了。tf
count = length(var.federated)
eks_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/${join(",",${element(var.federated, count.index)})}",
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/${join(",", ${element(var.federated, count.index)})}:sub": "system:serviceaccount:%s:%s"
}
}
}
]
}
但我得到了一个错误,因为count不能在locals.tf中使用,有人能帮我吗?
更新2:
我们怎样才能得到这样的
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxxxxx:sub": "system:serviceaccount:ihr-system:ihr-system-external-dns18",
"oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyyyy:sub": "system:serviceaccount:ihr-system:ihr-system-external-dns"
}
}
我试过了,
联合=["xxxxxxxxxxxxxxxxxxxxxx";,"yyyy-yyyy-yyyyyyyy-yyyy";]
Condition : {
"StringEquals" : {
join("",[for oidc in local.federated:"oidc.eks.us-east-1.amazonaws.com/id/${oidc}:sub:","system:serviceaccount:%s:%s"])
}
在中附近出现语法错误,应为本地错误,得到另一个错误应为","或"}",而应为"system:serviceaccount"'
for oidc in local.federated
Terraform格式函数要求每个占位符都有一个参数。来自文件:
规范是一个字符串,其中包括用%字符引入的格式化谓词。然后,函数调用必须为规范中的每个动词序列都有一个额外的参数。只要每个给定的参数都可以转换为格式动词所需的类型,动词就会与连续的参数相匹配,并按指示设置格式。
话虽如此,您需要提供四个参数,即使在您的情况下是相同的局部变量:
format(local.eks_policy, "my-namepsace", local.Launcher, "my-namepsace", local.Launcher)
根据您的用例,您还可以考虑定义一个具有配置的对象列表,并使用循环构建策略语句,以便准备最终字符串。
更新1
动态生成的示例可能是这样的,其中角色可以由变量local.params:中的任何帐户承担
locals {
# key = account ID, value could be whatever
params = {
"1111" = { foo = "bar" },
"2222" = { x = "y" }
}
assume_role_str = jsonencode({
# skipped beginning for brevity
Effect = "Allow",
Principal = {
Federated: [ for account in keys(local.params): "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/:${account}" ]
}
})
}