I'm trying to create an IAM role with Terraform. Instead of supplying the role's policy as inline JSON, I'm trying to create the policy with Terraform and then attach it to the role. I'm following the documentation given here, but somehow it doesn't seem to work.
Can anyone help?
provider "aws" {
  region  = "eu-west-1"
  profile = "admin"
}

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
}

output "account_id" {
  value = local.account_id
}

resource "aws_iam_role" "github_actions_role" {
  name = "GitHubActionsRole"
  # this is the line terraform plan rejects (see the error below)
  assume_role_policy = resource.aws_iam_policy.trust
}

resource "aws_iam_policy" "trust" {
  name   = "trust_policy"
  path   = "/"
  policy = data.aws_iam_policy_document.assume_role_policy.json
}

# trust policy for the GitHub Actions OIDC provider
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:Parthiva/*"]
    }
  }
}

data "aws_iam_policy" "admin_policy" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_role_policy_attachment" "github_actions_role_policy_attach" {
  role       = aws_iam_role.github_actions_role.name
  policy_arn = data.aws_iam_policy.admin_policy.arn
}
After running terraform plan, the error is as follows:
│ Error: Incorrect attribute value type
│
│ on gh-actions-role.tf line 22, in resource "aws_iam_role" "github_actions_role":
│ 22: assume_role_policy = resource.aws_iam_policy.trust
│ ├────────────────
│ │ resource.aws_iam_policy.trust is object with 10 attributes
│
You cannot use an aws_iam_policy to generate the assume_role_policy; instead you must use the data source (not the resource) aws_iam_policy_document. From the docs:
The assume_role_policy is very similar to, but slightly different from, a standard IAM policy and cannot use an aws_iam_policy resource. It can, however, use an aws_iam_policy_document data source. See the example above for how this works.
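In the posted config the fix is the one-line change the answer describes: set assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json and drop the aws_iam_policy "trust" resource, which has no purpose once the role consumes the document directly. A second problem in the same document is easy to miss: the sub condition uses StringEquals with a value of "repo:Parthiva/*", and IAM's StringEquals does no wildcard expansion, so no GitHub token will ever satisfy it; matching a prefix needs StringLike. The following script is an added example, not code from the post or from Terraform: it renders the trust policy the data source produces as JSON and evaluates the aud/sub conditions with IAM's StringEquals/StringLike semantics against constructed token claims. The account id, the repo name "infra", the org "Mallory" and the claim values are placeholders.

```python
"""Render the GitHub OIDC trust policy that the aws_iam_policy_document data
source produces and check its conditions against sample token claims.
Added example; the account id, repo names and claim values are constructed."""
from __future__ import annotations

import json
import re

ACCOUNT_ID = "123456789012"  # placeholder, not a real AWS account
OIDC_HOST = "token.actions.githubusercontent.com"
AUD_KEY = f"{OIDC_HOST}:aud"
SUB_KEY = f"{OIDC_HOST}:sub"


def trust_policy(sub_test: str, sub_values: list[str]) -> dict:
    """Trust policy for the GitHub OIDC provider as an IAM policy document,
    i.e. the JSON that assume_role_policy must receive. The aud condition is
    fixed to sts.amazonaws.com as in the post; the sub condition operator and
    values are parameters so different choices can be compared."""
    condition = {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}
    condition.setdefault(sub_test, {})[SUB_KEY] = sub_values
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Condition": condition,
        }],
    }


def _matches(test: str, pattern: str, value: str) -> bool:
    """IAM string-operator semantics for the two operators used here.
    StringEquals is an exact, case-sensitive comparison with no wildcard
    expansion (a '*' is a literal asterisk); StringLike treats * (any run)
    and ? (one character) as wildcards."""
    if test == "StringEquals":
        return pattern == value
    if test == "StringLike":
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pattern)
        return re.fullmatch(regex, value) is not None
    raise ValueError(f"unsupported condition operator: {test}")


def allows(policy: dict, claims: dict) -> bool:
    """True if some Allow statement has every condition key satisfied by the
    token claims. IAM ANDs the condition keys and ORs the values of one key;
    a key absent from the claims fails the condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        satisfied = True
        for test, keys in stmt.get("Condition", {}).items():
            for key, patterns in keys.items():
                if isinstance(patterns, str):
                    patterns = [patterns]
                claim = claims.get(key)
                if claim is None or not any(_matches(test, p, claim) for p in patterns):
                    satisfied = False
        if satisfied:
            return True
    return False


def render(policy: dict) -> str:
    """The policy as the JSON string Terraform passes to assume_role_policy."""
    return json.dumps(policy, indent=2)


# Constructed sample claims: a push to main in one repo of the org, a
# pull_request run in the same repo, and a push from a different org.
MAIN_CLAIMS = {AUD_KEY: "sts.amazonaws.com", SUB_KEY: "repo:Parthiva/infra:ref:refs/heads/main"}
PR_CLAIMS = {AUD_KEY: "sts.amazonaws.com", SUB_KEY: "repo:Parthiva/infra:pull_request"}
OTHER_ORG_CLAIMS = {AUD_KEY: "sts.amazonaws.com", SUB_KEY: "repo:Mallory/infra:ref:refs/heads/main"}

AS_POSTED = trust_policy("StringEquals", ["repo:Parthiva/*"])  # wildcard is literal: matches nothing
ORG_WIDE = trust_policy("StringLike", ["repo:Parthiva/*"])     # any repo, ref or event in the org
PINNED = trust_policy("StringEquals", ["repo:Parthiva/infra:ref:refs/heads/main"])  # one repo, one branch

if __name__ == "__main__":
    print(render(PINNED))
    for name, policy in (("as posted", AS_POSTED), ("org-wide", ORG_WIDE), ("pinned", PINNED)):
        print(name, [allows(policy, c) for c in (MAIN_CLAIMS, PR_CLAIMS, OTHER_ORG_CLAIMS)])
```

Running it prints the rendered document and then, per policy, whether the main-branch push, the pull_request run and the other org's token would be allowed. The posted StringEquals/"repo:Parthiva/*" combination denies all three; StringLike with the same value admits every repo, every branch and every pull_request run in the org; the pinned value admits only the one branch of the one repo. Since the posted role also carries AdministratorAccess, the pinned form (or at least an explicit list of repos and refs) is what a practitioner would deploy, and the attached policy should be cut down to what the workflow actually needs.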