Generating a Terraform policy document in JSON format



I am trying to create an IAM role with Terraform. Rather than supplying the role's inline JSON, I am trying to create the policy with Terraform and then attach it to the role. I am following the documentation given here, and somehow it does not seem to work.

Can anyone help?

provider "aws" {
  region  = "eu-west-1"
  profile = "admin"
}

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
}

output "account_id" {
  value = local.account_id
}

resource "aws_iam_role" "github_actions_role" {
  name = "GitHubActionsRole"
  # This is the line the plan error below points at: an aws_iam_policy
  # resource is an object, not the JSON string this attribute expects.
  assume_role_policy = resource.aws_iam_policy.trust
}

resource "aws_iam_policy" "trust" {
  name   = "trust_policy"
  path   = "/"
  policy = data.aws_iam_policy_document.assume_role_policy.json
}

# Trust policy for the GitHub Actions OIDC provider, rendered to JSON.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:Parthiva/*"]
    }
  }
}

data "aws_iam_policy" "admin_policy" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Permissions policy attached to the role (separate from the trust policy).
resource "aws_iam_role_policy_attachment" "github_actions_role_policy_attach" {
  role       = aws_iam_role.github_actions_role.name
  policy_arn = data.aws_iam_policy.admin_policy.arn
}

After running terraform plan, the error is as follows:

│ Error: Incorrect attribute value type
│
│   on gh-actions-role.tf line 22, in resource "aws_iam_role" "github_actions_role":
│   22:   assume_role_policy = resource.aws_iam_policy.trust
│     ├────────────────
│     │ resource.aws_iam_policy.trust is object with 10 attributes
│

You cannot use aws_iam_policy to generate assume_role_policy. From the docs:

assume_role_policy is very similar to but slightly different than a standard IAM policy and cannot use an aws_iam_policy resource. However, it can use an aws_iam_policy_document data source. See the example above of how this works.

Instead, you must use the data source (not the resource) aws_iam_policy_document.
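The fix applied to the asker's configuration, as an added example that is neither the question's nor the answer's code: the role reads the rendered JSON from the data source directly, the aws_iam_policy "trust" resource is dropped, and the sub condition uses StringLike because StringEquals does not treat "*" as a wildcard (the managed policy ARN and the "repo:Parthiva/*" pattern are kept from the question).

```hcl
data "aws_caller_identity" "current" {}

# Trust policy for the GitHub Actions OIDC provider, rendered to JSON.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    # StringLike is required for the "*" wildcard; StringEquals would only
    # match the literal string "repo:Parthiva/*". Narrow this pattern to the
    # repositories and branches that should be allowed to assume the role
    # (for example "repo:ORG/REPO:ref:refs/heads/main").
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:Parthiva/*"]
    }
  }
}

resource "aws_iam_role" "github_actions_role" {
  name = "GitHubActionsRole"
  # assume_role_policy takes a JSON string, so reference the data source's
  # .json output rather than an aws_iam_policy resource.
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}

# The permissions policy is a separate document attached to the role; this is
# where a managed or aws_iam_policy resource belongs, not in assume_role_policy.
resource "aws_iam_role_policy_attachment" "github_actions_role_policy_attach" {
  role       = aws_iam_role.github_actions_role.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```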
