在terraform的官方网站上,他们有一个这样的例子(https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy):
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = aws_iam_role.test_role.id
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "ec2.amazonaws.com"
}
},
]
})
}
,其中通过在策略中设置角色id将策略附加到角色,即:
role = aws_iam_role.test_role.id
但是在我们的一个团队项目中设置这种方式对我不起作用,我一直得到错误(参见这里Terraform定义的任务角色不能正确地工作于ECS计划任务)。最后,我意识到我必须在我的策略中像这样使用角色名来设置它:
role = aws_iam_role.my_role.name
但是我确实在我们的其他团队项目中看到我的同事使用role id的实例。我想知道在terraform的上下文中id和name有什么区别,什么时候使用它们。
正如已经指出的,没有区别在id和name之间。您可以通过简单地输出您的角色来检查:
output "test" {
value = aws_iam_role.test_role
}
表示id和name都被设置为test_role:
test = {
"arn" = "arn:aws:iam::xxxxxx:role/test_role"
"assume_role_policy" = "{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}"
"create_date" = "2021-02-14T01:25:48Z"
"description" = ""
"force_detach_policies" = false
"id" = "test_role"
"max_session_duration" = 3600
"name" = "test_role"
"name_prefix" = tostring(null)
"path" = "/"
"permissions_boundary" = tostring(null)
"tags" = tomap({})
"unique_id" = "AROASZHPM3IXXHCEBQ6OD"
}