请帮助理解如何创建这样的东西?
data "aws_iam_policy_document" "assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
dynamic "statement" {
for_each = var.assume_role_identities != [] ? [true] : []
content {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = var.assume_role_identities
}
}
}
dynamic "statement" {
for_each = var.assume_role_services != [] ? [true] : []
content {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = var.assume_role_services
}
}
}
}
这段代码的问题是,如果我不指定任何应该具有访问权限的角色或服务,那么它是一个退出错误,没有主体。是否可以在动态块上设置一些计数条件?或者如何解决这个问题?
问题解释:
问题是,如果我只想传递一个值,它将无法工作,因为它形成一个空值
如果我只添加身份记录
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ec2.amazonaws.com"
}
+ Sid = ""
},
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::account_id:user/some_user"
}
+ Sid = ""
},
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = []
}
+ Sid = ""
},
]
+ Version = "2012-10-17"
}
)
由此出现的问题:
创建IAM Role name-role: malformmedpolicydocument: Invalid错误策略中的主体:com.amazon.balsa.error.InvalidPolicyException:传入的策略有一个没有主体的声明!
这应该能奏效:
data "aws_iam_policy_document" "assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
dynamic "statement" {
for_each = length(var.assume_role_identities) > 0 ? [var.assume_role_identities] : []
content {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = var.assume_role_identities
}
}
}
dynamic "statement" {
for_each = length(var.assume_role_services) > 0 ? [var.assume_role_services] : []
content {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = var.assume_role_services
}
}
}
}
您不需要第一个语句,您可以将其作为参数传递给var.assume_role_services