Updating aws_iam_policy with Terraform from GitLab CI fails with EntityAlreadyExis

I am trying to update an IAM role and the policy attached to it with Terraform via GitLab CI. My Terraform code is as follows:

    # Trust policy: allow federated SAML principals to assume the role
    data "aws_iam_policy_document" "billing-roles" {
      statement {
        effect = "Allow"
        principals {
          type        = "Federated"
          identifiers = [var.samlprovider_arn]
        }
        actions = ["sts:AssumeRoleWithSAML"]
        condition {
          test     = "StringEquals"
          variable = "SAML:aud"
          values   = ["https://signin.aws.amazon.com/saml"]
        }
      }
    }

    resource "aws_iam_role" "billing_role" {
      name                 = "billing-role"
      permissions_boundary = var.permissions_boundary_arn
      assume_role_policy   = data.aws_iam_policy_document.billing-roles.json
      tags = {
        Applicatio_ID = var.app_id
        Environment   = var.environment
        Name          = "billing-role"
        Owner         = "Terraform"
      }
    }

    # Managed policy whose document lives in the module's policies/ directory
    resource "aws_iam_policy" "billing_policy" {
      name   = "billing-policy"
      policy = file("${path.module}/policies/billing-role-policy.json")
    }

    resource "aws_iam_role_policy_attachment" "billing_attachment" {
      role       = aws_iam_role.billing_role.name
      policy_arn = aws_iam_policy.billing_policy.arn
    }

I am running the Terraform stages (init, plan, apply) through GitLab CI. This worked the first time, but now it fails with an EntityAlreadyExists error. The gitlab-ci.yml looks like this:

    include:
      - project: 'infrastructure/infrastructure-code-cicd-files'
        ref: master
        file: '.for_terraform_iam.yml'

    stages:
      - init
      - plan
      - apply

    tf_init:
      extends: .tf_init
      tags:
        - integration
      stage: init
      variables:
        ACCOUNT: "ACCOUNT_ID"
        ASSUME_ROLE: "arn:aws:iam::ACCOUNT_ID:role/devops-cross-account"
        backend_bucket_name: "iam-role-backend-${ACCOUNT}"
        tfstate_file: "iam-role/terraform.tfstate"

    tf_plan:
      extends: .tf_plan
      variables:
        ASSUME_ROLE: "arn:aws:iam::ACCOUNT_ID:role/devops-cross-account"
      tags:
        - integration
      stage: plan

    tf_apply:
      extends: .tf_apply
      variables:
        ASSUME_ROLE: "arn:aws:iam::ACCOUNT_ID:role/devops-cross-account"
      tags:
        - integration
      stage: apply

The GitLab CI configuration includes a utility file that holds all of the Terraform logic for init, plan and apply.

I am running this setup on Terraform 0.12.13. terraform import, although it imports the resource successfully, does not help here because Terraform still complains "EntityAlreadyExists". terraform taint does not work because there is a bug in the Terraform version I am using here.

I want a workflow where, once the IAM role is created, its attached inline policy can be updated by an operations engineer, an approver approves the merge request, and the IAM role gets the services added as the operations engineer requested.

Is there a way to update the IAM policy here? I know that updating an IAM role requires first detaching the policy and then attaching the new policy to it.

Please help.

The problem was passing the terraform.tfstate file to the plan stage, which I had missed. We run an "aws s3 cp s3://backend-bucket/keys" to fetch the state file, and that solved the problem.
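The failure above is the classic symptom of each CI job starting from an empty local state: Terraform has no record of the role and policy it created in the previous pipeline, so apply issues CreateRole/CreatePolicy again and IAM rejects them with EntityAlreadyExists. Copying terraform.tfstate around by hand works, but it also means the state (which contains the full policy document and role ARNs) is an unlocked, unencrypted artifact. The following is an added example, not code from the question or the answer: it declares a partially configured S3 backend so that every stage pulls and pushes the same state, with server-side encryption and a DynamoDB lock to stop two pipelines applying at once. The lock table name, the region and the KMS key are assumptions; the bucket, key and role values come from the job variables in the question.

```hcl
# backend.tf (added example; every name below is a placeholder or assumption)
terraform {
  required_version = "~> 0.12.13"

  # Partial backend configuration: bucket, key, region and role_arn are
  # deliberately left out of the file and passed with -backend-config at
  # init time, so one module can target several accounts without editing code.
  backend "s3" {
    # State for IAM resources embeds policy documents and ARNs: encrypt it at rest.
    encrypt = true

    # Assumption: a DynamoDB table with a "LockID" string hash key exists.
    # It serialises plan/apply runs so two pipelines cannot race on the role.
    dynamodb_table = "terraform-state-lock"
  }
}

# Each pipeline stage then initialises the same backend before plan or apply.
# Values in ${...} are the GitLab job variables shown in the question;
# the region is an assumption:
#
#   terraform init -input=false \
#     -backend-config="bucket=${backend_bucket_name}" \
#     -backend-config="key=${tfstate_file}" \
#     -backend-config="region=eu-west-1" \
#     -backend-config="role_arn=${ASSUME_ROLE}"
#
#   terraform plan -input=false -out=tfplan      # plan stage; keep tfplan as a job artifact
#   terraform apply -input=false tfplan          # apply stage; applies exactly what was reviewed
```

With the remote backend in place the plan stage sees the existing aws_iam_role and aws_iam_policy in state and produces an in-place update (or, for a changed policy document, a create-before-destroy replacement of the managed policy) instead of a second create. Saving the plan as a job artifact and applying that exact file is what makes the merge-request approval meaningful: the approver reviews the diff for the policy change, and the apply stage cannot drift from it even if the repository or the account changes between the two jobs. Because the bucket and lock table now hold the state, the cross-account role used by the pipeline needs s3:GetObject/PutObject on that key and dynamodb:GetItem/PutItem/DeleteItem on the lock table and nothing broader.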