我试图通过安全帐户中的默认管理员(All in terraform)在组织级别启用IAM访问分析器。
在org帐户的根目录中,我有:
- 更新了aws_service_access_principals以包含"access-analyzer.amazonaws.com">
resource "aws_organizations_organization" "org" {
feature_set = "ALL"
aws_service_access_principals = [
...
"access-analyzer.amazonaws.com"
]
enabled_policy_types = [
"SERVICE_CONTROL_POLICY"
]
}
- 为安全帐户和
accessanalyzer
创建aws_organizations_delegated_administrator
resource "aws_organizations_delegated_administrator" "example" {
account_id = var.security_account
service_principal = "access-analyzer.amazonaws.com"
}
在安全帐号中启用access-analyzer
,type
设置为organization
resource "aws_accessanalyzer_analyzer" "accessanalyzer" {
analyzer_name = "test"
type = "ORGANIZATION"
}
当它运行时,我得到错误:
Error: error creating Access Analyzer Analyzer (openc): ConflictException: Access Analyzer Service Linked Role is not in the organizational management account
│ {
│ RespMetadata: {
│ StatusCode: 409,
│ RequestID: "1c597ce0-4c59-4115-89aa-437cdc8156d5"
│ },
│ Message_: "Access Analyzer Service Linked Role is not in the organizational management account"
│ }
│
│ with aws_accessanalyzer_analyzer.accessanalyzer,
│ on access-analyzer.tf line 1, in resource "aws_accessanalyzer_analyzer" "accessanalyzer":
│ 1: resource "aws_accessanalyzer_analyzer" "accessanalyzer" {
│
╵
知道为什么会出错吗?我期待委托管理来解决这个问题?
您缺少并且需要创建"AWSServiceRoleForAccessAnalyzer"在硕士"组织"中的作用;帐户,最简单的方法是在主帐户上创建分析器,然后角色将自动创建
https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html
然后尝试应用您的Terraform代码。