I'm new to Terraform and am using it to create an IAM user.
Below is the .tf file:
```hcl
resource "aws_iam_user" "lb" {
  name = "Ec2_view"
  # path = "/system/"
  # tags = {
  #   tag-key = "tag-value"
  # }
}

resource "aws_iam_access_key" "lb" {
  user = "${aws_iam_user.lb.name}"
}

resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = "${aws_iam_user.lb.name}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_user_login_profile" "u" {
  user                    = "${aws_iam_user.lb.name}"
  password_reset_required = true
  pgp_key                 = "keybase:terraform_user"
}

output "password" {
  # the original was missing the closing brace of the interpolation
  value = "${aws_iam_user_login_profile.u.encrypted_password}"
}
```
What does pgp_key mean in aws_iam_user_login_profile, and what are the steps to create a PGP key and use it in the Terraform code?

Got the answer:
- Keybase needs to be installed locally.
- Create a Keybase key with `keybase pgp gen`.
- Then reference this Keybase key in the Terraform code as `keybase:username_of_keybase`.
- Then apply the Terraform.
- Then we need to get the decrypted password:

```sh
terraform output -raw password | base64 --decode | keybase pgp decrypt
```
Another way to avoid using Keybase entirely is to generate your own PGP key for the encryption. This is handy if your organization doesn't use Keybase and/or you don't want to create a Keybase account.

There is a great blog post that breaks down most of the steps, but to simplify:

- Create a PGP key locally:

```sh
# confirm you have gpg installed, and check for existing keys
gpg -k

# create a new key
# IMPORTANT: with your real name, email, and optionally a passphrase
gpg --gen-key

# export the public key for the email used (binary export, no --armor)
gpg --output public-key-binary.gpg --export <YOUR_EMAIL>@<X.DOMAIN.com>
```

- Set up the reference for your AWS IAM resource `aws_iam_access_key` according to the Terraform docs here:

```hcl
data "local_file" "pgp_key" {
  filename = abspath("./relative/path/to/your/public-key-binary.gpg")
}

resource "aws_iam_access_key" "lb" {
  user    = aws_iam_user.lb.name
  pgp_key = data.local_file.pgp_key.content_base64
}

output "password" {
  value = aws_iam_access_key.lb.encrypted_secret
}
```

- When you are ready to deploy your IaC, proceed with `terraform init`, `validate`, `plan` and `apply`.
- Once the IAM user is deployed, you can decrypt the sensitive secret_key with:

```sh
terraform output password | base64 --decode | gpg --decrypt --pinentry-mode=loopback
```

If you did not set a passphrase when generating the PGP key, skip the `--pinentry-mode=loopback` flag.
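Both answers hinge on two base64 strings: the one you feed to `pgp_key` (a binary `gpg --export`, base64-encoded, or a `keybase:` username) and the one Terraform hands back in `encrypted_secret` / `encrypted_password` (an OpenPGP encrypted message, base64-encoded). The following is an added example, not code from either answer or from the Terraform provider: a small OpenPGP packet-header parser (RFC 4880 old- and new-format headers) that tells you which of those things a given string is before you commit it or pipe it into `gpg --decrypt`. It flags an ASCII-armored key (which would not base64-decode to packets), and it flags a secret key packet, which should never end up in a `.tf` file or in state. The sample keys and message are constructed byte strings, not real keys; the function names and return labels are this example's own.

```python
import base64
import struct

# OpenPGP packet tags used here (RFC 4880, section 4.3).
TAG_PKESK = 1           # Public-Key Encrypted Session Key: first packet of an encrypted message
TAG_SECRET_KEY = 5
TAG_PUBLIC_KEY = 6
TAG_SECRET_SUBKEY = 7
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14
TAG_SEIPD = 18          # Symmetrically Encrypted Integrity Protected Data

TAG_NAMES = {
    TAG_PKESK: "pkesk", TAG_SECRET_KEY: "secret-key", TAG_PUBLIC_KEY: "public-key",
    TAG_SECRET_SUBKEY: "secret-subkey", TAG_USER_ID: "user-id",
    TAG_PUBLIC_SUBKEY: "public-subkey", TAG_SEIPD: "seipd",
}


def parse_packets(blob):
    """Split a binary OpenPGP blob into (tag, body) pairs, handling old- and new-format headers."""
    packets, i, n = [], 0, len(blob)
    while i < n:
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("byte %d is not an OpenPGP packet header" % i)
        i += 1
        if ctb & 0x40:                      # new-format header: tag in the low 6 bits
            tag = ctb & 0x3F
            first = blob[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + blob[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", blob[i:i + 4])[0]
                i += 4
            else:                           # partial body lengths: not used by keys or these outputs
                raise ValueError("partial body length not supported")
        else:                               # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = blob[i]
                i += 1
            elif ltype == 1:
                length = struct.unpack(">H", blob[i:i + 2])[0]
                i += 2
            elif ltype == 2:
                length = struct.unpack(">I", blob[i:i + 4])[0]
                i += 4
            else:                           # indeterminate length: packet runs to end of input
                length = n - i
        body = blob[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet (tag %d)" % tag)
        i += length
        packets.append((tag, body))
    return packets


def classify_pgp_value(value):
    """Say what a string destined for pgp_key, or produced by terraform output, actually is."""
    value = value.strip()
    if value.startswith("keybase:"):
        return "keybase"                    # the provider fetches the public key from Keybase itself
    if value.startswith("-----BEGIN PGP"):
        return "armored"                    # pgp_key wants base64 of the binary export, not armor
    try:
        packets = parse_packets(base64.b64decode(value, validate=True))
    except (ValueError, struct.error, IndexError):
        return "not-openpgp"
    if not packets:
        return "not-openpgp"
    first_tag = packets[0][0]
    if first_tag == TAG_PUBLIC_KEY:
        return "public-key"                 # what pgp_key expects
    if first_tag in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY):
        return "secret-key"                 # never belongs in .tf files or state
    if first_tag == TAG_PKESK:
        return "encrypted-message"          # what encrypted_secret / encrypted_password hold
    return "other:%s" % TAG_NAMES.get(first_tag, str(first_tag))


def build_packet(tag, body, old_format=False):
    """Assemble one OpenPGP packet; used only to construct the sample input below."""
    if old_format:                          # old format with a 2-byte length (length type 1)
        return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body
    hdr = bytes([0xC0 | tag])
    if len(body) < 192:
        return hdr + bytes([len(body)]) + body
    if len(body) < 8384:
        rest = len(body) - 192
        return hdr + bytes([(rest >> 8) + 192, rest & 0xFF]) + body
    return hdr + b"\xff" + struct.pack(">I", len(body)) + body


# Constructed samples (NOT real keys or ciphertext): a v4 public key packet with toy RSA MPIs plus a
# user ID, a secret key packet, and an encrypted message (PKESK + SEIPD) shaped like Terraform's output.
SAMPLE_PUBLIC_KEY = (
    build_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00\x04\x0f" + b"\x00\x05\x11",
                 old_format=True)
    + build_packet(TAG_USER_ID, b"Example <example@example.com>")
)
SAMPLE_SECRET_KEY = build_packet(TAG_SECRET_KEY, b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00\x04\x0f")
SAMPLE_ENCRYPTED = (
    build_packet(TAG_PKESK, b"\x03" + b"\x00" * 8 + b"\x01" + b"\x00\x04\x0f", old_format=True)
    + build_packet(TAG_SEIPD, b"\x01" + b"\xaa" * 300)
)
SAMPLE_PUBLIC_KEY_B64 = base64.b64encode(SAMPLE_PUBLIC_KEY).decode()
SAMPLE_SECRET_KEY_B64 = base64.b64encode(SAMPLE_SECRET_KEY).decode()
SAMPLE_ENCRYPTED_B64 = base64.b64encode(SAMPLE_ENCRYPTED).decode()

if __name__ == "__main__":
    for label, v in [("content_base64 of gpg --export", SAMPLE_PUBLIC_KEY_B64),
                     ("terraform output", SAMPLE_ENCRYPTED_B64),
                     ("keybase form", "keybase:terraform_user")]:
        print(label, "->", classify_pgp_value(v))
```

In practice you would run `classify_pgp_value` on `base64 -w0 public-key-binary.gpg` before wiring the file into `data "local_file"`, and on `terraform output -raw password` before piping it to `gpg --decrypt`; "public-key" and "encrypted-message" respectively are the expected answers, and anything else means the wrong artifact is in the wrong place.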