我正在尝试将SSM文档(将linux服务器与AD域连接)与EC2实例关联。
我在关联过程中得到以下错误-
aws_ssm_association.rhel: Creating...
╷
│ Error: Error creating SSM association: ValidationException: The assume role is invalid.
│ status code: 400, request id: 3e2e23f0-da9e-4d0d-947f-2f121aa653e9
│
│ with aws_ssm_association.rhel,
│ on ssm.tf line 10, in resource "aws_ssm_association" "rhel":
│ 10: resource "aws_ssm_association" "rhel" {
这是我的Terraform代码-
main.tf
provider "aws" {
region = "us-west-2"
allowed_account_ids = ["1234"]
assume_role {
role_arn = "arn:aws:iam::1234:role/my-role"
}
}
terraform {
required_version = "= 1.0.9"
}
ec2.tf
resource "aws_key_pair" "rhel" {
key_name_prefix = "rhel_domain_join_test"
public_key = "ssh-rsa AMAMAMMMxxxx"
}
resource "aws_instance" "rhel" {
ami = "ami-0b28dfc7adc3xxx" # us-west-2
instance_type = "t3.medium"
subnet_id = "subnet-023db3ebxxx"
iam_instance_profile = aws_iam_instance_profile.rhel_instance_profile.id
vpc_security_group_ids = ["sg-077f9f9aceexxxx"]
key_name = aws_key_pair.rhel.id
tags = {
Name = "w2domainjointestpoc"
}
}
iam.tf
resource "aws_iam_instance_profile" "rhel_instance_profile" {
name_prefix = "rhel_instance_profile"
role = aws_iam_role.rhel_instance_role.name
}
resource "aws_iam_role" "rhel_instance_role" {
name_prefix = "rhel_instance_role"
path = "/"
assume_role_policy = data.aws_iam_policy_document.ssm_role_policy.json
}
resource "aws_iam_role_policy_attachment" "rhel_instance" {
role = aws_iam_role.rhel_instance_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
}
resource "aws_iam_role_policy_attachment" "rhel_instance_2" {
role = aws_iam_role.rhel_instance_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}
resource "aws_iam_role_policy_attachment" "ec2-attach" {
role = aws_iam_role.rhel_instance_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}
resource "aws_iam_policy" "ssm_role_passrole" {
name_prefix = "ssm_automation"
description = "My test policy"
policy = data.aws_iam_policy_document.ssm_role_passrole.json
}
resource "aws_iam_role_policy_attachment" "ssm_role_passrole" {
role = aws_iam_role.rhel_instance_role.name
policy_arn = aws_iam_policy.ssm_role_passrole.arn
}
data.tf
data "aws_iam_policy_document" "ssm_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com", "ssm.amazonaws.com"]
}
}
}
data "aws_iam_policy_document" "ssm_role_passrole" {
statement {
actions = ["iam:GetRole", "iam:PassRole"]
resources = [aws_iam_role.rhel_instance_role.arn]
}
}
ssm.tf
resource "aws_ssm_document" "rhel_domain_join_document" {
name = "rhel_domain_join_document"
document_format = "JSON"
document_type = "Automation"
content = file("${path.module}/redhat_linux_launch_automation_document.json")
}
resource "aws_ssm_association" "rhel" {
name = aws_ssm_document.rhel_domain_join_document.name
targets {
key = "InstanceIds"
values = [aws_instance.rhel.id]
}
}
你能帮我理解我在这里错过了什么吗?
谢谢
我认为你混淆了SSM文档类型。对于SSM状态管理器,可以使用三种类型的文件:
- <
- 命令/gh>自动化
您的redhat_linux_launch_automation_document.json
是自动化。正因为如此,targets
块在你的aws_ssm_association.rhel
不完全适用。targets
块仅用于前两种文档类型或速率控制的Automation
。
对于简单执行自动化类型只要在aws_ssm_association.rhel
中提供parameters
,假设您不需要任何速率或计划执行控制。此外,您的redhat_linux_launch_automation_document.json
不承担任何角色.
所以应该是:
redhat_linux_launch_automation_document.json(局部视图)
添加角色AutomationAssumeRole
:
{
"description": "Launch Automation for RedHat Linux instance",
"schemaVersion": "0.3",
"assumeRole": "{{AutomationAssumeRole}}",
"parameters": {
"instanceIds": {
"type": "StringList",
"description": "InstanceIds to run launch setup"
},
"AutomationAssumeRole": {
"default": "",
"type": "String",
"description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf."
}
},
main.tf:
创建SSM角色:
resource "aws_iam_role" "ssm" {
path = "/"
assume_role_policy = <<EOL
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]
},
"Action": "sts:AssumeRole"
}
]
}
EOL
managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"]
inline_policy {
name = "my_inline_policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["iam:PassRole"]
Effect = "Allow"
Resource = "*"
},
]
})
}
}
和最终修复aws_ssm_association.rhel
:
resource "aws_ssm_association" "rhel" {
name = aws_ssm_document.rhel_domain_join_document.name
parameters = {
AutomationAssumeRole = aws_iam_role.ssm.arn
instanceIds = aws_instance.rhel.id
}
}
注意:我的回答只针对你的错误信息。我没有检查你的自动化文档是否实际工作。为此,您可能需要创建新的问题。