小贝子编程

如何通过Terraform传递假设角色并将SSM文档与EC2关联



我正在尝试将SSM文档(将linux服务器与AD域连接)与EC2实例关联。

我在关联过程中得到以下错误-

aws_ssm_association.rhel: Creating...
╷
│ Error: Error creating SSM association: ValidationException: The assume role is invalid.
│       status code: 400, request id: 3e2e23f0-da9e-4d0d-947f-2f121aa653e9
│ 
│   with aws_ssm_association.rhel,
│   on ssm.tf line 10, in resource "aws_ssm_association" "rhel":
│   10: resource "aws_ssm_association" "rhel" {

这是我的Terraform代码-

main.tf

provider "aws" {
region              = "us-west-2"
allowed_account_ids = ["1234"]
assume_role {
role_arn = "arn:aws:iam::1234:role/my-role"
}
}
terraform {
required_version = "= 1.0.9"
}

ec2.tf

resource "aws_key_pair" "rhel" {
key_name_prefix = "rhel_domain_join_test"
public_key      = "ssh-rsa AMAMAMMMxxxx"
}
resource "aws_instance" "rhel" {
ami                    = "ami-0b28dfc7adc3xxx" # us-west-2
instance_type          = "t3.medium"
subnet_id              = "subnet-023db3ebxxx"
iam_instance_profile   = aws_iam_instance_profile.rhel_instance_profile.id
vpc_security_group_ids = ["sg-077f9f9aceexxxx"]
key_name               = aws_key_pair.rhel.id
tags = {
Name = "w2domainjointestpoc"
}
}

iam.tf

resource "aws_iam_instance_profile" "rhel_instance_profile" {
name_prefix = "rhel_instance_profile"
role        = aws_iam_role.rhel_instance_role.name
}
resource "aws_iam_role" "rhel_instance_role" {
name_prefix        = "rhel_instance_role"
path               = "/"
assume_role_policy = data.aws_iam_policy_document.ssm_role_policy.json
}
resource "aws_iam_role_policy_attachment" "rhel_instance" {
role       = aws_iam_role.rhel_instance_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
}
resource "aws_iam_role_policy_attachment" "rhel_instance_2" {
role       = aws_iam_role.rhel_instance_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}
resource "aws_iam_role_policy_attachment" "ec2-attach" {
role       = aws_iam_role.rhel_instance_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

resource "aws_iam_policy" "ssm_role_passrole" {
name_prefix = "ssm_automation"
description = "My test policy"
policy      = data.aws_iam_policy_document.ssm_role_passrole.json
}
resource "aws_iam_role_policy_attachment" "ssm_role_passrole" {
role       = aws_iam_role.rhel_instance_role.name
policy_arn = aws_iam_policy.ssm_role_passrole.arn
}

data.tf

data "aws_iam_policy_document" "ssm_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type        = "Service"
identifiers = ["ec2.amazonaws.com", "ssm.amazonaws.com"]
}
}
}

data "aws_iam_policy_document" "ssm_role_passrole" {
statement {
actions   = ["iam:GetRole", "iam:PassRole"]
resources = [aws_iam_role.rhel_instance_role.arn]
}
}

ssm.tf

resource "aws_ssm_document" "rhel_domain_join_document" {
name            = "rhel_domain_join_document"
document_format = "JSON"
document_type   = "Automation"

content = file("${path.module}/redhat_linux_launch_automation_document.json")
}
resource "aws_ssm_association" "rhel" {
name = aws_ssm_document.rhel_domain_join_document.name
targets {
key    = "InstanceIds"
values = [aws_instance.rhel.id]
}
}

你能帮我理解我在这里错过了什么吗?

谢谢

我认为你混淆了SSM文档类型。对于SSM状态管理器,可以使用三种类型的文件:

  1. <
  2. 命令/gh>自动化

您的redhat_linux_launch_automation_document.json自动化。正因为如此,targets块在你的aws_ssm_association.rhel不完全适用。targets块仅用于前两种文档类型或速率控制的Automation

对于简单执行自动化类型只要在aws_ssm_association.rhel中提供parameters,假设您不需要任何速率或计划执行控制。此外,您的redhat_linux_launch_automation_document.json承担任何角色.

所以应该是:

redhat_linux_launch_automation_document.json(局部视图)

添加角色AutomationAssumeRole:

{
"description": "Launch Automation for RedHat Linux instance",
"schemaVersion": "0.3",
"assumeRole": "{{AutomationAssumeRole}}",    
"parameters": {
"instanceIds": {
"type": "StringList",
"description": "InstanceIds to run launch setup"
},
"AutomationAssumeRole": {
"default": "",
"type": "String",
"description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf."
}        
},

main.tf:

创建SSM角色:

resource "aws_iam_role" "ssm" {
path               = "/"
assume_role_policy = <<EOL
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]
},
"Action": "sts:AssumeRole"
}
]
}
EOL
managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"]
inline_policy {
name = "my_inline_policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action   = ["iam:PassRole"]
Effect   = "Allow"
Resource = "*"
},
]
})
}
}

和最终修复aws_ssm_association.rhel:

resource "aws_ssm_association" "rhel" {
name = aws_ssm_document.rhel_domain_join_document.name

parameters = {
AutomationAssumeRole = aws_iam_role.ssm.arn
instanceIds = aws_instance.rhel.id
}  
}

注意:我的回答只针对你的错误信息。我没有检查你的自动化文档是否实际工作。为此,您可能需要创建新的问题。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium