如何在地形中创建iam用户模块，以覆盖3种类型的iam用户场景

你能在这里帮助如何在terraform中创建iam用户模块来覆盖3种类型的iam用户场景吗？

PS：我不想在modules/iam/iam-user/下创建嵌套目录，以使每个iam用户案例分别存在。

以下是场景：

// Type 1
resource "aws_iam_user" "aws_iam_user_000" {
name                 = "user-000"
permissions_boundary = data.aws_iam_policy.permission_boundary.arn
}
resource "aws_iam_user_policy_attachment" "aws_iam_user_000" {
policy_arn = aws_iam_policy.s3_iam_policy.arn
user       = aws_iam_user.aws_iam_user_000.name
}
// Type 2
resource "aws_iam_user" "aws_iam_user_001" {
path                 = "/"
for_each             = toset(var.user_lists)
name                 = each.value
force_destroy        = true
permissions_boundary = data.aws_iam_policy.permission_boundary.arn
}
resource "aws_iam_group" "aws_iam_group_001" {
name = "group-0001"
}
resource "aws_iam_user_group_membership" "group-membership" {
for_each = toset(var.user_lists)
user     = aws_iam_user.aws_iam_user_001[each.value].name
groups   = [aws_iam_group.aws_iam_group_001.name]
}
// Type 3
resource "aws_iam_user" "aws_iam_user_0002" {
name                 = "user-002"
tags                 = { "user_type" = "admin_account" }
permissions_boundary = data.aws_iam_policy.permission_boundary.arn
}

如果我理解正确，您应该能够使用以下变量的count和for_each来实现这一点。

变量.tf

variable "is_admin" {
type    = bool
default = false
}
variable "user_lists" {
type    = list(any)
default = null
}

main.tf

// Type 1 and Type 3
resource "aws_iam_user" "this" {
count = var.user_lists == null ? 1 : 0
name                 = var.is_admin ? "user-000" : "user-002"
permissions_boundary = data.aws_iam_policy.permission_boundary.arn
tags                 = var.is_admin ? { "user_type" = "admin_account" } : null
}
resource "aws_iam_user_policy_attachment" "this" {
count = var.user_lists == null ? 1 : 0
policy_arn = aws_iam_policy.s3_iam_policy.arn
user       = aws_iam_user.this[0].name
}
// Type 2
resource "aws_iam_user" "from_list" {
for_each = var.user_lists != null ? toset(var.user_lists) : []
path                 = "/"
name                 = each.value
force_destroy        = true
permissions_boundary = data.aws_iam_policy.permission_boundary.arn
}
resource "aws_iam_group" "from_list" {
count = var.user_lists == null ? 1 : 0
name = "group-0001"
}
resource "aws_iam_user_group_membership" "this" {
for_each = var.user_lists != null ? toset(var.user_lists) : []
user   = aws_iam_user.from_list[each.value].name
groups = [aws_iam_group.from_list[0].name]
}

变量.tf

main.tf

相关内容

最新更新

热门标签：