我想将多个 IAM 策略 ARN 附加到单个 IAM 角色。
一种方法是创建一个具有所有策略(多个策略(权限的新策略。
但是在AWS中,我们有一些预定义的IAM策略,如AmazonEC2FullAccess、AmazomS3FullAccess等。我想将这些组合用于我的角色。
我在 Terraform 文档中找不到这样做的方法。
根据文档,我们可以使用aws_iam_role_policy_attachment将策略附加到角色,但不能将多个策略附加到角色,因为这可以通过 AWS 控制台获得。
请让我知道是否有一种方法可以做同样的事情,或者它仍然是一个需要添加的功能。
我使用的Terraform版本是v0.9.5
对于 Terraform 版本>= 0.12,添加多个策略的最干净方法可能是这样的:
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
for_each = toset([
"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess"
])
role = var.iam_role_name
policy_arn = each.value
}
如Pranshu Verma的回答所述,策略列表也可以放入变量中。
使用for_each支持count具有以下优点:terraform 可以正确识别对列表的插入,因此它实际上只会添加一个策略,而插入后的所有策略计数都会更改(这在本博客文章中有详细说明(
感谢克里希纳·库马尔 R 的提示。
我从你的回答中得到了一个更精致的答案。
# Define policy ARNs as list
variable "iam_policy_arn" {
description = "IAM Policy to be attached to role"
type = "list"
}
# Then parse through the list using count
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
role = "${var.iam_role_name}"
count = "${length(var.iam_policy_arn)}"
policy_arn = "${var.iam_policy_arn[count.index]}"
}
最后,策略列表应在 *.tfvars 文件中或使用 -var 在命令行中指定,例如:
iam_policy_arn = [
"arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/AmazonS3FullAccess"]
你有没有尝试过这样的事情:
resource "aws_iam_role" "iam_role_name" {
name = "iam_role_name"
}
resource "aws_iam_role_policy_attachment" "mgd_pol_1" {
name = "mgd_pol_attach_name"
role = "${aws_iam_role.iam_role_name.name}"
policy_arn = "${aws_iam_policy.mgd_pol_1.arn}"
}
resource "aws_iam_role_policy_attachment" "mgd_pol_2" {
name = "mgd_pol_attach_name"
role = "${aws_iam_role.iam_role_name.name}"
policy_arn = "${aws_iam_policy.mgd_pol_2.arn}"
}
1.使用 for 循环数据源获取所有策略
data "aws_iam_policy" "management_group_policy" {
for_each = toset(["Billing", "AmazonS3ReadOnlyAccess"])
name = each.value
}
2.依附于角色;
resource "aws_iam_role_policy_attachment" "dev_role_policy_attachment" {
for_each = data.aws_iam_policy.management_group_policy
role = aws_iam_role.role.name
policy_arn = each.value.arn
}
添加另一个选项,类似于例外答案,但不是:
policy_arn = "${var.iam_policy_arn[count.index]}"
您可以使用元素函数:
policy_arn = "${element(var.iam_policy_arn,count.index)}"
我认为在某些情况下(例如具有大量代码的项目(,这可能更具可读性。
就我而言,我在一个策略文档中添加了多个语句:
data "aws_iam_policy_document" "sns-and-sqs-policy" {
statement {
sid = "AllowToPublishToSns"
effect = "Allow"
actions = [
"sns:Publish",
]
resources = [
data.resource.arn,
]
}
statement {
sid = "AllowToSubscribeFromSqs"
effect = "Allow"
actions = [
"sqs:changeMessageVisibility*",
"sqs:SendMessage",
"sqs:ReceiveMessage",
"sqs:GetQueue*",
"sqs:DeleteMessage",
]
resources = [
data.resource.arn,
]
}
}
resource "aws_iam_policy" "sns-and-sqs" {
name = "sns-and-sqs-policy"
policy = data.aws_iam_policy_document.sns-and-sqs-policy.json
}
resource "aws_iam_role_policy_attachment" "sns-and-sqs-role" {
role = "role_name"
policy_arn = aws_iam_policy.sns-and-sqs.arn
}
只需将您的保单合并到一个保单中即可
这是我如何做到的一个例子:
resource "aws_iam_group_policy_attachment" "policy_attach_example" {
for_each = aws_iam_policy.example
group = aws_iam_group.example.name
policy_arn = each.value["arn"]
}
所以基本上"aws_iam_policy.example"是我以同样方式制定的政策列表,for_each
希望这对你有帮助,我知道我来晚了,但我有这个类似的问题