IAM policy: MalformedPolicyDocument: Syntax errors in policy

I was able to run a CloudFormation stack containing the snippet below successfully, and now my end goal is to port it to Terraform, but...

Even within the AWS console I get a malformed syntax error. I tried debugging it with the AWS console's "Policy Editor" and clicking the "Validate" button, but the error is not specific. Does anyone know what I am doing wrong? It is strange, because this policy appears to be valid when I deploy the CloudFormation stack template. (By the way, in case it helps, this is from GorillaStack's auto-tagging project.)

This policy contains the following error: Syntax errors in policy. For more information about the IAM policy syntax, see AWS IAM Policies.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudformation:DescribeStackResource"
          ],
          "Resource": [
            { "Fn::Join": [ "", [ "arn:aws:cloudformation:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":stack/autotag/*" ] ] }
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "sts:*"
          ],
          "Resource": [
            { "Fn::GetAtt" : [ "AutoTagMasterRole", "Arn" ] }
          ]
        }
      ]
    }

My Terraform configuration has the following resource (which embeds the snippet above):

    resource "aws_iam_role_policy" "AutoTagExecutionPolicy" {
      name   = "AutoTagExecutionPolicy"
      role   = "${aws_iam_role.AutoTagExecutionRole.id}"
      policy = <<EOF
    <-THE POLICY ABOVE GOES HERE->
    EOF
    }

You need to convert the CloudFormation functions into variables in your Terraform script.

    # The aws_iam_policy_document data source uses the plural arguments
    # "actions" and "resources"; IAM Sid values must be alphanumeric.
    data "aws_iam_policy_document" "example" {
      statement {
        sid    = "AllowLogs"
        effect = "Allow"
        actions = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
        ]
        resources = [
          "arn:aws:logs:*:*:*",
        ]
      }
      statement {
        sid    = "AllowS3"
        effect = "Allow"
        actions = [
          "s3:GetObject",
          "s3:ListBucket",
        ]
        resources = [
          "*",
        ]
      }
      statement {
        sid    = "AllowCfn"
        effect = "Allow"
        actions = [
          "cloudformation:DescribeStackResource",
        ]
        resources = [
          "${var.cfn_stack}",
        ]
      }
      statement {
        sid    = "AllowSts"
        effect = "Allow"
        actions = [
          "sts:*",
        ]
        resources = [
          "${var.AutoTagMasterRole_arn}",
        ]
      }
    }

Then

    resource "aws_iam_policy" "example" {
      name   = "example_policy"
      path   = "/"
      policy = "${data.aws_iam_policy_document.example.json}"
    }

https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html

https://www.terraform.io/docs/configuration/interpolation.html
