我正在为 API 网关创建一个策略和一个角色,以访问具有以下 terraform 配置的 dynamodb API 端点。我错过了什么?我在terraform plan上收到无效的政策错误
resource "aws_iam_role_policy" "api_dbaccess_policy" {
name = "api_dbaccess_policy"
role = "${aws_iam_role.apiGatewayDynamoDbAccessRole.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGet*",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWrite*",
"dynamodb:CreateTable",
"dynamodb:Delete*",
"dynamodb:Update*",
"dynamodb:PutItem"
],
"Resource": "*"
}
]
}
EOF
# depends_on = [
# "aws_dynamodb_table.us-east-1"
# ]
}
resource "aws_iam_role" "apiGatewayDynamoDbAccessRole" {
name = "apiGatewayDynamoDbAccessRole"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
我做错了什么?我收到无效的策略错误。
如前所述,只需删除EOF块中的缩进...
另一种选择是使用aws_iam_policy_document数据源。对我来说,这是一种更干净的方法,并且更易于维护,例如,当您使用具有地形支持的 IDE 时。 您的配置如下所示(此处不需要"Effect": "Allow",因为它是默认行为(:
resource "aws_iam_role_policy" "api_dbaccess_policy" {
name = "api_dbaccess_policy"
role = "${aws_iam_role.apiGatewayDynamoDbAccessRole.id}"
policy = "${data.aws_iam_policy_document.dynamodb.json}"
}
resource "aws_iam_role" "apiGatewayDynamoDbAccessRole" {
name = "apiGatewayDynamoDbAccessRole"
assume_role_policy = "${data.aws_iam_policy_document.apigateway.json}"
}
data "aws_iam_policy_document" "dynamodb" {
statement {
actions = [
"dynamodb:BatchGet*",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWrite*",
"dynamodb:CreateTable",
"dynamodb:Delete*",
"dynamodb:Update*",
"dynamodb:PutItem"
]
resources = ["*"]
}
}
data "aws_iam_policy_document" "apigateway" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["apigateway.amazonaws.com"]
}
}
}