How to attach existing privacy policy to IAM role via Terraform

I need to create a new IAM role via Terraform. The role should have a policy that is predefined in AWS (AmazonSSMFullAccess), but I cannot find anywhere how to add an already created policy. The code template should look like this:

    resource "aws_iam_role" "role" {
      name                 = var.name
      assume_role_policy   = var.assume_role_policy
      max_session_duration = var.max_session_duration
      description          = var.description
    }
    
    resource "aws_iam_role_policy_attachment" "attach_policy" {
      policy_arn = var.policy_to_attach
      role       = aws_iam_role.role.name
    }

For an existing AWS policy you can simply copy its ARN from the console and then paste that ARN as the policy_arn argument. In your case:

    resource "aws_iam_role_policy_attachment" "attach_policy" {
      policy_arn = "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
      role       = aws_iam_role.role.name
    }

To make it a bit safer, you can first import the policy with a data source:

    data "aws_iam_policy" "example" {
      arn = "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
    }

    resource "aws_iam_role_policy_attachment" "attach_policy" {
      policy_arn = data.aws_iam_policy.example.arn
      role       = aws_iam_role.role.name
    }

Edit: the data source can also be looked up by name:

    data "aws_iam_policy" "test" {
      name = "AmazonSSMFullAccess"
    }

As noted in the comments, the data source helps verify that the given policy can be found and read before Terraform tries to perform any other operation.
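Putting the pieces of the answer together, here is a complete, self-contained configuration as an added example (it is not code from the question or the answer). It assumes the role is meant to be assumed by EC2 instances, and the role name `ssm-example-role` and the `us-east-1` region are placeholders; everything else uses the `aws_iam_policy` data source and `aws_iam_role_policy_attachment` resource exactly as discussed above.

```hcl
# Added example, not the poster's code: create a role and attach the
# AWS-managed AmazonSSMFullAccess policy, resolved through a data source.
# Assumptions: EC2 is the trusted principal; role name and region are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

# Trust policy: only the EC2 service may assume this role.
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Resolve the AWS-managed policy by name. If the name is misspelled or the
# caller cannot read it, `terraform plan` fails here, before any resource
# is created or modified.
data "aws_iam_policy" "ssm" {
  name = "AmazonSSMFullAccess"
}

resource "aws_iam_role" "role" {
  name                 = "ssm-example-role" # placeholder name
  assume_role_policy   = data.aws_iam_policy_document.assume_role.json
  max_session_duration = 3600
  description          = "Role with the AWS-managed SSM policy attached via Terraform"
}

# Attach the managed policy by the ARN the data source returned.
resource "aws_iam_role_policy_attachment" "attach_policy" {
  role       = aws_iam_role.role.name
  policy_arn = data.aws_iam_policy.ssm.arn
}

output "attached_policy_arn" {
  # Resolves to arn:aws:iam::aws:policy/AmazonSSMFullAccess
  value = data.aws_iam_policy.ssm.arn
}
```

Run `terraform init && terraform plan` to see the lookup succeed (or fail) before anything is applied. One design point worth keeping in mind: a managed `*FullAccess` policy grants far more than most workloads need, so after confirming the attachment works, swapping in a narrower managed policy (for example `AmazonSSMManagedInstanceCore` for instances that only need to be managed by SSM) keeps the role closer to least privilege.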