如何使用 Terraform 将多个 IAM 策略附加到 IAM 角色?
How to attach multiple IAM policies to IAM roles using Terraform?
我想将多个 IAM 策略 ARN 附加到单个 IAM 角色。
一种方法是创建一个具有所有策略(多个策略)权限的新策略。
但在 AWS 中,我们有一些预定义的 IAM 策略,例如 AmazonEC2FullAccess、AmazomS3FullAccess 等。我想将这些策略组合用于我的角色。
我在 Terraform 文档中找不到这样做的方法。
根据文档,我们可以使用 aws_iam_role_policy_attachment 将一个策略附加到一个角色,但不能将多个策略附加到一个角色,因为这可以通过 AWS 控制台获得。
请告诉我是否有方法可以做到这一点,或者它是否仍然是一个有待添加的功能。
我使用的Terraform版本是v0.9.5
你有没有试过这样的事情:
resource "aws_iam_role" "iam_role_name" {
name = "iam_role_name"
}
resource "aws_iam_role_policy_attachment" "mgd_pol_1" {
name = "mgd_pol_attach_name"
role = "${aws_iam_role.iam_role_name.name}"
policy_arn = "${aws_iam_policy.mgd_pol_1.arn}"
}
resource "aws_iam_role_policy_attachment" "mgd_pol_2" {
name = "mgd_pol_attach_name"
role = "${aws_iam_role.iam_role_name.name}"
policy_arn = "${aws_iam_policy.mgd_pol_2.arn}"
}
感谢 Krishna Kumar R 的提示。
我从你的回答中得出了一个更完善的答案。
# Define policy ARNs as list
variable "iam_policy_arn" {
description = "IAM Policy to be attached to role"
type = "list"
}
# Then parse through the list using count
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
role = "${var.iam_role_name}"
count = "${length(var.iam_policy_arn)}"
policy_arn = "${var.iam_policy_arn[count.index]}"
}
最后,策略列表应在 *.tfvars 文件或命令行中使用 -var 指定,例如:
iam_policy_arn = [
"arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/AmazonS3FullAccess"]
添加另一个选项,类似于例外的答案,但不是:
policy_arn = "${var.iam_policy_arn[count.index]}"
您可以使用 element function:
policy_arn = "${element(var.iam_policy_arn,count.index)}"
我认为在某些情况下(比如有大量代码的项目)这可能更具可读性。
对于 >= 0.12 的 Terraform 版本,添加多个策略的最干净的方法可能是这样的:
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
for_each = toset([
"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess"
])
role = var.iam_role_name
policy_arn = each.value
}
正如 Pranshu Verma 的回答中所述,政策列表也可以放入变量中。
使用 for_each 代替 count 的优点是,terraform 可以正确识别列表中的插入,因此它实际上只会添加一个策略,而在插入将被更改(这在 this blog post 中有详细描述)
这是我如何做到的示例:
resource "aws_iam_group_policy_attachment" "policy_attach_example" {
for_each = aws_iam_policy.example
group = aws_iam_group.example.name
policy_arn = each.value["arn"]
}
所以基本上“aws_iam_policy.example”是我以相同方式制定的政策列表,for_each
希望这对你有帮助,我知道我来晚了,但我遇到了类似的问题
就我而言,我在一份保单文件中添加了多个声明:
data "aws_iam_policy_document" "sns-and-sqs-policy" {
statement {
sid = "AllowToPublishToSns"
effect = "Allow"
actions = [
"sns:Publish",
]
resources = [
data.resource.arn,
]
}
statement {
sid = "AllowToSubscribeFromSqs"
effect = "Allow"
actions = [
"sqs:changeMessageVisibility*",
"sqs:SendMessage",
"sqs:ReceiveMessage",
"sqs:GetQueue*",
"sqs:DeleteMessage",
]
resources = [
data.resource.arn,
]
}
}
resource "aws_iam_policy" "sns-and-sqs" {
name = "sns-and-sqs-policy"
policy = data.aws_iam_policy_document.sns-and-sqs-policy.json
}
resource "aws_iam_role_policy_attachment" "sns-and-sqs-role" {
role = "role_name"
policy_arn = aws_iam_policy.sns-and-sqs.arn
}
只需将您的保单合并为一个保单
我想将多个 IAM 策略 ARN 附加到单个 IAM 角色。
一种方法是创建一个具有所有策略(多个策略)权限的新策略。
但在 AWS 中,我们有一些预定义的 IAM 策略,例如 AmazonEC2FullAccess、AmazomS3FullAccess 等。我想将这些策略组合用于我的角色。
我在 Terraform 文档中找不到这样做的方法。
根据文档,我们可以使用 aws_iam_role_policy_attachment 将一个策略附加到一个角色,但不能将多个策略附加到一个角色,因为这可以通过 AWS 控制台获得。
请告诉我是否有方法可以做到这一点,或者它是否仍然是一个有待添加的功能。
我使用的Terraform版本是v0.9.5
你有没有试过这样的事情:
resource "aws_iam_role" "iam_role_name" {
name = "iam_role_name"
}
resource "aws_iam_role_policy_attachment" "mgd_pol_1" {
name = "mgd_pol_attach_name"
role = "${aws_iam_role.iam_role_name.name}"
policy_arn = "${aws_iam_policy.mgd_pol_1.arn}"
}
resource "aws_iam_role_policy_attachment" "mgd_pol_2" {
name = "mgd_pol_attach_name"
role = "${aws_iam_role.iam_role_name.name}"
policy_arn = "${aws_iam_policy.mgd_pol_2.arn}"
}
感谢 Krishna Kumar R 的提示。
我从你的回答中得出了一个更完善的答案。
# Define policy ARNs as list
variable "iam_policy_arn" {
description = "IAM Policy to be attached to role"
type = "list"
}
# Then parse through the list using count
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
role = "${var.iam_role_name}"
count = "${length(var.iam_policy_arn)}"
policy_arn = "${var.iam_policy_arn[count.index]}"
}
最后,策略列表应在 *.tfvars 文件或命令行中使用 -var 指定,例如:
iam_policy_arn = [
"arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/AmazonS3FullAccess"]
添加另一个选项,类似于例外的答案,但不是:
policy_arn = "${var.iam_policy_arn[count.index]}"
您可以使用 element function:
policy_arn = "${element(var.iam_policy_arn,count.index)}"
我认为在某些情况下(比如有大量代码的项目)这可能更具可读性。
对于 >= 0.12 的 Terraform 版本,添加多个策略的最干净的方法可能是这样的:
resource "aws_iam_role_policy_attachment" "role-policy-attachment" {
for_each = toset([
"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess"
])
role = var.iam_role_name
policy_arn = each.value
}
正如 Pranshu Verma 的回答中所述,政策列表也可以放入变量中。
使用 for_each 代替 count 的优点是,terraform 可以正确识别列表中的插入,因此它实际上只会添加一个策略,而在插入将被更改(这在 this blog post 中有详细描述)
这是我如何做到的示例:
resource "aws_iam_group_policy_attachment" "policy_attach_example" {
for_each = aws_iam_policy.example
group = aws_iam_group.example.name
policy_arn = each.value["arn"]
}
所以基本上“aws_iam_policy.example”是我以相同方式制定的政策列表,for_each
希望这对你有帮助,我知道我来晚了,但我遇到了类似的问题
就我而言,我在一份保单文件中添加了多个声明:
data "aws_iam_policy_document" "sns-and-sqs-policy" {
statement {
sid = "AllowToPublishToSns"
effect = "Allow"
actions = [
"sns:Publish",
]
resources = [
data.resource.arn,
]
}
statement {
sid = "AllowToSubscribeFromSqs"
effect = "Allow"
actions = [
"sqs:changeMessageVisibility*",
"sqs:SendMessage",
"sqs:ReceiveMessage",
"sqs:GetQueue*",
"sqs:DeleteMessage",
]
resources = [
data.resource.arn,
]
}
}
resource "aws_iam_policy" "sns-and-sqs" {
name = "sns-and-sqs-policy"
policy = data.aws_iam_policy_document.sns-and-sqs-policy.json
}
resource "aws_iam_role_policy_attachment" "sns-and-sqs-role" {
role = "role_name"
policy_arn = aws_iam_policy.sns-and-sqs.arn
}
只需将您的保单合并为一个保单