如何在 terraform 中引用另一个文件夹的目标
How to refer target of another folder in terrform
我项目的terraform结构是:
iam/policies/policy1.tf
iam/roles/roles1.tf
policy1.tf包括几个政策等:
resource "aws_iam_policy" "policy1A" {
name = "..."
policy = "${data.template_file.policy1ATempl.rendered}"
}
roles1.tf包括几个角色等:
resource "aws_iam_role" "role1" {
name = ....
assume_role_policy = ....
}
现在我想将 policy1A 附加到 role1。由于 policy1 和 role1 不在同一个文件夹中,我该如何附加它们?
resource "aws_iam_policy_attachment" "attach1" {
name = "attachment1"
roles = ??? (sth. like ["${aws_iam_role.role1.name}"])
policy_arn = ??? (sth. like "${aws_iam_policy.Policy1.arn}")
}
您不能像这样跨目录进行引用,因为 Terraform 一次只能在一个目录中工作。如果您确实需要将它们分成不同的文件夹(我不建议在这里这样做),那么通常您会使用数据源来检索有关已创建资源的信息。
在这种情况下,尽管 aws_iam_policy data source 目前几乎没有用,因为它需要策略的 ARN 而不是路径或名称。相反,如果您知道策略名称,则可以构造它,因为它符合众所周知的模式。您显然知道要将策略附加到的角色的名称,并且您知道策略的名称以便涵盖这些内容。
data "aws_caller_identity" "current" {}
resource "aws_iam_policy_attachment" "attach1" {
name = "attachment1"
roles = "role1"
policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/policy1A"
}
上面的示例确实简要展示了如何使用数据源,因为它使用 aws_caller_identity data source 获取 AWS 账户 ID,并动态使用它来构建您尝试附加的策略的 ARN。
我会回应文档中关于使用资源 aws_iam_policy_attachment unless you are absolutely certain with what you're doing because it will detach the policy from anything else it happens to be attached to. If you want to take a managed policy and attach it to N roles I would instead recommend using aws_iam_role_policy_attachment 的警告,而它就像。
我项目的terraform结构是:
iam/policies/policy1.tf
iam/roles/roles1.tf
policy1.tf包括几个政策等:
resource "aws_iam_policy" "policy1A" {
name = "..."
policy = "${data.template_file.policy1ATempl.rendered}"
}
roles1.tf包括几个角色等:
resource "aws_iam_role" "role1" {
name = ....
assume_role_policy = ....
}
现在我想将 policy1A 附加到 role1。由于 policy1 和 role1 不在同一个文件夹中,我该如何附加它们?
resource "aws_iam_policy_attachment" "attach1" {
name = "attachment1"
roles = ??? (sth. like ["${aws_iam_role.role1.name}"])
policy_arn = ??? (sth. like "${aws_iam_policy.Policy1.arn}")
}
您不能像这样跨目录进行引用,因为 Terraform 一次只能在一个目录中工作。如果您确实需要将它们分成不同的文件夹(我不建议在这里这样做),那么通常您会使用数据源来检索有关已创建资源的信息。
在这种情况下,尽管 aws_iam_policy data source 目前几乎没有用,因为它需要策略的 ARN 而不是路径或名称。相反,如果您知道策略名称,则可以构造它,因为它符合众所周知的模式。您显然知道要将策略附加到的角色的名称,并且您知道策略的名称以便涵盖这些内容。
data "aws_caller_identity" "current" {}
resource "aws_iam_policy_attachment" "attach1" {
name = "attachment1"
roles = "role1"
policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/policy1A"
}
上面的示例确实简要展示了如何使用数据源,因为它使用 aws_caller_identity data source 获取 AWS 账户 ID,并动态使用它来构建您尝试附加的策略的 ARN。
我会回应文档中关于使用资源 aws_iam_policy_attachment unless you are absolutely certain with what you're doing because it will detach the policy from anything else it happens to be attached to. If you want to take a managed policy and attach it to N roles I would instead recommend using aws_iam_role_policy_attachment 的警告,而它就像。