Terraform：附加非托管 IAM 角色

Question

Terraform 版本：12

我们有一个不受 Terraform IAM 角色管理的遗留问题，我想从 aws_iam_policy_attachment 块中引用它，我尝试了以下操作：

  resource "aws_iam_policy_attachment" "example-attach" {
  name = "example-attach"

  roles = [ 
    aws_iam_role.managed-role.name, 
    "arn:aws:iam::1234567890:role/unmanaged-role"
  ]

  policy_arn = aws_iam_policy.example-policy.arn
}

Dry-运行工作正常但在应用 TF 时说：

– ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

有没有一种方法可以只引用非托管角色而无需在 TF 中定义它？或者是否有一些非破坏性的声明方式不会改变与非托管角色有关的任何内容？

Answer 1

在您的 roles 中，您提供的是角色 ARN，而不是角色名称。

因此，您应该使用其名称而不是 ARN：

resource "aws_iam_policy_attachment" "example-attach" {

  name = "example-attach"

  roles = [ 
    aws_iam_role.managed-role.name, 
    "unmanaged-role"
  ]

  policy_arn = aws_iam_policy.example-policy.arn
}

您也可以使用data_source

data "aws_iam_role" "example" {
  name = "unmanaged-role"
}

并在您的资源中引用它：

resource "aws_iam_policy_attachment" "example-attach" {

  name = "example-attach"

  roles = [ 
    aws_iam_role.managed-role.name, 
    data.aws_iam_role.example.name
  ]

  policy_arn = aws_iam_policy.example-policy.arn
}

Terraform：附加非托管 IAM 角色

Terraform: Attaching an unmanaged IAM role

amazon-web-services

terraform

terraform-provider-aws