如果要附加的策略已经存在于帐户中,我会用数据源来查询它。使用 IAM 策略数据源必须先知道策略的 ARN,所以这与直接在 `aws_iam_role_policy_attachment` 资源里写死 ARN 差别不大;区别在于数据源允许 `terraform plan` 在 `apply` 之前就验证该策略确实存在,这对你来说是一层额外的保障。数据源还会提供该资源的更多信息,以备你需要。
# BEGIN 'foo'
# Role assumed by two AWS services (SSM Automation, EventBridge) and by one
# named role in another account. Granted an existing customer-managed
# SecurityAudit policy looked up via a data source.
resource "aws_iam_role" "foo" {
  name = "${terraform.workspace}_Foo"
  path = "/"

  # Trust policy. Two independent statements; statement order is irrelevant
  # to IAM evaluation.
  #   1. Cross-account: a specific role in var.other_aws_account_id.
  #   2. Service principals: automation.amazonaws.com and events.amazonaws.com.
  # NOTE(review): the service-principal statement carries no aws:SourceAccount /
  # aws:SourceArn condition. AWS documents those keys as the cross-service
  # confused-deputy mitigation for SSM Automation and EventBridge; consider
  # adding them once the expected caller ARNs are known — confirm.
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${var.other_aws_account_id}:role/your_role_name_and_path_here"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "automation.amazonaws.com",
          "events.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

# Resolve an existing customer-managed policy named SecurityAudit in the target
# account. The account id in the ARN means this is NOT the AWS-managed
# arn:aws:iam::aws:policy/SecurityAudit. Using a data source makes
# `terraform plan` fail before `apply` if the policy is missing.
# NOTE(review): a customer-managed policy can only be attached to a role in the
# same account, so var.target_account_id presumably is the account this
# configuration is applied to — confirm.
data "aws_iam_policy" "security_audit" {
  arn = "arn:aws:iam::${var.target_account_id}:policy/SecurityAudit"
}

resource "aws_iam_role_policy_attachment" "foo" {
  role       = "${aws_iam_role.foo.name}"
  policy_arn = "${data.aws_iam_policy.security_audit.arn}"
}
# BEGIN 'Foo'
# Role for an external party: trusted by an entire other AWS account, gated by
# an external id, and granted the AWS-managed read-only SecurityAudit policy.
resource "aws_iam_role" "foo" {
  name = "${terraform.workspace}_Foo"
  path = "/"

  # Trust policy. A ":root" principal means any identity in the trusted account
  # that is itself permitted to call sts:AssumeRole can assume this role, as
  # long as it presents the matching sts:ExternalId. The external id is a
  # confused-deputy mitigation, not a credential: make it unique per
  # integration, but do not treat it as authentication on its own.
  # Replace both INSERT_ placeholders before applying.
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::INSERT_ACCOUNT_NUMBER:root"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "INSERT_EXTERNAL_ID"
        }
      }
    }
  ]
}
POLICY
}

# AWS-managed policy with a fixed ARN, so no data source lookup is needed.
resource "aws_iam_role_policy_attachment" "foo" {
  role       = "${aws_iam_role.foo.name}"
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# NOTE(review): the trust policy above has no ec2.amazonaws.com service
# principal, so an EC2 instance launched with this profile cannot obtain the
# role's credentials. If an instance role is genuinely needed, prefer a separate
# role rather than adding EC2 trust to a role another account can assume.
resource "aws_iam_instance_profile" "foo" {
  name = "${terraform.workspace}_Foo"
  role = "${aws_iam_role.foo.name}"
}
# END