How do I attach managed IAM policies and custom IAM policies to an IAM role?

Question   Votes: 0   Answers: 3

I want to attach a managed IAM policy ARN (for example AmazonS3FullAccess) and a custom IAM policy (written as JSON in the Terraform file) to a single IAM role.

Using aws_iam_role_policy_attachment I can only attach one policy; how do I attach both at the same time?

variables.tf
------------

variable "iam_policy_arn" {
  description = "IAM Policy to be attached to role"
  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/AWSLambdaFullAccess", "arn:aws:iam::aws:policy/AmazonSSMFullAccess", "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"]
}




main.tf
-------


resource "aws_iam_role" "test_role" {
  name = "test_role"

  # Trust policy. Note that "AWS": "*" in the second statement, with no
  # Condition, lets any IAM principal in any AWS account assume this role;
  # restrict it to specific account or role ARNs before deploying.
  assume_role_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      },
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "sagemaker.amazonaws.com",
          "AWS": "*"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  EOF
}

# Attach every managed policy ARN in var.iam_policy_arn to the role.
resource "aws_iam_role_policy_attachment" "role_policy_attachment" {
  count      = length(var.iam_policy_arn)
  role       = aws_iam_role.test_role.name
  policy_arn = var.iam_policy_arn[count.index]
}

resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = aws_iam_role.test_role.name
}

Now I want to attach a custom policy like the one below to the role:

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

How do I attach both the managed IAM policy and the custom IAM policy to the IAM role?

terraform terraform-provider-aws
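The trust policy in the question's aws_iam_role.test_role lists `"AWS": "*"` next to the SageMaker service principal, which means any IAM principal in any AWS account whose own policy permits sts:AssumeRole can assume the role. The following Python is an added example, not code from the question or any of the answers: a small checker that parses a trust-policy document and reports Allow statements that grant an assume-role action to a wildcard principal without a Condition. Both policy documents in the block are constructed samples (the question's trust policy, and a version scoped to the two service principals only).

```python
"""Check an IAM role trust policy for principals that let anyone assume the role.

Added example (not code from the question or the answers). The constructed
samples below reproduce the trust policy embedded in the question's
aws_iam_role.test_role and a scoped variant with service principals only.
"""
import json

# Constructed sample: the question's trust policy. The second statement grants
# sts:AssumeRole to "AWS": "*", i.e. any IAM principal in any account.
QUESTION_TRUST_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"Service": "sagemaker.amazonaws.com", "AWS": "*"},
     "Action": "sts:AssumeRole"}
  ]
}
"""

# Constructed sample: the same trust, limited to the two AWS service principals.
SCOPED_TRUST_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": ["ec2.amazonaws.com", "sagemaker.amazonaws.com"]},
     "Action": "sts:AssumeRole"}
  ]
}
"""

# Actions that hand out role credentials; matched case-insensitively.
ASSUME_ACTIONS = {
    "sts:assumerole",
    "sts:assumerolewithsaml",
    "sts:assumerolewithwebidentity",
    "sts:tagsession",
}


def _as_list(value):
    """IAM accepts a single string or a list for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume(statement):
    """True if this Allow statement covers an assume-role action (including sts:* or *)."""
    if statement.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    return bool(actions & ASSUME_ACTIONS) or "sts:*" in actions or "*" in actions


def _has_wildcard_principal(statement):
    """True for Principal "*" or Principal {"AWS": "*"}; Service/Federated principals are named."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_open_principals(policy_json):
    """Return one finding per Allow statement that lets an unrestricted wildcard
    principal assume the role: wildcard principal, assume-role action, no Condition.

    Statements that carry a Condition (for example on aws:PrincipalOrgID) are not
    reported, because the condition is what scopes the wildcard.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if (_grants_assume(statement)
                and _has_wildcard_principal(statement)
                and not statement.get("Condition")):
            findings.append({"index": index, "sid": statement.get("Sid")})
    return findings


if __name__ == "__main__":
    for name, document in (("question", QUESTION_TRUST_POLICY),
                           ("scoped", SCOPED_TRUST_POLICY)):
        print(f"{name}: {find_open_principals(document) or 'no open principals'}")
```

The check applies to whatever JSON ends up in assume_role_policy, whether it comes from a heredoc, a template file, or the .json attribute of an aws_iam_policy_document data source. A finding on the question's policy points at statement index 1; the scoped variant yields none.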
3 Answers
1 vote

Just pass them in as a variable, or declare them as local values, and iterate over that variable.

For example:

resource "aws_iam_role_policy_attachment" "attach" {
  count      = length(var.policies)
  role       = aws_iam_role.my_role.name
  policy_arn = var.policies[count.index]
}

where var.policies is the list of policies ["arn:aws:iam::aws:policy/AmazonS3FullAccess", "arn:aws:iam::<your_account>:policy/your_policy"].


0 votes

You may need to adapt the policy to your needs, but this is roughly what it looks like. You can do the following:

data "template_file" "test_role_template" {
  template = file("pathToRoleJson")
}

data "template_file" "test_policy_template" {
  template = file("pathToPolicyJson")
  vars = {
    customParam = var.ValueOfParam
  }
}

resource "aws_iam_role" "test_role" {
  name               = "roleName"
  assume_role_policy = data.template_file.test_role_template.rendered
}

#-----------------------------------------
# Customer-managed policy rendered from the policy template file
resource "aws_iam_policy" "test_role_policy" {
  name   = "policyName"
  policy = data.template_file.test_policy_template.rendered
}

# Attach the policy to role test_role
#-----------------------------------------
resource "aws_iam_role_policy_attachment" "nat_ec2_role_policy-attachment" {
  role       = aws_iam_role.test_role.name
  policy_arn = aws_iam_policy.test_role_policy.arn
}



# Role template file (pathToRoleJson): the trust policy.
# "AWS": "*" is carried over from the question; it lets any AWS principal assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sagemaker.amazonaws.com",
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

# Policy template file (pathToPolicyJson): the permissions policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}


resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = aws_iam_role.test_role.name
}

Hope this helps.


0 votes

You can add an inline policy with embedded JSON like this:

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

Or you can use aws_iam_policy_document, which gives better error checking in IDEs such as IntelliJ IDEA:

resource "aws_iam_role_policy" "policy" {
  name = "test-policy"
  role = aws_iam_role.test_role.id

  # aws_iam_policy_document exposes the rendered JSON through its .json attribute
  policy = data.aws_iam_policy_document.allow_ec2_describe.json
}

data "aws_iam_policy_document" "allow_ec2_describe" {
  version = "2012-10-17"

  statement {
    actions = [
      "ec2:Describe*",
    ]
    effect = "Allow"
    resources = [
      "*",
    ]
  }
}

Side note: you can attach AWS managed policies more cleanly with the aws_iam_role_policy_attachment resource and for_each, like this:

# Look up each managed policy by ARN so a bad ARN fails at plan time
data "aws_iam_policy" "managed_policies" {
  for_each = toset(var.iam_policy_arns)
  arn      = each.value
}

resource "aws_iam_role_policy_attachment" "managed_policy_attachments" {
  for_each   = data.aws_iam_policy.managed_policies
  role       = aws_iam_role.test_role.name
  policy_arn = each.value.arn
}

Side note: you can also use aws_iam_policy_document for a cleaner assume_role_policy setup:

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = data.aws_iam_policy_document.allow_ec2_and_sagemaker.json
}

data "aws_iam_policy_document" "allow_ec2_and_sagemaker" {
  version = "2012-10-17"

  statement {
    sid    = "AllowEC2AndSageMaker"
    effect = "Allow"

    actions = [
      "sts:AssumeRole",
    ]

    principals {
      type = "Service"
      identifiers = [
        "ec2.amazonaws.com",
        "sagemaker.amazonaws.com",
      ]
    }
  }
}