Terraform IAM policy creation - MalformedPolicyDocument: The policy failed legacy parsing

Question (0 votes, 1 answer)

I have the Terraform code below for creating an IAM policy. However, on terraform apply I get the error:

Error: creating IAM Policy autoscale-policy: MalformedPolicyDocument: The policy failed legacy parsing

Terraform code:

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 4.52.0"
        }
    }
}

provider "aws" {
    region = "us-west-2"
}

resource "aws_iam_policy" "autoscale_policy" {
    name        = "autoscale-policy"
    description = "EBS Autoscaling Policy"
    policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": {
        "Action": [
            "ec2:AttachVolume",
            "ec2:DescribeVolumeStatus",
            "ec2:DescribeVolumes",
            "ec2:ModifyInstanceAttribute",
            "ec2:DescribeVolumeAttribute",
            "ec2:CreateVolume",
            "ec2:DeleteVolume",
            "ec2:CreateTags",
            "kms:Decrypt",
            "kms:CreateGrant",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }
}
EOT
}

But when I use the AWS CLI with exactly the same policy, the policy is created in AWS without any problem:

    --policy-name TestPolicy \
    --policy-document \
'{
  "Version": "2012-10-17",
  "Statement": {
    "Action": [
        "ec2:AttachVolume",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeVolumeAttribute",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:CreateTags",
        "kms:Decrypt",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Effect": "Allow"
  }
}'

Does anyone see a possible difference between the TF code and the CLI command? Why does my TF code return a MalformedPolicyDocument error when the policy works fine in the CLI?

amazon-web-services terraform amazon-iam
1 answer
3 votes

Statement should be an array.

resource "aws_iam_policy" "autoscale_policy" {
  name        = "autoscale-policy"
  description = "EBS Autoscaling Policy"
  policy      = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "ec2:AttachVolume",
            "ec2:DescribeVolumeStatus",
            "ec2:DescribeVolumes",
            "ec2:ModifyInstanceAttribute",
            "ec2:DescribeVolumeAttribute",
            "ec2:CreateVolume",
            "ec2:DeleteVolume",
            "ec2:CreateTags",
            "kms:Decrypt",
            "kms:CreateGrant",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }]
}
EOT
}

Tested and working.

Or you can use a data resource to define your policy.

resource "aws_iam_policy" "autoscale_policy" {
  name        = "autoscale-policy"
  description = "EBS Autoscaling Policy"
  policy      = data.aws_iam_policy_document.example.json
}

data "aws_iam_policy_document" "example" {
  statement {
    actions = [
      "ec2:AttachVolume",
      "ec2:DescribeVolumeStatus",
      "ec2:DescribeVolumes",
      "ec2:ModifyInstanceAttribute",
      "ec2:DescribeVolumeAttribute",
      "ec2:CreateVolume",
      "ec2:DeleteVolume",
      "ec2:CreateTags",
      "kms:Decrypt",
      "kms:CreateGrant",
      "kms:Encrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
    effect    = "Allow"
  }
}
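The answer's point is structural: the Statement block is expected to be an array of statement objects, and a single bare object is what tripped the provider-side parse. The following is an added example, not code from the question or the answer, that performs that structural pre-check locally before terraform apply is ever run: it parses the policy JSON, reports a single-object Statement, checks each statement for the required Effect/Action/Resource keys and unknown keys, and warns when a statement grants Resource "*" (as the policy on this page does). It also shows the mechanical fix of wrapping the object in an array. The function names (lint_policy, fix_statement_array), the STATEMENT_KEYS set and the shortened sample policy are assumptions of this example; the sample policy is a constructed subset of the one in the question.

```python
"""Structural pre-check for an IAM policy document (added example, not the page's code)."""
import json

# Keys IAM accepts inside a statement object (assumption of this example,
# mirrors the documented IAM JSON policy grammar)
STATEMENT_KEYS = {
    "Sid", "Effect", "Action", "NotAction", "Resource", "NotResource",
    "Principal", "NotPrincipal", "Condition",
}

# Constructed sample: a shortened form of the question's policy, with the
# same defect (Statement is an object, not an array)
QUESTION_POLICY = """{
    "Version": "2012-10-17",
    "Statement": {
        "Action": ["ec2:AttachVolume", "ec2:DescribeVolumes", "kms:Decrypt"],
        "Resource": "*",
        "Effect": "Allow"
    }
}"""


def lint_policy(policy_json: str) -> list:
    """Return findings as 'error: ...' / 'warning: ...' strings; an empty list means clean."""
    findings = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"error: not valid JSON: {exc}"]
    if not isinstance(policy, dict):
        return ["error: top level must be a JSON object"]
    if policy.get("Version") != "2012-10-17":
        findings.append('warning: Version should be "2012-10-17"')
    stmts = policy.get("Statement")
    if stmts is None:
        return findings + ["error: Statement is missing"]
    if isinstance(stmts, dict):
        # The shape used in the question; the canonical form is an array.
        findings.append("error: Statement is a single object; wrap it in an array")
        stmts = [stmts]
    elif not isinstance(stmts, list):
        return findings + ["error: Statement must be an array of statement objects"]
    for i, s in enumerate(stmts):
        where = f"Statement[{i}]"
        if not isinstance(s, dict):
            findings.append(f"error: {where} is not an object")
            continue
        unknown = set(s) - STATEMENT_KEYS
        if unknown:
            findings.append(f"error: {where} has unknown keys {sorted(unknown)}")
        if s.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"error: {where} Effect must be Allow or Deny")
        if "Action" not in s and "NotAction" not in s:
            findings.append(f"error: {where} needs Action or NotAction")
        if "Resource" not in s and "NotResource" not in s:
            findings.append(f"error: {where} needs Resource or NotResource")
        resources = s.get("Resource", [])
        if resources == "*" or (isinstance(resources, list) and "*" in resources):
            # Not a syntax error, but the least-privilege check a reviewer would raise
            findings.append(f'warning: {where} allows Resource "*"; scope it to specific ARNs where possible')
    return findings


def fix_statement_array(policy_json: str) -> str:
    """Rewrite a single-object Statement into the array form the answer recommends."""
    policy = json.loads(policy_json)
    if isinstance(policy.get("Statement"), dict):
        policy["Statement"] = [policy["Statement"]]
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Run against the question's shape, then against the corrected document
    for finding in lint_policy(QUESTION_POLICY):
        print(finding)
    fixed = fix_statement_array(QUESTION_POLICY)
    print(fixed)
    for finding in lint_policy(fixed):
        print(finding)
```

Running this on the question's policy reports the single-object Statement as an error plus the wildcard-resource warning; after fix_statement_array only the warning remains, which is the same trade-off the aws_iam_policy_document version in the answer carries with resources = ["*"]. The data source form avoids the array mistake entirely because the provider serialises each statement block into the array for you.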