I want to give my Terraform user the least privilege possible. I am only creating a VPC.
vpc.tf
# Create VPC
resource "aws_vpc" "santo_vpc" {
  provider   = aws.santo-region
  cidr_block = "10.0.0.0/20"
  tags = {
    Name = "santo-vpc-10.0.0.0/20"
    Prj  = "santo"
  }
}

# Get all availability zones
data "aws_availability_zones" "azs" {
  provider = aws.santo-region
  state    = "available"
}

# Create private subnet
resource "aws_subnet" "santo_private_subnet" {
  provider          = aws.santo-region
  availability_zone = element(data.aws_availability_zones.azs.names, 0)
  vpc_id            = aws_vpc.santo_vpc.id
  cidr_block        = "10.0.3.0/24"
  tags = {
    Name = "santo-private-subnet-10.0.3.0/24"
    Prj  = "santo"
  }
}
The policy attached to this user has the following JSON.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSubnet",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:CreateVpc",
        "ec2:DeleteVpc",
        "ec2:CreateSubnet",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::bucket/prj_terraform_file"
    }
  ]
}
But when I run terraform apply, it gives an error creating the VPC.
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_vpc.prj_vpc: Creating...
╷
│ Error: creating EC2 VPC: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: YZow_Zb22lBD6X5fwqYdXXXXXXXXXXXXXfsQyznUuqTNoyDksW_J9W-eY4ngA5xwiRCoMdY97SlCPaPs7LRHXnF7sSf8pmCZWk0ofsLUnawviO3ICw4eLLpNWFSQYbGRYK3w1H8qzuxfc2rdn_LAkOeZ3qILmz2aNEF8Nh
│ status code: 403, request id: 58b59076-a802-4761-886f-9435f29375be
│
│ with aws_vpc.prj_vpc,
│ on vpc.tf line 3, in resource "aws_vpc" "prj_vpc":
│ 3: resource "aws_vpc" "prj_vpc" {
│
╵
What other permissions do I have to add to create the VPC?
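The error above carries an "Encoded authorization failure message", and the usual way to find out which action IAM actually denied is to decode it with `aws sts decode-authorization-message --encoded-message <blob>` (the caller needs `sts:DecodeAuthorizationMessage`); the `DecodedMessage` field is a JSON document naming the principal, the denied action and the resource. The following script is an added example, not code from the question, that parses such a decoded message and checks whether the policy posted above contains an Allow statement covering the denied action and resource. The decoded message in `SAMPLE_DECODED` is constructed for illustration (its field layout follows the DecodeAuthorizationMessage response, but the denied action shown is an illustrative placeholder, not taken from the asker's account), and the policy evaluator is deliberately simplified: it ignores Deny statements, conditions, NotAction and NotResource, which is enough to spot an action the policy never mentions.

```python
"""Offline triage of a decoded AWS authorization failure message.

Added example, not part of the original question. Assumptions:
- The encoded blob from the Terraform error has been decoded out of band with
  `aws sts decode-authorization-message --encoded-message <blob>` and the
  resulting DecodedMessage JSON string is passed to triage().
- SAMPLE_DECODED is a constructed stand-in for that JSON; the denied action
  it names is illustrative only.
"""
import fnmatch
import json

# Constructed sample decoded message (field names follow the AWS
# DecodeAuthorizationMessage response). The action/resource values are
# illustrative placeholders, not the asker's real denial.
SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAEXAMPLEPRINCIPAL",
                      "arn": "arn:aws:iam::111122223333:user/terraform"},
        "action": "ec2:CreateTags",
        "resource": "arn:aws:ec2:eu-west-1:111122223333:vpc/vpc-0123456789abcdef0",
        "conditions": {"items": []},
    },
})

# The policy from the question, as Python data.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["ec2:DeleteSubnet", "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeVpcs", "ec2:CreateVpc", "ec2:DeleteVpc",
                    "ec2:CreateSubnet", "ec2:DescribeSubnets"],
         "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket"},
        {"Sid": "VisualEditor2", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::bucket/prj_terraform_file"},
    ],
}


def summarize_denial(decoded_message: str) -> dict:
    """Pull the fields a responder cares about out of a decoded message."""
    msg = json.loads(decoded_message)
    ctx = msg["context"]
    return {
        "allowed": msg["allowed"],
        "explicit_deny": msg["explicitDeny"],
        "principal": ctx["principal"]["arn"],
        "action": ctx["action"],
        "resource": ctx["resource"],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _match_action(pattern: str, action: str) -> bool:
    # Action names are matched case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern: str, resource: str) -> bool:
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return fnmatch.fnmatchcase(resource, pattern)


def action_allowed_by_policy(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers both the action and the resource.

    Simplified evaluator: Deny statements, Condition blocks, NotAction and
    NotResource are ignored. Enough to detect an action that is simply absent.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (any(_match_action(p, action) for p in actions)
                and any(_match_resource(p, resource) for p in resources)):
            return True
    return False


def triage(decoded_message: str, policy: dict) -> dict:
    """Combine the denial summary with a check against the attached policy."""
    info = summarize_denial(decoded_message)
    info["covered_by_policy"] = action_allowed_by_policy(
        policy, info["action"], info["resource"])
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DECODED, QUESTION_POLICY).items():
        print(f"{key}: {value}")
```

Run against a real decoded message, `covered_by_policy: False` with `explicit_deny: False` means the policy simply never grants the action and it must be added; `covered_by_policy: True` means something the evaluator ignores (a Deny, a condition, a permission boundary or SCP) is in play and needs a closer look.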