I am using Jenkins to automate Terraform to create my AWS environment. Although Jenkins has the CreateSecurityGroup permission, when Jenkins runs my main Terraform file I get this error:
* aws_security_group.lambda_security_group: aws_security_group.lambda_security_group: UnauthorizedOperation: You are not authorized to perform this operation.status code: 403, request id: 08c21dbe-5b86-4ad1-8ff3-13611bdb178c
Since it has the CreateSecurityGroup permission, I am curious why I cannot perform the operation.
I have made sure these permissions are assigned to the Jenkins role that creates the security group:
{
    "Sid": "AllowEC2Control",
    "Action": [
        "ec2:CreateSecurityGroup"
    ],
    "Effect": "Allow",
    "Resource": [
        "*"
    ]
}
Here is the code from my Terraform file:
Creating the security group:
resource "aws_security_group" "lambda_security_group" {
  name        = "security group"
  description = "Security group for data ingestion lambda"
  vpc_id      = "${var.vpc_id}"

  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    cidr_blocks = [
      "0.0.0.0/0"
    ]
  }

  tags {
    Service     = "${var.tags_service_name}"
    environment = "${var.environment}"
  }
}
Creating the lambda:
resource "aws_lambda_function" "some_lambda" {
  function_name    = "my_lambda"
  s3_bucket        = "${aws_s3_bucket.my_data.bucket}"
  s3_key           = "lambda.zip"
  role             = "${aws_iam_role.my_iam_role.arn}"
  handler          = "lambda_function.lambda_handler"
  runtime          = "python3.6"
  timeout          = 900
  memory_size      = 128
  source_code_hash = "${var.GIT_SHA}"

  vpc_config {
    security_group_ids = [
      "${aws_security_group.lambda_security_group.id}"
    ]
    subnet_ids = "${var.subnets}"
  }
}
Unfortunately, when Jenkins executes the Terraform script, I get the error. I would like to have the proper permissions to create this security group.
You have only authorized your Jenkins to create the security group, but in your Terraform code you also want to add an egress rule.
You must also grant the egress permission. Here is a reference: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#security-group
To be able to add/update/delete the rules, change your IAM policy to:
{
    "Sid": "AllowEC2Control",
    "Action": [
        "ec2:CreateSecurityGroup",
        "ec2:*SecurityGroupEgress",
        "ec2:*SecurityGroupIngress"
    ],
    "Effect": "Allow",
    "Resource": [
        "*"
    ]
}
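As an added example (not part of the question or the answer above), the following Python check compares an IAM policy document against the EC2 actions a Terraform aws_security_group apply issues, honouring IAM-style action wildcards such as "ec2:*SecurityGroupEgress". The two embedded policies are the original one from the question and the corrected one from the answer. The answer names CreateSecurityGroup and the egress/ingress actions; the DescribeSecurityGroups, CreateTags and DeleteSecurityGroup entries in REQUIRED_ACTIONS are my assumption about what a normal apply/destroy cycle also calls, so confirm them against the CloudTrail events of your own provider version before relying on the list.

```python
"""Check whether an IAM policy allows every EC2 action a Terraform
aws_security_group apply needs, using IAM-style action wildcard matching."""
import fnmatch
import json

# Actions the aws_security_group resource issues. The first three are the ones
# the answer names; the rest are assumed from a typical apply/destroy cycle
# (verify against your own CloudTrail before treating this list as complete).
REQUIRED_ACTIONS = [
    "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:DescribeSecurityGroups",
    "ec2:CreateTags",
    "ec2:DeleteSecurityGroup",
]

# Constructed sample: the policy statement from the question.
ORIGINAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowEC2Control",
     "Action": ["ec2:CreateSecurityGroup"],
     "Effect": "Allow",
     "Resource": ["*"]}
  ]
}
""")

# Constructed sample: the corrected statement from the answer.
FIXED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowEC2Control",
     "Action": ["ec2:CreateSecurityGroup",
                "ec2:*SecurityGroupEgress",
                "ec2:*SecurityGroupIngress"],
     "Effect": "Allow",
     "Resource": ["*"]}
  ]
}
""")


def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports only '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, candidates):
    """Return the subset of `candidates` the policy allows.

    An action is allowed when some Allow statement matches it and no Deny
    statement does (an explicit Deny always wins). Only the action dimension
    is evaluated: Resource ARNs and Condition blocks are ignored, and
    statements written with NotAction are skipped rather than interpreted.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            continue  # out of scope for this check
        patterns = _as_list(stmt.get("Action"))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in candidates:
            if any(action_matches(p, action) for p in patterns):
                bucket.add(action)
    return allowed - denied


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Actions from `required` that the policy does not allow, in list order."""
    granted = allowed_actions(policy, required)
    return [a for a in required if a not in granted]


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{label}: missing {missing_actions(policy)}")
```

Running the block shows the original policy missing both egress actions (which is exactly the UnauthorizedOperation Terraform reports when it tries to replace the default egress rule), while the corrected policy still lacks the Describe/Tag/Delete actions assumed above, so it is worth checking a full apply and destroy in a test account before calling the role complete.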