因此,我尝试将多个策略分配给我在policies.tf 文件中定义的用户,并且在运行时显示错误。我正在使用 gitlab 来运行这个,如果我像 aws_iam_policy.s3_policy.arn 一样直接定义 s3_policy ,我也能够解决这个错误。
resource "aws_iam_policy" "s3_policy" {
name = "s3-policy"
description = "S3 IAM policy"
# Define the policy document with the required permissions
policy = <<-JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*"
}
]
}
JSON
}
resource "aws_iam_policy" "ec2_policy" {
name = "ec2-policy"
description = "EC@ IAM policy"
# Define the policy document with the required permissions
policy = <<-JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
}
]
}
JSON
}
# Your aws_iam_user_policy_attachment resource definition
resource "aws_iam_user_policy_attachment" "user_policies" {
for_each = toset(var.user_policies)
user = module.iam_user_module.aws_iam_user.this[0].name
policy_arn = aws_iam_policy[each.value].arn
}
我得到的错误是
错误:参考无效 │ │ 在 module/iam_module/policies.tf 第 43 行,资源“aws_iam_user_policy_attachment”“user_policies”中: │ 43:policy_arn = aws_iam_policy[each.value].arn │ │ 对资源类型的引用必须后跟至少一个属性 │ 访问,指定资源名称。
for_each
元参数的情况下创建的,因此您需要使用以下内容:
resource "aws_iam_policy" "s3_policy" {
name = "s3-policy"
description = "S3 IAM policy"
# Define the policy document with the required permissions
policy = <<-JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*"
}
]
}
JSON
}
resource "aws_iam_policy" "ec2_policy" {
name = "ec2-policy"
description = "EC2 IAM policy"
# Define the policy document with the required permissions
policy = <<-JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
}
]
}
JSON
}
# Your aws_iam_user_policy_attachment resource definition
resource "aws_iam_user_policy_attachment" "ec2_policy" {
user = module.iam_user_module.aws_iam_user.this[0].name
policy_arn = aws_iam_policy.ec2_policy.arn
}
resource "aws_iam_user_policy_attachment" "s3_policy" {
user = module.iam_user_module.aws_iam_user.this[0].name
policy_arn = aws_iam_policy.s3_policy.arn
}
注意,使用隐式引用时,语法为:
<resource type>.<logical name>.<attribute>
或者根据你的情况
| aws_iam_policy | ec2_policy | arn
| resource type | logical name | attribute
由于策略已分配给同一用户,因此可以执行以下操作:
resource "aws_iam_policy" "iam_policies" {
name = "ec2-s3-policy"
description = "EC2 and S3 IAM policy"
# Define the policy document with the required permissions
policy = <<-JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
}
]
}
JSON
}
# Your aws_iam_user_policy_attachment resource definition
resource "aws_iam_user_policy_attachment" "user_policy" {
user = module.iam_user_module.aws_iam_user.this[0].name
policy_arn = aws_iam_policy.iam_policy.arn
}