在 terraform 中运行 IAM 策略附件时遇到问题

问题描述 投票:0回答:1

因此,我尝试将多个策略分配给我在policies.tf 文件中定义的用户,并且在运行时显示错误。我正在使用 gitlab 来运行这个,如果我像 aws_iam_policy.s3_policy.arn 一样直接定义 s3_policy ,我也能够解决这个错误。

resource "aws_iam_policy" "s3_policy" { name = "s3-policy" description = "S3 IAM policy" # Define the policy document with the required permissions policy = <<-JSON { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*" } ] } JSON } resource "aws_iam_policy" "ec2_policy" { name = "ec2-policy" description = "EC@ IAM policy" # Define the policy document with the required permissions policy = <<-JSON { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*" } ] } JSON } # Your aws_iam_user_policy_attachment resource definition resource "aws_iam_user_policy_attachment" "user_policies" { for_each = toset(var.user_policies) user = module.iam_user_module.aws_iam_user.this[0].name policy_arn = aws_iam_policy[each.value].arn } 
我得到的错误是




错误:参考无效
│
│ 在 module/iam_module/policies.tf 第 43 行,资源“aws_iam_user_policy_attachment”“user_policies”中:
│ 43:policy_arn = aws_iam_policy[each.value].arn
│
│ 对资源类型的引用必须后跟至少一个属性
│ 访问,指定资源名称。



    



    
    amazon-web-services
    
    terraform
    
    terraform-provider-aws
    
    
1个回答

    

      
      
      

        

          

            

              
1
投票

              
            

          

        

        
策略资源是在没有使用 
for_each
 元参数的情况下创建的,因此您需要使用以下内容:


resource "aws_iam_policy" "s3_policy" {
  name        = "s3-policy"
  description = "S3 IAM policy"

  # Define the policy document with the required permissions
  policy = <<-JSON
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "*"
      }
    ]
  }
  JSON
}

resource "aws_iam_policy" "ec2_policy" {
  name        = "ec2-policy"
  description = "EC2 IAM policy"

  # Define the policy document with the required permissions
  policy = <<-JSON
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*"
      }
    ]
  }
  JSON
}


# Your aws_iam_user_policy_attachment resource definition
resource "aws_iam_user_policy_attachment" "ec2_policy" {
  user       = module.iam_user_module.aws_iam_user.this[0].name
  policy_arn = aws_iam_policy.ec2_policy.arn
}

resource "aws_iam_user_policy_attachment" "s3_policy" {
  user       = module.iam_user_module.aws_iam_user.this[0].name
  policy_arn = aws_iam_policy.s3_policy.arn
}

注意,使用
隐式引用时,语法为:

<resource type>.<logical name>.<attribute>

或者根据你的情况


| aws_iam_policy  | ec2_policy    | arn
| resource type   | logical name  | attribute

由于策略已分配给同一用户,因此可以执行以下操作:


resource "aws_iam_policy" "iam_policies" {
  name        = "ec2-s3-policy"
  description = "EC2 and S3 IAM policy"

  # Define the policy document with the required permissions
  policy = <<-JSON
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*"
      }
    ]
  }
  JSON
}


# Your aws_iam_user_policy_attachment resource definition
resource "aws_iam_user_policy_attachment" "user_policy" {
  user       = module.iam_user_module.aws_iam_user.this[0].name
  policy_arn = aws_iam_policy.iam_policy.arn
}

    



      

      
    

  

  

    
最新问题


  





  

    © www.soinside.com 2019 - 2024. All rights reserved.