The IAM role and force-detach policies are defined for the log group and the DynamoDB tables, but in the code `force_detach_policies` does not accept the defined policies; instead it expects a boolean value (true/false).
**Note: Terraform resource for AWS_IAM_ROLE.**

```hcl
# Data sources referenced below (declared here so the snippet is self-contained)
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_iam_role" "get_applicant_group_file_iam_role_lambda_execution" {
  name = join("-", ["backend", "dev", "getApplicantGroupFile", data.aws_region.current.name, "lambdaRole"])
  path = "/"

  # force_detach_policies is a boolean flag, not a list of policies: it only
  # tells Terraform to detach any attached policies before destroying the role.
  force_detach_policies = true

  # Trust policy: who is allowed to assume this role
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = ["lambda.amazonaws.com"] }
        Action    = ["sts:AssumeRole"]
      }
    ]
  })

  # No managed policies are attached to this role
  managed_policy_arns = []
}

# Permissions policy: the document that was placed under force_detach_policies
# belongs in an inline role policy (aws_iam_role_policy) attached to the role.
resource "aws_iam_role_policy" "get_applicant_group_file_lambda" {
  name = join("-", ["backend", "dev", "lambda"])
  role = aws_iam_role.get_applicant_group_file_iam_role_lambda_execution.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # Policy for creating the log group/stream and putting log events
      {
        Effect = "Allow"
        Action = [
          "logs:CreateLogStream",
          "logs:CreateLogGroup",
          "logs:PutLogEvents"
        ]
        Resource = [
          "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/backend-dev-getApplicantGroupFile:*:*"
        ]
      },
      # Policy for the DynamoDB table and its GSI
      {
        Effect = "Allow"
        Action = [
          "dynamodb:DescribeTable",
          "dynamodb:Query",
          "dynamodb:GetItem",
          "dynamodb:PutItem",
          "dynamodb:UpdateItem"
        ]
        Resource = [
          "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/job-app-backend-dev",
          "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/job-app-backend-dev/index/GSI1"
        ]
      },
      # Read-only access to objects in the media bucket
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject"]
        Resource = "arn:aws:s3:::jobapp.pk-dev-us-east-1-media/*"
      }
    ]
  })
}
```
I have already defined the boolean expression, but that is not the solution I am looking for.
If policies are attached to the role through the `aws_iam_policy_attachment` resource and you want to modify the role name or path, you must set the `force_detach_policies` argument to `true` and apply it before attempting the operation; otherwise you will run into a `DeleteConflict` error. The `aws_iam_role_policy_attachment` resource (recommended) does not have this requirement.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
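The following is an added example, not code from the question or the answer above, showing the recommended pattern the answer refers to: a customer-managed policy scoped to the Lambda's log group, attached with `aws_iam_role_policy_attachment`, with `force_detach_policies = true` kept on the role so that a later rename or path change can still destroy it cleanly. The resource names, the policy name `backend-dev-lambda-logs`, and the function name are constructed for illustration.

```hcl
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Constructed example: execution role whose name or path may change later
resource "aws_iam_role" "lambda_execution" {
  name = "backend-dev-getApplicantGroupFile-${data.aws_region.current.name}-lambdaRole"
  path = "/"

  # Boolean only. On destroy/replace, Terraform first detaches whatever policies
  # are still attached, so the role delete does not fail with DeleteConflict.
  # Required when attachments are managed with aws_iam_policy_attachment;
  # harmless with aws_iam_role_policy_attachment.
  force_detach_policies = true

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least-privilege customer-managed policy: write access to this function's
# log group only, nothing account-wide.
resource "aws_iam_policy" "lambda_logs" {
  name = "backend-dev-lambda-logs"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/backend-dev-getApplicantGroupFile:*:*"
    }]
  })
}

# Recommended: one attachment per (role, policy) pair. It references the role
# by name, so replacing the role replaces this attachment with it; no manual
# detach step is needed before a rename.
resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.lambda_execution.name
  policy_arn = aws_iam_policy.lambda_logs.arn
}

# Not used here: aws_iam_policy_attachment (name, roles, policy_arn) claims
# exclusive ownership of every attachment of that policy across the account,
# and a role rename under it is what triggers DeleteConflict unless
# force_detach_policies = true was already applied on the role.
```

Review the resulting policy with `terraform plan` before applying: the diff should show a single attachment to the new role and no wildcard log-group ARNs.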