我正在尝试将资源 AWS IAM 策略添加到 Terraform 中的 lambda 函数,IAM 策略没有任何条件,但有资源,但是 Terraform 正在条件中添加相同的资源。
resource "aws_lambda_permission" "lambda_function" {
statement_id = "AllowSecretsManagerInvoke"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.myfunction.function_name
principal = "secretsmanager.amazonaws.com"
source_arn = aws_lambda_function.myfunction.arn
}
理想的资源策略应创建如下
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "SecretsManagerInvoke",
"Effect": "Allow",
"Principal": {
"Service": "secretsmanager.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:{region}:{account}:function:myfunction"
}
]
}
但是 terraform 正在制定如下政策:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "AllowSecretsManagerInvoke",
"Effect": "Allow",
"Principal": {
"Service": "secretsmanager.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:arn:aws:lambda:{region}:{account}:function:myfunction",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:lambda:arn:aws:lambda:{region}:{account}:function:myfunction"
}
}
}
]
}
删除
source_arn
解决了该问题。当您指定 aws_lambda_permission
参数时,Terraform 中的 source_arn
资源会自动添加条件。
resource "aws_lambda_permission" "lambda_function" {
statement_id = "AllowSecretsManagerInvoke"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.myfunction.function_name
principal = "secretsmanager.amazonaws.com"
}