如何为 aws_iam_policy_document 创建可重用的语句块?

How to create a reusable block of statement for aws_iam_policy_document?

我有几个aws_iam_policy_document像这样

策略 1

data "aws_iam_policy_document" "policy1" {
  statement {
    actions = [
      "rds:DescribeDBSnapshots"
    ]
    resources = [
      "arn:aws:rds:${var.region}:${local.account_id}:db:*
    ]
  }
  statement {
    actions = [
      "rds:RestoreDBInstanceFromDBSnapshot"
    ]
    resources = [
      "arn:aws:rds:${var.region}:${local.account_id}:db:*s",
      "arn:aws:rds:${var.region}:${local.account_id}:snapshot:*"

    ]
  }
}

政策2

data "aws_iam_policy_document" "policy2" {
  statement {
    actions = [
      "rds:DescribeDBInstances",
      "rds:ModifyDBInstance"
    ]
    resources = [
      "arn:aws:rds:${var.region}:${local.account_id}:db:*",
      "arn:aws:rds:${var.region}:${local.account_id}:db:*"
    ]
  }

}

我还有一些政策,它们都有一些变化。

现在我希望能够为所有这些政策插入相同的 statement 块。

尚未测试,但语句将如下所示:

statement {

    action = [
        "ssm:GetParameter" 

    ]
    resources = [

"arn:aws:ssm:${var.region}:${local.account_id}:parameter/lambda/*"
    ]

}

最有效的方法是什么?我想避免将相同的语句块复制并粘贴到所有策略。

我可以使用 source_json 关键字。

这是一个例子:

首先,在新政策文件中定义共同政策

  data "aws_iam_policy_document" "common" {
    statement {

        action = [
            "ssm:GetParameter" 

        ]
        resources = [

    "arn:aws:ssm:${var.region}:${local.account_id}:parameter/lambda/*"
        ]

    }
  }

然后在现有的政策文件中,使用source_json

data "aws_iam_policy_document" "policy1" {
  source_json = "${data.aws_iam_policy_document.common.json}"
  statement {
     ....
  }
}