如何为 aws_iam_policy_document 创建可重用的语句块?
How to create a reusable block of statement for aws_iam_policy_document?
我有几个aws_iam_policy_document像这样
策略 1
data "aws_iam_policy_document" "policy1" {
statement {
actions = [
"rds:DescribeDBSnapshots"
]
resources = [
"arn:aws:rds:${var.region}:${local.account_id}:db:*
]
}
statement {
actions = [
"rds:RestoreDBInstanceFromDBSnapshot"
]
resources = [
"arn:aws:rds:${var.region}:${local.account_id}:db:*s",
"arn:aws:rds:${var.region}:${local.account_id}:snapshot:*"
]
}
}
政策2
data "aws_iam_policy_document" "policy2" {
statement {
actions = [
"rds:DescribeDBInstances",
"rds:ModifyDBInstance"
]
resources = [
"arn:aws:rds:${var.region}:${local.account_id}:db:*",
"arn:aws:rds:${var.region}:${local.account_id}:db:*"
]
}
}
我还有一些政策,它们都有一些变化。
现在我希望能够为所有这些政策插入相同的 statement 块。
尚未测试,但语句将如下所示:
statement {
action = [
"ssm:GetParameter"
]
resources = [
"arn:aws:ssm:${var.region}:${local.account_id}:parameter/lambda/*"
]
}
最有效的方法是什么?我想避免将相同的语句块复制并粘贴到所有策略。
我可以使用 source_json 关键字。
这是一个例子:
首先,在新政策文件中定义共同政策
data "aws_iam_policy_document" "common" {
statement {
action = [
"ssm:GetParameter"
]
resources = [
"arn:aws:ssm:${var.region}:${local.account_id}:parameter/lambda/*"
]
}
}
然后在现有的政策文件中,使用source_json
data "aws_iam_policy_document" "policy1" {
source_json = "${data.aws_iam_policy_document.common.json}"
statement {
....
}
}
我有几个aws_iam_policy_document像这样
策略 1
data "aws_iam_policy_document" "policy1" {
statement {
actions = [
"rds:DescribeDBSnapshots"
]
resources = [
"arn:aws:rds:${var.region}:${local.account_id}:db:*
]
}
statement {
actions = [
"rds:RestoreDBInstanceFromDBSnapshot"
]
resources = [
"arn:aws:rds:${var.region}:${local.account_id}:db:*s",
"arn:aws:rds:${var.region}:${local.account_id}:snapshot:*"
]
}
}
政策2
data "aws_iam_policy_document" "policy2" {
statement {
actions = [
"rds:DescribeDBInstances",
"rds:ModifyDBInstance"
]
resources = [
"arn:aws:rds:${var.region}:${local.account_id}:db:*",
"arn:aws:rds:${var.region}:${local.account_id}:db:*"
]
}
}
我还有一些政策,它们都有一些变化。
现在我希望能够为所有这些政策插入相同的 statement 块。
尚未测试,但语句将如下所示:
statement {
action = [
"ssm:GetParameter"
]
resources = [
"arn:aws:ssm:${var.region}:${local.account_id}:parameter/lambda/*"
]
}
最有效的方法是什么?我想避免将相同的语句块复制并粘贴到所有策略。
我可以使用 source_json 关键字。
这是一个例子:
首先,在新政策文件中定义共同政策
data "aws_iam_policy_document" "common" {
statement {
action = [
"ssm:GetParameter"
]
resources = [
"arn:aws:ssm:${var.region}:${local.account_id}:parameter/lambda/*"
]
}
}
然后在现有的政策文件中,使用source_json
data "aws_iam_policy_document" "policy1" {
source_json = "${data.aws_iam_policy_document.common.json}"
statement {
....
}
}