使用值列表中的值在 aws_iam_policy_document 中创建多个语句 (TF 1.13)
Create multiple statements in aws_iam_policy_document with values from list of values (TF 1.13)
我有以下 variable：
# Identities that will be trusted to assume the role: every entry becomes one
# AWS-principal statement in the policy document below. Declared as a set, so
# duplicates collapse and the order of entries is not significant.
variable "roles" {
  type    = set(string)
  default = ["A", "B"] # sample placeholders; with principal type "AWS" these would be account or role ARNs in practice
}
我想为每个值创建一个 aws_iam_policy_document
和一个 sts:AssumeRole
操作。
我试过了
# First attempt: one fixed statement for the EC2 service plus one statement per
# entry of var.roles. This is the configuration the plan output below came from.
data "aws_iam_policy_document" "service_role_trust_node_workers" {
statement {
effect = "Allow"
principals {
# NOTE(review): "ec2.amazon.com" is not the EC2 service principal; the documented
# one is "ec2.amazonaws.com". Confirm before relying on this trust statement.
identifiers = ["ec2.amazon.com"]
type = "Service"
}
actions = ["sts:AssumeRole"]
}
# for_each at this level is the data source's own meta-argument: it instantiates
# the whole data source once per role instead of repeating the statement below,
# so every instance carries a single AWS-principal statement. That is consistent
# with the plan output showing only "B". Repeating a statement inside one
# document needs a dynamic "statement" block instead.
for_each = var.roles
statement {
effect = "Allow"
# For a set(string), each.key equals each.value, hence a Sid such as "B-B".
# NOTE(review): IAM's Sid grammar is restricted (alphanumeric for IAM policies),
# so a hyphenated value may be rejected — confirm against the target policy type.
sid = "${each.key}-${each.value}"
principals {
identifiers = [
each.value
]
type = "AWS"
}
actions = [
"sts:AssumeRole"
]
}
}
但这会产生这个
json = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ec2.amazon.com"
}
+ Sid = ""
},
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ AWS = "B"
}
+ Sid = "B-B"
},
]
+ Version = "2012-10-17"
}
)
所以出于某种原因，A 被忽略了。
有什么建议吗?
好的,找到了:)
# One trust statement per entry of var.roles: each value is a principal of
# type "AWS" permitted to call sts:AssumeRole on whichever role uses this
# document as its assume-role policy. No sid is set, so the statements are
# distinguishable only by their principal.
dynamic "statement" {
  for_each = var.roles
  iterator = principal

  content {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # Whatever is listed in var.roles becomes a trusted identity here, so keep
    # that variable to explicit account or role ARNs (no wildcards) and review
    # changes to it like any other trust-policy change.
    principals {
      type        = "AWS"
      identifiers = [principal.value]
    }
  }
}
我有以下 variable：
# Identities that will be trusted to assume the role: every entry becomes one
# AWS-principal statement in the policy document below. Declared as a set, so
# duplicates collapse and the order of entries is not significant.
variable "roles" {
  type    = set(string)
  default = ["A", "B"] # sample placeholders; with principal type "AWS" these would be account or role ARNs in practice
}
我想为每个值创建一个 aws_iam_policy_document
和一个 sts:AssumeRole
操作。
我试过了
# First attempt: one fixed statement for the EC2 service plus one statement per
# entry of var.roles. This is the configuration the plan output below came from.
data "aws_iam_policy_document" "service_role_trust_node_workers" {
statement {
effect = "Allow"
principals {
# NOTE(review): "ec2.amazon.com" is not the EC2 service principal; the documented
# one is "ec2.amazonaws.com". Confirm before relying on this trust statement.
identifiers = ["ec2.amazon.com"]
type = "Service"
}
actions = ["sts:AssumeRole"]
}
# for_each at this level is the data source's own meta-argument: it instantiates
# the whole data source once per role instead of repeating the statement below,
# so every instance carries a single AWS-principal statement. That is consistent
# with the plan output showing only "B". Repeating a statement inside one
# document needs a dynamic "statement" block instead.
for_each = var.roles
statement {
effect = "Allow"
# For a set(string), each.key equals each.value, hence a Sid such as "B-B".
# NOTE(review): IAM's Sid grammar is restricted (alphanumeric for IAM policies),
# so a hyphenated value may be rejected — confirm against the target policy type.
sid = "${each.key}-${each.value}"
principals {
identifiers = [
each.value
]
type = "AWS"
}
actions = [
"sts:AssumeRole"
]
}
}
但这会产生这个
json = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ec2.amazon.com"
}
+ Sid = ""
},
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ AWS = "B"
}
+ Sid = "B-B"
},
]
+ Version = "2012-10-17"
}
)
所以出于某种原因，A 被忽略了。
有什么建议吗?
好的,找到了:)
# One trust statement per entry of var.roles: each value is a principal of
# type "AWS" permitted to call sts:AssumeRole on whichever role uses this
# document as its assume-role policy. No sid is set, so the statements are
# distinguishable only by their principal.
dynamic "statement" {
  for_each = var.roles
  iterator = principal

  content {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # Whatever is listed in var.roles becomes a trusted identity here, so keep
    # that variable to explicit account or role ARNs (no wildcards) and review
    # changes to it like any other trust-policy change.
    principals {
      type        = "AWS"
      identifiers = [principal.value]
    }
  }
}