AWS Macie 和 Terraform - Select 帐户中的所有 S3 存储桶
AWS Macie & Terraform - Select all S3 buckets in account
我正在使用 terraform 启用 AWS Macie 2,并且我正在定义一个默认分类作业,如下所示:
resource "aws_macie2_account" "member" {}
resource "aws_macie2_classification_job" "member" {
job_type = "ONE_TIME"
name = "S3 PHI Discovery default"
s3_job_definition {
bucket_definitions {
account_id = var.account_id
buckets = ["S3 BUCKET NAME 1", "S3 BUCKET NAME 2"]
}
}
depends_on = [aws_macie2_account.member]
}
AWS Macie 需要要分析的 S3 存储桶列表。我想知道是否有办法 select 一个帐户中的所有存储桶,使用通配符或其他方法。我们的生产帐户包含数百个 S3 存储桶,并且在 s3_job_definition 中对每个值进行硬编码是不可行的。
有什么想法吗?
遗憾的是,Terraform AWS 提供商目前不支持用于列出 S3 存储桶的数据源。对于这种情况(Terraform 不支持的数据源),常见的方法是通过外部数据源使用 AWS CLI。
这些是我喜欢用于 CLI/shell 命令的模块:
- As a data source(每次重新运行)
- As a resource(仅在重新创建资源或更改触发器时重新运行)
使用数据源版本,它看起来像:
module "list_buckets" {
source = "Invicton-Labs/shell-data/external"
version = "0.1.6"
// Since the command is the same on both Unix and Windows, it's ok to just
// specify one and not use the `command_windows` input arg
command_unix = "aws s3api list-buckets --output json"
// You want Terraform to fail if it can't get the list of buckets for some reason
fail_on_error = true
// Specify your AWS credentials as environment variables
environment = {
AWS_PROFILE = "myprofilename"
// Alternatively, although not recommended:
// AWS_ACCESS_KEY_ID = "..."
// AWS_SECRET_ACCESS_KEY = "..."
}
}
output "buckets" {
// We specified JSON format for the output, so decode it to get a list
value = jsondecode(module.list_buckets.stdout).Buckets
}
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
buckets = [
{
"CreationDate" = "2021-07-15T18:10:20+00:00"
"Name" = "bucket-foo"
},
{
"CreationDate" = "2021-07-15T18:11:10+00:00"
"Name" = "bucket-bar"
},
]
我正在使用 terraform 启用 AWS Macie 2,并且我正在定义一个默认分类作业,如下所示:
resource "aws_macie2_account" "member" {}
resource "aws_macie2_classification_job" "member" {
job_type = "ONE_TIME"
name = "S3 PHI Discovery default"
s3_job_definition {
bucket_definitions {
account_id = var.account_id
buckets = ["S3 BUCKET NAME 1", "S3 BUCKET NAME 2"]
}
}
depends_on = [aws_macie2_account.member]
}
AWS Macie 需要要分析的 S3 存储桶列表。我想知道是否有办法 select 一个帐户中的所有存储桶,使用通配符或其他方法。我们的生产帐户包含数百个 S3 存储桶,并且在 s3_job_definition 中对每个值进行硬编码是不可行的。
有什么想法吗?
遗憾的是,Terraform AWS 提供商目前不支持用于列出 S3 存储桶的数据源。对于这种情况(Terraform 不支持的数据源),常见的方法是通过外部数据源使用 AWS CLI。
这些是我喜欢用于 CLI/shell 命令的模块:
- As a data source(每次重新运行)
- As a resource(仅在重新创建资源或更改触发器时重新运行)
使用数据源版本,它看起来像:
module "list_buckets" {
source = "Invicton-Labs/shell-data/external"
version = "0.1.6"
// Since the command is the same on both Unix and Windows, it's ok to just
// specify one and not use the `command_windows` input arg
command_unix = "aws s3api list-buckets --output json"
// You want Terraform to fail if it can't get the list of buckets for some reason
fail_on_error = true
// Specify your AWS credentials as environment variables
environment = {
AWS_PROFILE = "myprofilename"
// Alternatively, although not recommended:
// AWS_ACCESS_KEY_ID = "..."
// AWS_SECRET_ACCESS_KEY = "..."
}
}
output "buckets" {
// We specified JSON format for the output, so decode it to get a list
value = jsondecode(module.list_buckets.stdout).Buckets
}
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
buckets = [
{
"CreationDate" = "2021-07-15T18:10:20+00:00"
"Name" = "bucket-foo"
},
{
"CreationDate" = "2021-07-15T18:11:10+00:00"
"Name" = "bucket-bar"
},
]