如何将托管策略与 iam 角色一起使用
How to use managed policy with iam role
我正在使用 terragrunt 调用我的 terraform module.I 有一个 terragrunt.hcl 用于我的开发,另一个用于测试 environment.I 希望能够附加 AWS 托管策略 (AdministratorAccess)使用输入变量到我的开发帐户和 (AmazonEC2FullAccess) 我的测试帐户,这样我就可以删除 aws_iam_role_policy 部分
中的策略行
terragrunt.hcl
terraform {
source = "..//module/vpc"
}
include {
path = find_in_parent_folders()
}
inputs = {
}
main.tf
resource "aws_iam_role" "GitHubActions" {
name = var.GithubAction_role
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRoleWithWebIdentity",
"Principal":{
"Federated": "${aws_iam_openid_connect_provider.github_oidc_github_actions.arn}"
}
}
EOF
}
resource "aws_iam_role_policy" "GitHubActions"{
name = var.policy
role = aws_iam_role.GitHubActions.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement":[
{
"Sid": "",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
EOF
}
我不确定是否完全理解您的问题。您不能将 IAM Policy 附加到帐户。但是,您可以将它附加到 IAM Role,这似乎是您的目标?如果是,您可以使用 data source:
data "aws_iam_policy" "AmazonEC2FullAccess" {
arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}
resource "aws_iam_role_policy_attachment" "attachment" {
role = aws_iam_role.GitHubActions.name
policy_arn = data.aws_iam_policy.AmazonEC2FullAccess.arn
}
参见 iam_role_policy_attachment and iam policy 数据源。
我正在使用 terragrunt 调用我的 terraform module.I 有一个 terragrunt.hcl 用于我的开发,另一个用于测试 environment.I 希望能够附加 AWS 托管策略 (AdministratorAccess)使用输入变量到我的开发帐户和 (AmazonEC2FullAccess) 我的测试帐户,这样我就可以删除 aws_iam_role_policy 部分
中的策略行terragrunt.hcl
terraform {
source = "..//module/vpc"
}
include {
path = find_in_parent_folders()
}
inputs = {
}
main.tf
resource "aws_iam_role" "GitHubActions" {
name = var.GithubAction_role
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRoleWithWebIdentity",
"Principal":{
"Federated": "${aws_iam_openid_connect_provider.github_oidc_github_actions.arn}"
}
}
EOF
}
resource "aws_iam_role_policy" "GitHubActions"{
name = var.policy
role = aws_iam_role.GitHubActions.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement":[
{
"Sid": "",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
EOF
}
我不确定是否完全理解您的问题。您不能将 IAM Policy 附加到帐户。但是,您可以将它附加到 IAM Role,这似乎是您的目标?如果是,您可以使用 data source:
data "aws_iam_policy" "AmazonEC2FullAccess" {
arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}
resource "aws_iam_role_policy_attachment" "attachment" {
role = aws_iam_role.GitHubActions.name
policy_arn = data.aws_iam_policy.AmazonEC2FullAccess.arn
}
参见 iam_role_policy_attachment and iam policy 数据源。