具有策略分配的terraform aws iam角色
具有策略分配的terraform aws iam角色
提问于 2020-09-22 18:37:04
我正在尝试自动化一个市集,这也需要访问s3桶。因此,我创建了一个s3桶
resource "aws_s3_bucket" "ddve6" {
bucket = "js-ddve6-bucket"
}
output "S3_bucket_name" {
value = aws_s3_bucket.ddve6.bucket
description = "The value you do need for DDVE configuration on the bucket name!"
}所以ami可以访问这个桶,我通常会创建一个IAM策略,我也是用terraform创建的
resource "aws_iam_policy" "js_iam_policy_ddve6_s3" {
name = "js_ddve6_iam_policy"
path = "/"
description = "My test policy"
policy = file("jspolicy.json")
# I do need to have a s3 storage created first
depends_on = [aws_s3_bucket.ddve6]
}jspolicy.json看起来像:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::js-ddve6-bucket",
"arn:aws:s3:::js-ddve6-bucket/*"
]
}
]
}为了将其紧密地应用到ec2实例中,我通常会在aws控制台中使用并创建一个角色,并将该角色附加到带有普通用例ec2的ec2访问中。将创建的策略附加到此角色,并创建一个没有权限边界的角色。没有标记,所以我来到配置:
Trusted entitiesAWS service: ec2.amazonaws.com
Policies: js_ddve6_iam_policy
Permissions boundary: Permissions boundary is not set在地形上我创造了一个角色
resource "aws_iam_role" "js_ec2_s3_access_iam_role" {
name = "js_ddve6_iam_role"
assume_role_policy = file("jsrolepolicy.json")
}而jsrolepolicy.json包含
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}我确实将iam策略分配给iam角色
resource "aws_iam_role_policy_attachment" "assign-policy-to-role-attach" {
role = aws_iam_role.js_ec2_s3_access_iam_role.name
policy_arn = aws_iam_policy.js_iam_policy_ddve6_s3.arn
depends_on = [aws_iam_policy.js_iam_policy_ddve6_s3]
}和一个aws_iam_instance_profile
resource "aws_iam_instance_profile" "js_ddve_profile" {
name = "jd_ddve_profile"
role = aws_iam_role.js_ec2_s3_access_iam_role.name
}使用一个
resource "aws_iam_instance_profile" "js_ddve_profile" {
name = "jd_ddve_profile"
role = aws_iam_role.js_ec2_s3_access_iam_role.name
}我所述的实例确实得到了iam_instance_profile = aws_iam_instance_profile.js_ddve_profile.name
我确实得到了一个角色,但是这个角色不是附加的策略,我也没有将ec2实例部署到:
resource "aws_instance" "terraform_ddve" {
ami = lookup(var.ami_id, var.region)
instance_type = var.instance_type
subnet_id = "subnet-024c26c397520c8f2"
# key name
key_name = var.key_name
# Security group assign to instance
vpc_security_group_ids = [aws_security_group.ddve6.id]
# tighten things up
iam_instance_profile = aws_iam_instance_profile.js_ddve_profile.name
tags = {
Name = var.ddve_name
}
# before we can start or create a ressource we need:
depends_on = [aws_security_group.ddve6, aws_s3_bucket.ddve6, aws_ebs_volume.ebs_volume[0]]
}为什么?
回答 1
Stack Overflow用户
发布于 2020-09-22 23:21:58
这可能是因为创建实例配置文件所花费的时间比预期的要长。在创建实例之前,terraform不会等待它“完全可用”。因此,实例部署无法查找尚未存在的配置文件。
克服此问题的最基本方法是在代码中添加一些延迟的,以便配置文件有足够的时间创建。
resource "aws_iam_instance_profile" "js_ddve_profile" {
name = "jd_ddve_profile"
role = aws_iam_role.js_ec2_s3_access_iam_role.name
provisioner "local-exec" {
command = "sleep 20"
}
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/64015811
复制相关文章
相似问题
腾讯云开发者
