
Facing an issue when running Terraform for an IAM policy attachment

  •  0
  • Ankit Kushwaha  · Technical Community  · 1 year ago

    So I'm trying to assign multiple policies to a user that I have defined in my policies.tf file, and when it runs it shows an error. I'm using GitLab to run this. I can also work around the error if I reference s3_policy directly, like aws_iam_policy.s3_policy.arn.

    resource "aws_iam_policy" "s3_policy" {
      name        = "s3-policy"
      description = "S3 IAM policy"
        
      # Define the policy document with the required permissions
      policy = <<-JSON
        {
           "Version": "2012-10-17",
           "Statement": [
             {
               "Effect": "Allow",
               "Action": "s3:GetObject",
               "Resource": "*"
             }
           ]
        }
        JSON
    }
        
    resource "aws_iam_policy" "ec2_policy" {
      name        = "ec2-policy"
      description = "EC2 IAM policy"
        
      # Define the policy document with the required permissions
      policy = <<-JSON
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "ec2:*",
              "Resource": "*"
            }
          ]
        }
        JSON
    }
    
    # Your aws_iam_user_policy_attachment resource definition
    resource "aws_iam_user_policy_attachment" "user_policies" {
      for_each = toset(var.user_policies)
        
      user   = module.iam_user_module.aws_iam_user.this[0].name
        
      policy_arn = aws_iam_policy[each.value].arn
    }
    

    The error I get is:

    Error: Invalid reference

      on modules/iam_module/policies.tf line 43, in resource "aws_iam_user_policy_attachment" "user_policies":
      43:   policy_arn = aws_iam_policy[each.value].arn

    A reference to a resource type must be followed by at least one attribute access, specifying the resource name.

    1 answer  |  1 year ago

  •  1
  •   Marko E    1 year ago

    The policy resources were not created with the for_each meta-argument, so you need to use the following:

    resource "aws_iam_policy" "s3_policy" {
      name        = "s3-policy"
      description = "S3 IAM policy"
    
      # Define the policy document with the required permissions
      policy = <<-JSON
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "*"
          }
        ]
      }
      JSON
    }
    
    resource "aws_iam_policy" "ec2_policy" {
      name        = "ec2-policy"
      description = "EC2 IAM policy"
    
      # Define the policy document with the required permissions
      policy = <<-JSON
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
          }
        ]
      }
      JSON
    }
    
    
    # Your aws_iam_user_policy_attachment resource definition
    resource "aws_iam_user_policy_attachment" "ec2_policy" {
      user       = module.iam_user_module.aws_iam_user.this[0].name
      policy_arn = aws_iam_policy.ec2_policy.arn
    }
    
    resource "aws_iam_user_policy_attachment" "s3_policy" {
      user       = module.iam_user_module.aws_iam_user.this[0].name
      policy_arn = aws_iam_policy.s3_policy.arn
    }
    

    Note that when using implicit references, the syntax is:

    <resource type>.<logical name>.<attribute>
    

    or, in your case:

    | aws_iam_policy | ec2_policy   | arn       |
    | resource type  | logical name | attribute |
    

    Since the policies are assigned to the same user, you could also do the following:

    resource "aws_iam_policy" "iam_policies" {
      name        = "ec2-s3-policy"
      description = "EC2 and S3 IAM policy"
    
      # Define the policy document with the required permissions
      policy = <<-JSON
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
          }
        ]
      }
      JSON
    }
    
    
    # Your aws_iam_user_policy_attachment resource definition
    resource "aws_iam_user_policy_attachment" "user_policy" {
      user       = module.iam_user_module.aws_iam_user.this[0].name
      policy_arn = aws_iam_policy.iam_policies.arn
    }
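If the goal is to keep the attachment driven by `for_each` as in the question, the policies themselves must also be created with `for_each` so that the resource is a map that can be indexed by key. The following is an added example, not code from the question or the answer; the `var.user_policies` map shape is an assumption, and the user reference is the one the post already uses:

```hcl
# Assumed variable (not from the original post): one entry per policy to create and attach.
variable "user_policies" {
  type = map(object({
    description = string
    actions     = list(string)
    resources   = list(string)
  }))
  default = {
    s3 = {
      description = "S3 IAM policy"
      actions     = ["s3:GetObject"]
      resources   = ["*"]
    }
    ec2 = {
      description = "EC2 IAM policy"
      actions     = ["ec2:*"]
      resources   = ["*"]
    }
  }
}

# With for_each, aws_iam_policy.user_policies is a map keyed by "s3" and "ec2",
# so aws_iam_policy.user_policies["s3"].arn is a valid reference.
resource "aws_iam_policy" "user_policies" {
  for_each = var.user_policies

  name        = "${each.key}-policy"
  description = each.value.description

  # jsonencode avoids heredoc indentation mistakes in the policy document
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = each.value.actions
      Resource = each.value.resources
    }]
  })
}

# Attach each policy under the same key; each.key matches the index of the policy resource.
resource "aws_iam_user_policy_attachment" "user_policies" {
  for_each = var.user_policies

  user       = module.iam_user_module.aws_iam_user.this[0].name
  policy_arn = aws_iam_policy.user_policies[each.key].arn
}
```

Adding a new entry to `var.user_policies` then creates and attaches one more policy without touching the resource blocks, and removing an entry destroys only that policy and its attachment.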