使用 terraform 创建具有多个 IAM 策略的多个 IAM 组

【问题标题】:Creating multiple IAM groups with multiple IAM policies using terraform使用 terraform 创建具有多个 IAM 策略的多个 IAM 组
【发布时间】:2020-11-11 17:57:34
【问题描述】:

我正在尝试创建多个 IAM 组,然后使用 terraform (v0.12) 将多个 AWS 策略附加到每个组。

目前我有:

resource "aws_iam_group" "group1" {
  name = "group1"
  path = "/"
}

resource "aws_iam_group" "group2" {
  name = "group2"
  path = "/"
}

resource "aws_iam_group_policy_attachment" "group1" {
  for_each = toset([
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonCodeGuruProfilerFullAccess",
    "arn:aws:iam::aws:policy/job-function/Billing"
  ])
  group      = aws_iam_group.group1.name
  policy_arn = each.value
}

有没有更简洁的方法可以做到这一点,这样我就不会使用那么多重复的代码。

【问题讨论】:

    标签: amazon-web-services terraform amazon-iam


    【解决方案1】:

    您可以使用内置的setproduct 函数来实现此功能。

    例如,给定以下 Terraform 配置:

    variable "group_names" {
  default = []
  type    = set(string)
}

variable "policy_arns" {
  default = []
  type    = set(string)
}

locals {
  group_policies = [
    for group_policy in setproduct(var.group_names, var.policy_arns) : {
      group_name = group_policy[0]
      policy_arn = group_policy[1]
    }
  ]
}

resource "aws_iam_group" "iam_group" {
  for_each = var.group_names

  name = each.value
}

resource "aws_iam_group_policy_attachment" "iam_group_policy_attachment" {
  for_each = {
    for group_policy in local.group_policies : "${group_policy.group_name}.${group_policy.policy_arn}" => group_policy
  }

  group      = each.value.group_name
  policy_arn = each.value.policy_arn
}

    导致以下计划:

    Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_group.iam_group["group1"] will be created
  + resource "aws_iam_group" "iam_group" {
      + arn       = (known after apply)
      + id        = (known after apply)
      + name      = "group1"
      + path      = "/"
      + unique_id = (known after apply)
    }

  # aws_iam_group.iam_group["group2"] will be created
  + resource "aws_iam_group" "iam_group" {
      + arn       = (known after apply)
      + id        = (known after apply)
      + name      = "group2"
      + path      = "/"
      + unique_id = (known after apply)
    }

  # aws_iam_group_policy_attachment.iam_group_policy_attachment["group1.arn:aws:iam::aws:policy/AmazonCodeGuruProfilerFullAccess"] will be created
  + resource "aws_iam_group_policy_attachment" "iam_group_policy_attachment" {
      + group      = "group1"
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonCodeGuruProfilerFullAccess"
    }

  # aws_iam_group_policy_attachment.iam_group_policy_attachment["group1.arn:aws:iam::aws:policy/AmazonEC2FullAccess"] will be created
  + resource "aws_iam_group_policy_attachment" "iam_group_policy_attachment" {
      + group      = "group1"
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
    }

  # aws_iam_group_policy_attachment.iam_group_policy_attachment["group1.arn:aws:iam::aws:policy/AmazonS3FullAccess"] will be created
  + resource "aws_iam_group_policy_attachment" "iam_group_policy_attachment" {
      + group      = "group1"
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    }

  # aws_iam_group_policy_attachment.iam_group_policy_attachment["group2.arn:aws:iam::aws:policy/AmazonCodeGuruProfilerFullAccess"] will be created
  + resource "aws_iam_group_policy_attachment" "iam_group_policy_attachment" {
      + group      = "group2"
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonCodeGuruProfilerFullAccess"
    }

  # aws_iam_group_policy_attachment.iam_group_policy_attachment["group2.arn:aws:iam::aws:policy/AmazonEC2FullAccess"] will be created
  + resource "aws_iam_group_policy_attachment" "iam_group_policy_attachment" {
      + group      = "group2"
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
    }

  # aws_iam_group_policy_attachment.iam_group_policy_attachment["group2.arn:aws:iam::aws:policy/AmazonS3FullAccess"] will be created
  + resource "aws_iam_group_policy_attachment" "iam_group_policy_attachment" {
      + group      = "group2"
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    }

Plan: 8 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

    setproduct 函数返回给定 2 个或更多参数的所有可能的元素组合。

    aws_iam_group_policy_attachment 中的 for_each 表达式创建一个键值对映射,其中每个键的格式类似于 group_name.policy_arn(例如,"group2.arn:aws:iam::aws:policy/AmazonS3FullAccess"),每个值是一个包含两个键的映射,@987654330 @ 和policy_arn

    for_each 表达式中创建唯一键非常重要,以防止覆盖映射中现有键的可能性。

    【讨论】:

      猜你喜欢
      • 2018-01-11
      • 2022-01-19
      • 1970-01-01
      • 2020-01-23
      • 1970-01-01
      • 2021-06-22
      • 1970-01-01
      • 1970-01-01
      • 2018-04-13
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode