【问题标题】:How to handle lists for eks assume policy如何处理 eks 的列表假设策略
【发布时间】:2021-03-27 11:10:25
【问题描述】:

作为升级的一部分,我有 2 个 eks 集群。我想处理假设策略,以便它可以访问两个 eks 集群。两个集群都在同一个 AWS 账户中。

我希望我的政策类似于以下政策。这样我们就不会更新任何角色,而只会更新处理两个集群的假设策略。

locals.tf

  eks_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyyyyyyyyy",
        "Federated": "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyyyyyyyyy"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxxxxxx:sub": "system:serviceaccount:%s:%s",
          "oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxxxxx:sub": "system:serviceaccount:%s:%s"
        }
      }
    }
  ]
}
EOF

Launcher = "job-Launcher"

角色.tf

resource "aws_iam_role" "launcher" {
  name               = local.Launcher
  assume_role_policy = format(local.eks_policy, "my-namepsace", local.Launcher)
  tags = {
    terraform = "true"
    owner     = "stg"
  }
}

所以我在 locals.tf 中尝试过这样的

  count = length(var.federated)

      eks_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/${join(",",${element(var.federated, count.index)})}",
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-east-1.amazonaws.com/id/${join(",", ${element(var.federated, count.index)})}:sub": "system:serviceaccount:%s:%s"
            }
          }
        }
      ]
    }

但我收到一个错误,因为 count 不能在 locals.tf 中使用, 有人可以帮助我吗?

更新2:

我们如何得到这样的东西

"Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxxxxx:sub": "system:serviceaccount:ihr-system:ihr-system-external-dns18",
          "oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyyyy:sub": "system:serviceaccount:ihr-system:ihr-system-external-dns"
        }
      }

我试过了,

联合 = [ "xxxxxxxxxxxxxxxxxxxxx", “yyyyyyyyyyyyyyyyyyyyy” ]

    Condition : {
      "StringEquals" : {
        join("",[for oidc in local.federated:"oidc.eks.us-east-1.amazonaws.com/id/${oidc}:sub:","system:serviceaccount:%s:%s"])
    }

在附近出现语法错误,本地预期和另一个错误 ',' 或 '}' 预期得到 '"system:serviceaccount.."'

for oidc in local.federated

【问题讨论】:

    标签: terraform amazon-iam amazon-eks


    【解决方案1】:

    Terraform format 函数要求每个占位符都有一个参数。来自文档:

    规范是一个字符串,其中包含以 % 字符引入的格式化动词。对于规范中的每个动词序列,函数调用必须有一个附加参数。只要每个给定的参数都可以转换为格式动词所需的类型,动词就会与连续的参数匹配并按照指示进行格式化。

    话虽如此,您需要提供四个参数,即使在您的情况下它是相同的局部变量:

    format(local.eks_policy, "my-namepsace", local.Launcher, "my-namepsace", local.Launcher)
    

    根据您的用例,您还可以考虑定义具有配置的对象列表并使用循环构建策略语句以准备最终字符串。

    更新 1

    动态生成示例可能如下所示,其中角色可以由变量local.params 中的任何帐户承担:

    locals {
      # key = account ID, value could be whatever
      params = {
        "1111" = { foo = "bar" },
        "2222" = { x = "y" }
      }
    
      assume_role_str = jsonencode({
        # skipped beginning for brevity
        Effect = "Allow",
        Principal = {
          Federated: [ for account in keys(local.params): "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/:${account}" ]
        }
      })
    }
    

    【讨论】:

    • 我怎样才能使更多动态,有几个角色,所以我们希望避免对角色进行更新,而是如何使它成为动态,它需要两个 eks id 在假设策略
    • @user6826691 我更新了答案并添加了动态生成的示例
    猜你喜欢
    • 2018-10-22
    • 1970-01-01
    • 2019-11-17
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2019-08-24
    • 1970-01-01
    相关资源
    最近更新 更多