Terraform 计划命令失败

Question

我正在尝试使用其他用户以及自定义策略来执行我的 Terraform 计划命令，但我无法弄清楚我缺少什么策略操作来运行此命令。我不想允许ec2:*。

资源已经在运行，我们只是试图将代码移动到不同的项目。

当我以ec2:* 权限运行计划时，它运行正常。

错误：

Error refreshing state: 2 error(s) occurred:

    * module.mesos.aws_instance.master: 3 error(s) occurred:      
    * module.mesos.aws_instance.master[2]: aws_instance.master.2: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: 484574e1-0dd0-4c43-b829-42c034763bad
    * module.mesos.aws_instance.master[1]: aws_instance.master.1: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: e0499d28-d55c-46e8-af1a-91262427b422
    * module.mesos.aws_instance.master[0]: aws_instance.master.0: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: f1fb50ac-7bb5-47d6-b1b4-b24b38a61fdd
    * module.mesos.data.aws_ami.agent: 1 error(s) occurred:    
    * module.mesos.data.aws_ami.agent: data.aws_ami.agent: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: a7dcf75b-30d1-4c74-8c30-a002644db313

代码：

{
       "Sid": "gitec2",
       "Effect": "Allow",
       "Action": [
           "ec2:DescribeInstances",
           "ec2:DescribeVolumeStatus",
           "ec2:StartInstances",
           "ec2:DescribeVolumes",
           "ec2:RunInstances",
           "ec2:StopInstances",
           "ec2:AssignPrivateIpAddresses",
           "ec2:DescribeVolumeAttribute",
           "ec2:DescribeSubnets",
           "ec2:AttachVolume",
           "ec2:DescribeRegions",
           "ec2:DescribeVpcAttribute",
           "ec2:DescribeAvailabilityZones",
           "ec2:DescribeInstanceStatus",
           "ec2:DescribeSecurityGroups",
           "ec2:DescribeVpcs",
           "ec2:DescribeNetworkAcls",
           "ec2:DescribeRouteTables",
           "ec2:DescribeLaunchTemplates",
           "ec2:DescribeAddresses",
           "ec2:DescribeInstanceAttributes",
           "ec2:DescribeNetworkInterfaces",
           "ec2:CreateSecurityGroup",
           "ec2:TerminateInstances",
           "ec2:DescribeIamInstanceProfileAssociations",
           "ec2:DescribeTags",
           "ec2:DescribeImageAttribute",
           "ec2:DescribeSecurityGroupReferences",
           "ec2:AssociateIamInstanceProfile",
           "ec2:AttachInternetGateway",
           "ec2:AttachNetworkGateway",
           "ec2:AssociateIamInstanceProfile",
           "ec2:DeleteSecurityGroup"
          ],
       "Resource": "*"
 }

Answer 1

aws_instance resource 读取方法（刷新状态时调用）调用 DescribeInstances、DescribeInstanceAttribute、DescribeIamInstanceProfileAssociations 端点，这些端点分别需要 ec2:DescribeInstances、ec2:DescribeInstanceAttribute 和 ec2:DescribeIamInstanceProfileAssociations。

aws_ami data source 调用需要 ec2:DescribeImages IAM 操作的 DescribeImages 端点。

因此，您缺少ec2:DescribeInstanceAttribute（您有ec2:DescribeInstanceAttributes，这不是一个有效的操作）和ec2:DescribeImages。

可以通过查看源代码（aws_instance 和 aws_ami）来发现 Terraform 进行的调用，而相关的 IAM 操作可以在 AM docs for EC2 中找到。

如果有充分的理由不允许ec2:Describe*，我会感到惊讶，因为这些只是只读操作，不应暴露任何敏感内容。