Amazon cloudformation IAM策略:格式错误的策略文档:策略中的语法错误
我成功地运行了一个包含以下代码片段的cloudformation堆栈,现在我的最终目标是将其移植到Terraform,但是 即使在AWS控制台中,我也收到一个格式错误的语法错误。我尝试使用AWS控制台的“策略编辑器”并单击“验证”按钮来调试它,但错误是非特定的。有人知道我做错了什么吗?这很奇怪,因为当我部署cloudformation堆栈模板时,这个策略似乎有效。(顺便说一句,这是来自GorillaStack的自动标记项目,如果有帮助的话) 此策略包含以下错误:策略中的语法错误。有关IAM策略语法的更多信息,请参阅AWS IAM策略。Amazon cloudformation IAM策略:格式错误的策略文档:策略中的语法错误,amazon-cloudformation,amazon-iam,terraform,Amazon Cloudformation,Amazon Iam,Terraform,我成功地运行了一个包含以下代码片段的cloudformation堆栈,现在我的最终目标是将其移植到Terraform,但是 即使在AWS控制台中,我也收到一个格式错误的语法错误。我尝试使用AWS控制台的“策略编辑器”并单击“验证”按钮来调试它,但错误是非特定的。有人知道我做错了什么吗?这很奇怪,因为当我部署cloudformation堆栈模板时,这个策略似乎有效。(顺便说一句,这是来自GorillaStack的自动标记项目,如果有帮助的话) 此策略包含以下错误:策略中的语法错误。有关IAM策略语
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStackResource"
],
"Resource": [
{ "Fn::Join": [ "", [ "arn:aws:cloudformation:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":stack/autotag/*" ] ] }
]
},
{
"Effect": "Allow",
"Action": [
"sts:*"
],
"Resource": [
{ "Fn::GetAtt" : [ "AutoTagMasterRole", "Arn" ] }
]
}
]
}
我的terraform配置有以下资源(包括上面的代码片段)
资源“aws\u iam\u角色\u策略”“自动页面执行策略”{
name=“AutotageExecutionPolicy”
role=“${aws\u iam\u role.AutoTagExecutionRole.id}”
policy=您需要将Cloudformation函数转换为terraform脚本中的变量
data "aws_iam_policy_document" "example" {
statement {
sid = "allow logs"
effect = "Allow"
action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
]
Resources = [
"arn:aws:logs:*:*:*",
]
}
statement {
sid = "allow s3"
effect = "Allow"
action = [
"s3:GetObject",
"s3:ListBucket",
]
resource = [
"*",
]
}
statement {
sid = "allow cfn"
effect = "Allow"
action = [
"cloudformation:DescribeStackResource",
]
resource = [
"${var.cfn_stack}",
]
}
statement {
sid = "allow sts"
effect = "Allow"
action = [
"sts:*",
]
resource = [
"${var.AutoTagMasterRole_arn}",
]
}
}
然后
当您将策略移动到terraform时,是否删除了像ref这样的Cloudformation函数?不,我没有。您能在此基础上进行推断吗?例如,我是否需要在terraform配置中为Cloudformation模板中的类似项插入值?:{“ref”:“AWS::AccountId”}这些函数中的每一个都是cloudformation自带的,你需要在terraform脚本中将它们转换为变量。该死,我明白了。这并不像我想象的那么简单。我在文档中没有看到任何类似的内容。如果你对这个答案有信心,这就为我指明了正确的方向。我需要转换整行代码:{“Fn::Join”:[“”,[“arn:aws:cloudformation:”,{“Ref:“aws::Region”},:“,{”Ref:“aws::AccountId”},::stack/autotag/*“]]}我不知道那会是什么样子。这里是新手
data "aws_iam_policy_document" "example" {
statement {
sid = "allow logs"
effect = "Allow"
action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
]
Resources = [
"arn:aws:logs:*:*:*",
]
}
statement {
sid = "allow s3"
effect = "Allow"
action = [
"s3:GetObject",
"s3:ListBucket",
]
resource = [
"*",
]
}
statement {
sid = "allow cfn"
effect = "Allow"
action = [
"cloudformation:DescribeStackResource",
]
resource = [
"${var.cfn_stack}",
]
}
statement {
sid = "allow sts"
effect = "Allow"
action = [
"sts:*",
]
resource = [
"${var.AutoTagMasterRole_arn}",
]
}
}
resource "aws_iam_policy" "example" {
name = "example_policy"
path = "/"
policy = "${data.aws_iam_policy_document.example.json}"
}