Amazon web services 如何通过terraform授予写入全局二级索引的权限?
我的同事已经建立了terraform来构建dynamo DB表+全局二级索引Amazon web services 如何通过terraform授予写入全局二级索引的权限?,amazon-web-services,terraform,Amazon Web Services,Terraform,我的同事已经建立了terraform来构建dynamo DB表+全局二级索引 global_secondary_index { name = "${lookup(var.archive_metadata, "gsi_name")}" hash_key = "${lookup(var.archive_metadata, "gsi_hash_key")}" read_capacity = "${lookup(var.archive_
global_secondary_index {
name = "${lookup(var.archive_metadata, "gsi_name")}"
hash_key = "${lookup(var.archive_metadata, "gsi_hash_key")}"
read_capacity = "${lookup(var.archive_metadata, "read_capacity")}"
write_capacity = "${lookup(var.archive_metadata, "write_capacity")}"
projection_type = "ALL"
}
我们试图弄清楚如何授予lambda函数的写访问权。我们试过这个
data aws_iam_policy_document "archive_metadata_write" {
statement {
actions = [
"dynamodb:BatchGetItem",
"dynamodb:Describe*",
"dynamodb:Get*",
"dynamodb:List*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
]
resources = [
"${aws_dynamodb_table.archive_metadata.arn}",
"${aws_dynamodb_table.archive_metadata.global_secondary_index}"
]
}
}
不走运
也试过
"${aws_dynamodb_table.archive_metadata.global_secondary_index.gsi_name}"
及
最终起作用的是
"${aws_dynamodb_table.archive_metadata.arn}/index/*"
感觉有点不舒服。如果有人有更好的主意,我很乐意听听。根据文件,这是正确的做法。所以这不是黑客。
"${aws_dynamodb_table.archive_metadata.arn}/index/*"