Amazon web services 地形-插值变量值
我试图在下面的函数中调用一个变量,但是现在必须手动输入,有点卡住了。如何让Terraform自动插入变量的值Amazon web services 地形-插值变量值,amazon-web-services,terraform,Amazon Web Services,Terraform,我试图在下面的函数中调用一个变量,但是现在必须手动输入,有点卡住了。如何让Terraform自动插入变量的值 resource "aws_iam_role" "aws-admin-role" { name = "AWS-AdminAccess" description = "Administration of Account from AWSxx" assume_role_policy = <<EOF { "Version":"2012-10-17
resource "aws_iam_role" "aws-admin-role" {
name = "AWS-AdminAccess"
description = "Administration of Account from AWSxx"
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::INSERTACCOUNTMANUALLY:root"
},
"Action":"sts:AssumeRole",
"Condition":{
}
}
]
}
EOF
}
Terraform允许您插值它知道的值,例如变量或来自数据源、资源或模块的输出 在您的情况下,您可以使用动态获取调用者的帐户ID,并将其插入IAM策略中,如下所示:
data "aws_caller_identity" "current" {}
resource "aws_iam_role" "aws-admin-role" {
name = "AWS-AdminAccess"
description = "Administration of Account from AWSxx"
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action":"sts:AssumeRole",
"Condition":{
}
}
]
}
EOF
}
variable "account_id" {}
resource "aws_iam_role" "aws-admin-role" {
name = "AWS-AdminAccess"
description = "Administration of Account from AWSxx"
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::${var.account_id}:root"
},
"Action":"sts:AssumeRole",
"Condition":{
}
}
]
}
EOF
}
相反,如果您想使用一个变量引用不同的AWS帐户,您可以执行以下操作:
data "aws_caller_identity" "current" {}
resource "aws_iam_role" "aws-admin-role" {
name = "AWS-AdminAccess"
description = "Administration of Account from AWSxx"
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
"Action":"sts:AssumeRole",
"Condition":{
}
}
]
}
EOF
}
variable "account_id" {}
resource "aws_iam_role" "aws-admin-role" {
name = "AWS-AdminAccess"
description = "Administration of Account from AWSxx"
assume_role_policy = <<EOF
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::${var.account_id}:root"
},
"Action":"sts:AssumeRole",
"Condition":{
}
}
]
}
EOF
}
INSERTACCOUNTMANUALLY曾经是我放置变量的地方,但是在变量文件中填充了它,我得到的只是空白,所以arn:aws:iam:::rootThank,我必须查看第一个选项。不确定这是否会起作用,因为我正在输入另一个正在运行此功能的帐户。但是,如果该方法能够实现,那么使用该方法可能会很有效。我也尝试过使用AWS:arn:AWS:iam:${var.AWS_admin_account}:root与您的第二个选项非常相似,这似乎被忽略了,即使它在我的变量文件中