Amazon web services: Terraform AWS IAM users added to and removed from an IAM group on alternate terraform apply commands

Tags: amazon-web-services, terraform, amazon-iam

I have a strange situation where a set of IAM users is added to, or removed from, an IAM group on each subsequent terraform apply run, even though nothing else has changed.

I know these IAM users are not fully working yet, because a login profile still needs to be added, but the plan is just to save some effort and finish the user setup manually.

Using Terraform 13.5 on Ubuntu 20.1.

# main.tf
# Create a group for them
resource "aws_iam_group" "proj" {
  name = "proj-AdminGroup-Nov-2020"
}

# Create the individual users
resource "aws_iam_user" "example" {
  count         = length(var.iam_users)
  name          = element(var.iam_users, count.index)
  force_destroy = true
}

# Attach the standard AdministratorAccess policy to the group
# Use 'data' to get the arn of the policy
data "aws_iam_policy" "AdministratorAccess" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Attach the policy to the group
resource "aws_iam_group_policy_attachment" "test-attach" {
  group      = aws_iam_group.proj.name
  policy_arn = data.aws_iam_policy.AdministratorAccess.arn
}

# Assign the Users to the group
# (one aws_iam_group_membership instance per user, all pointing at the same group)
resource "aws_iam_group_membership" "team" {
  name  = "tf-proj-group-membership"
  count = length(var.iam_users)

  users = [
    element(aws_iam_user.example.*.name, count.index)
  ]

  group = aws_iam_group.proj.name
}

State after the first terraform apply.

State after the second one.

Output of the second terraform apply:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_group_membership.team[0] will be updated in-place
  ~ resource "aws_iam_group_membership" "team" {
        group = "proj-AdminGroup-Nov-2020"
        id    = "tf-proj-group-membership"
        name  = "tf-proj-group-membership"
      ~ users = [
            "user1",
          - "user2",
        ]
    }

  # aws_iam_group_membership.team[1] will be updated in-place
  ~ resource "aws_iam_group_membership" "team" {
        group = "proj-AdminGroup-Nov-2020"
        id    = "tf-proj-group-membership"
        name  = "tf-proj-group-membership"
      ~ users = [
          - "user1",
            "user2",
        ]
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

I am not quite sure why you are using count = length(var.iam_users) in your aws_iam_group_membership. Normally you would just do:

resource "aws_iam_group_membership" "team" {
  name = "tf-proj-group-membership"

  users = aws_iam_user.example[*].name

  group = aws_iam_group.proj.name
}

The above does work as expected and does not show the behaviour you are describing.


Use aws_iam_user_group_membership instead of aws_iam_group_membership and you can run it as many times as you like.

From the docs: WARNING: Multiple aws_iam_group_membership with the same group name will produce inconsistent behavior.

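The per-user form suggested in this answer, written out as an added example (not code from the question or either answer). It keeps the question's resource names and uses for_each instead of count so each membership instance manages only its own user; the user list is a constructed sample. Because the group carries AdministratorAccess, the flip-flop in the question meant admin rights were silently toggling for the affected users on every apply, so converging to a stable membership matters beyond tidiness.

```hcl
# Added example: one aws_iam_user_group_membership per user.
# Each instance owns only its user's group list, so successive applies converge
# instead of alternately removing the other users from the shared group.
variable "iam_users" {
  type    = list(string)
  default = ["user1", "user2"] # constructed sample values
}

resource "aws_iam_group" "proj" {
  name = "proj-AdminGroup-Nov-2020"
}

data "aws_iam_policy" "AdministratorAccess" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_group_policy_attachment" "test-attach" {
  group      = aws_iam_group.proj.name
  policy_arn = data.aws_iam_policy.AdministratorAccess.arn
}

# Keying by user name (rather than list index) also means adding or removing
# a user from the variable does not shift every other user's address.
resource "aws_iam_user" "example" {
  for_each      = toset(var.iam_users)
  name          = each.key
  force_destroy = true
}

# Non-exclusive membership: only this user's group list is managed here, so
# several instances can target the same group without fighting each other.
resource "aws_iam_user_group_membership" "team" {
  for_each = aws_iam_user.example
  user     = each.value.name
  groups   = [aws_iam_group.proj.name]
}
```

After a successful apply, a second terraform plan should report no changes; if it still proposes edits to group membership, some other resource (or a manual change in the console) is also managing that group's member list.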

Thanks, that fixed it. Still not clear why I was seeing that behaviour, but thank you.