Fatal编程技术网
  • terraform/
  • Terraform不断更新aws\u iam\u政策\u附件

Terraform不断更新aws\u iam\u政策\u附件

terraform

Terraform不断更新aws\u iam\u政策\u附件,terraform,Terraform,我正在创建并尝试使用aws_iam_策略_附件来附加两个aws管理策略和一个自定义策略。然而,Terraform坚持更新每个计划,即使apply已经完成 我被难住了,我将不胜感激 请参阅下面我的地形应用 data "aws_iam_policy" "test_amazon_ecs_task_execution_role_policy" { arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"

我正在创建并尝试使用aws_iam_策略_附件来附加两个aws管理策略和一个自定义策略。然而,Terraform坚持更新每个计划,即使apply已经完成

我被难住了,我将不胜感激

请参阅下面我的地形应用

data "aws_iam_policy" "test_amazon_ecs_task_execution_role_policy" {
  arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

data "aws_iam_policy" "test_amazon_elastic_map_reduce_full_access" {
  arn = "arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess"
}

data "template_file" "test_assume_role_policy" {
 template = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
POLICY
}

resource "aws_iam_role" "test_role" {
 name               = "${var.env}-test-role"
 assume_role_policy = "${data.template_file.test_assume_role_policy.rendered}"
 description        = "IAM role for granting test policies"
}

resource "aws_iam_policy" "test_policy" {
 name        = "${var.env}-test-policy"
 path        = "/"
 description = "IAM Policy for granting test permissions"
 policy = <<EOF
{
     "Version": "2012-10-17",
     "Statement": [
        {
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
   ]
}
EOF
}

resource "aws_iam_policy_attachment" "test_amazon_ecs_task_execution_role_policy_attachment" {
 name       = "${var.env}-test-amazon-ecs-task-execution-role-policy-attachment"
 roles      = "${aws_iam_role.test_role.name}"
 policy_arn = "${data.aws_iam_policy.test_amazon_ecs_task_execution_role_policy.arn}"
}

resource "aws_iam_policy_attachment" "test_amazon_elastic_map_reduce_full_access_attachment" {
 name       = "${var.env}-test-amazon-elastic-map-reduce-full-access-attachment"
 roles      = ["${aws_iam_role.test_role.name}"]
 policy_arn = "${data.aws_iam_policy.test_amazon_elastic_map_reduce_full_access.arn}"
}

resource "aws_iam_policy_attachment" "test_policy_attachment" {
 name       = "${var.env}-test-policy-attachment"
 roles      = ["${aws_iam_role.test_role.name}"]
 policy_arn = "${aws_iam_policy.test_policy.arn}"
}


数据“aws\u iam\u策略”“测试\u亚马逊\u ecs\u任务\u执行\u角色\u策略”{
arn=“arn:aws:iam::aws:policy/service role/AmazonECSTaskExecutionRolePolicy”
}
数据“aws\u iam\u策略”“测试\u亚马逊\u弹性\u地图\u减少\u完全访问”{
arn=“arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess”
}
数据“模板文件”“测试\u承担\u角色\u策略”{

template=如果我们省略了
roles=“${aws\u iam\u role.test\u role.name}”中的输入错误,您应该在值周围使用
[]
,此代码应该可以正常工作,并且不应该要求重新创建资源,除非您在每次运行时为
var.env
提供不同的值

同时,您可以利用aws_iam_policy_document
使代码更加清晰:


data "aws_iam_policy_document" "test_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "test_role" {
  name               = "${var.env}-test-role"
  assume_role_policy = "${data.aws_iam_policy_document.test_assume_role_policy.json}"
  description        = "IAM role for granting test policies"
}

data "aws_iam_policy_document" "test_policy" {
  statement {
    effect    = "Allow"
    actions   = ["s3:*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "test_policy" {
  name        = "${var.env}-test-policy"
  path        = "/"
  description = "IAM Policy for granting test permissions"
  policy      = "${data.aws_iam_policy_document.test_policy.json}"
}

resource "aws_iam_policy_attachment" "test_amazon_ecs_task_execution_role_policy_attachment" {
  name       = "${var.env}-test-amazon-ecs-task-execution-role-policy-attachment"
  roles      = ["${aws_iam_role.test_role.name}"]
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

resource "aws_iam_policy_attachment" "test_amazon_elastic_map_reduce_full_access_attachment" {
  name       = "${var.env}-test-amazon-elastic-map-reduce-full-access-attachment"
  roles      = ["${aws_iam_role.test_role.name}"]
  policy_arn = "arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess"
}

resource "aws_iam_policy_attachment" "test_policy_attachment" {
  name       = "${var.env}-test-policy-attachment"
  roles      = ["${aws_iam_role.test_role.name}"]
  policy_arn = "${aws_iam_policy.test_policy.arn}"
}



您可以显示计划输出吗?我可以使用aws_role_iam_policy_附件而不是aws_iam_policy_附件来解决我的问题。我发现aws_iam_policy_附件是这里定义的排他性附件