Terraform不断更新aws\u iam\u政策\u附件
我正在创建并尝试使用aws_iam_策略_附件来附加两个aws管理策略和一个自定义策略。然而,Terraform坚持更新每个计划,即使apply已经完成 我被难住了,我将不胜感激 请参阅下面我的地形应用Terraform不断更新aws\u iam\u政策\u附件,terraform,Terraform,我正在创建并尝试使用aws_iam_策略_附件来附加两个aws管理策略和一个自定义策略。然而,Terraform坚持更新每个计划,即使apply已经完成 我被难住了,我将不胜感激 请参阅下面我的地形应用 data "aws_iam_policy" "test_amazon_ecs_task_execution_role_policy" { arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
data "aws_iam_policy" "test_amazon_ecs_task_execution_role_policy" {
arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
data "aws_iam_policy" "test_amazon_elastic_map_reduce_full_access" {
arn = "arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess"
}
data "template_file" "test_assume_role_policy" {
template = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow"
}
]
}
POLICY
}
resource "aws_iam_role" "test_role" {
name = "${var.env}-test-role"
assume_role_policy = "${data.template_file.test_assume_role_policy.rendered}"
description = "IAM role for granting test policies"
}
resource "aws_iam_policy" "test_policy" {
name = "${var.env}-test-policy"
path = "/"
description = "IAM Policy for granting test permissions"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_policy_attachment" "test_amazon_ecs_task_execution_role_policy_attachment" {
name = "${var.env}-test-amazon-ecs-task-execution-role-policy-attachment"
roles = "${aws_iam_role.test_role.name}"
policy_arn = "${data.aws_iam_policy.test_amazon_ecs_task_execution_role_policy.arn}"
}
resource "aws_iam_policy_attachment" "test_amazon_elastic_map_reduce_full_access_attachment" {
name = "${var.env}-test-amazon-elastic-map-reduce-full-access-attachment"
roles = ["${aws_iam_role.test_role.name}"]
policy_arn = "${data.aws_iam_policy.test_amazon_elastic_map_reduce_full_access.arn}"
}
resource "aws_iam_policy_attachment" "test_policy_attachment" {
name = "${var.env}-test-policy-attachment"
roles = ["${aws_iam_role.test_role.name}"]
policy_arn = "${aws_iam_policy.test_policy.arn}"
}
数据“aws\u iam\u策略”“测试\u亚马逊\u ecs\u任务\u执行\u角色\u策略”{
arn=“arn:aws:iam::aws:policy/service role/AmazonECSTaskExecutionRolePolicy”
}
数据“aws\u iam\u策略”“测试\u亚马逊\u弹性\u地图\u减少\u完全访问”{
arn=“arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess”
}
数据“模板文件”“测试\u承担\u角色\u策略”{
template=如果我们省略了roles=“${aws\u iam\u role.test\u role.name}”中的输入错误,您应该在值周围使用[]
,此代码应该可以正常工作,并且不应该要求重新创建资源,除非您在每次运行时为var.env
提供不同的值
同时,您可以利用aws_iam_policy_document
使代码更加清晰:
data "aws_iam_policy_document" "test_assume_role_policy" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
resource "aws_iam_role" "test_role" {
name = "${var.env}-test-role"
assume_role_policy = "${data.aws_iam_policy_document.test_assume_role_policy.json}"
description = "IAM role for granting test policies"
}
data "aws_iam_policy_document" "test_policy" {
statement {
effect = "Allow"
actions = ["s3:*"]
resources = ["*"]
}
}
resource "aws_iam_policy" "test_policy" {
name = "${var.env}-test-policy"
path = "/"
description = "IAM Policy for granting test permissions"
policy = "${data.aws_iam_policy_document.test_policy.json}"
}
resource "aws_iam_policy_attachment" "test_amazon_ecs_task_execution_role_policy_attachment" {
name = "${var.env}-test-amazon-ecs-task-execution-role-policy-attachment"
roles = ["${aws_iam_role.test_role.name}"]
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
resource "aws_iam_policy_attachment" "test_amazon_elastic_map_reduce_full_access_attachment" {
name = "${var.env}-test-amazon-elastic-map-reduce-full-access-attachment"
roles = ["${aws_iam_role.test_role.name}"]
policy_arn = "arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess"
}
resource "aws_iam_policy_attachment" "test_policy_attachment" {
name = "${var.env}-test-policy-attachment"
roles = ["${aws_iam_role.test_role.name}"]
policy_arn = "${aws_iam_policy.test_policy.arn}"
}
您可以显示计划输出吗?我可以使用aws_role_iam_policy_附件而不是aws_iam_policy_附件来解决我的问题。我发现aws_iam_policy_附件是这里定义的排他性附件