Terraform AWS IAM迭代呈现的JSON策略
如何在Terraform AWS IAM迭代呈现的JSON策略,terraform,amazon-iam,Terraform,Amazon Iam,如何在aws\u iam\u策略中迭代JSON呈现的数据.aws\u iam\u策略文档 data "aws_iam_policy_document" "role_1" { statement { sid = "CloudFront1" actions = [ "cloudfront:ListDistributions", "cloudfront:ListSt
aws\u iam\u策略
中迭代JSON呈现的数据.aws\u iam\u策略
文档
data "aws_iam_policy_document" "role_1" {
statement {
sid = "CloudFront1"
actions = [
"cloudfront:ListDistributions",
"cloudfront:ListStreamingDistributions"
]
resources = ["*"]
}
}
data "aws_iam_policy_document" "role_2" {
statement {
sid = "CloudFront2"
actions = [
"cloudfront:CreateInvalidation",
"cloudfront:GetDistribution",
"cloudfront:GetInvalidation",
"cloudfront:ListInvalidations"
]
resources = ["*"]
}
}
variable "role_policy_docs" {
type = list(string)
description = "Policies associated with Role"
default = [
"data.aws_iam_policy_document.role_1.json",
"data.aws_iam_policy_document.role_2.json",
]
}
locals {
role_policy_docs = { for s in var.role_policy_docs: index(var.role_policy_docs, s) => s}
}
resource "aws_iam_policy" "role" {
for_each = local.role_policy_docs
name = format("RolePolicy-%02d", each.key)
description = "Custom Policies for Role"
policy = each.value
}
resource "aws_iam_role_policy_attachment" "role" {
for_each = { for p in aws_iam_policy.role : p.name => p.arn }
role = aws_iam_role.role.name
policy_arn = each.value
}
这个例子已经简化到最基本的部分。策略文档是使用source_json
和override_json
约定动态生成的。我不能简单地将这些声明合并成一份政策文件
地形错误:
Error: "policy" contains an invalid JSON policy
on role.tf line 35, in resource "aws_iam_policy" "role":
35: policy = each.value
这:
将这些默认值定义为字符串,因此您得到的是:
+ role_policy_docs = {
+ 0 = "data.aws_iam_policy_document.role_1.json"
+ 1 = "data.aws_iam_policy_document.role_2.json"
}
如果您试图删除数据块
周围的引号,则该引号无效,因为您无法在默认定义中使用变量。相反,将您的策略文档分配给新的本地,并在for
循环中使用该本地:
locals {
role_policies = [
data.aws_iam_policy_document.role_1.json,
data.aws_iam_policy_document.role_2.json,
]
role_policy_docs = {
for s in local.role_policies :
index(local.role_policies, s) => s
}
}
谢谢,泰勒!关于在默认定义中不使用变量的澄清是我被绊倒的原因。
locals {
role_policies = [
data.aws_iam_policy_document.role_1.json,
data.aws_iam_policy_document.role_2.json,
]
role_policy_docs = {
for s in local.role_policies :
index(local.role_policies, s) => s
}
}