Terraform AWS IAM: iterating over JSON-rendered policy documents


How do I iterate over the JSON rendered by data.aws_iam_policy_document in aws_iam_policy?

data "aws_iam_policy_document" "role_1" {

  statement {
    sid = "CloudFront1"

    actions = [
      "cloudfront:ListDistributions",
      "cloudfront:ListStreamingDistributions"
    ]
    resources = ["*"]
  }
}

data "aws_iam_policy_document" "role_2" {
  statement {
    sid = "CloudFront2"

    actions = [
      "cloudfront:CreateInvalidation",
      "cloudfront:GetDistribution",
      "cloudfront:GetInvalidation",
      "cloudfront:ListInvalidations"
    ]
    resources = ["*"]
  }
}

variable "role_policy_docs" {
  type        = list(string)
  description = "Policies associated with Role"
  default     = [
    "data.aws_iam_policy_document.role_1.json",
    "data.aws_iam_policy_document.role_2.json",
  ]
}

locals {
  role_policy_docs = { for s in var.role_policy_docs: index(var.role_policy_docs, s) => s}
}

resource "aws_iam_policy" "role" {
  for_each = local.role_policy_docs

  name        = format("RolePolicy-%02d", each.key)
  description = "Custom Policies for Role"

  policy = each.value
}

resource "aws_iam_role_policy_attachment" "role" {
  for_each   = { for p in aws_iam_policy.role : p.name => p.arn }
  role       = aws_iam_role.role.name
  policy_arn = each.value
}
This example has been reduced to its most basic parts. The policy documents are generated dynamically using the source_json / override_json convention, so I cannot simply merge these statements into a single policy document.

Terraform error:

Error: "policy" contains an invalid JSON policy

  on role.tf line 35, in resource "aws_iam_policy" "role":
  35:   policy = each.value
This:

defines those defaults as strings, so what you get is:

  + role_policy_docs = {
      + 0 = "data.aws_iam_policy_document.role_1.json"
      + 1 = "data.aws_iam_policy_document.role_2.json"
    }
If you try to remove the quotes around the data references, that is invalid too, because you cannot use variables (or other expressions) in a default definition. Instead, assign your policy documents to a new local and use that local in the for loop:

locals {
  role_policies = [
    data.aws_iam_policy_document.role_1.json,
    data.aws_iam_policy_document.role_2.json,
  ]

  role_policy_docs = {
    for s in local.role_policies :
      index(local.role_policies, s) => s
  }
}
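As an added example (not part of the question or the answer above), the same pattern with two changes a reviewer would ask for: the map is keyed by a stable name rather than a list position, so adding or removing a document later does not renumber and recreate the other policies (and two documents that happen to render identical JSON no longer collapse onto one index), and a check block refuses the plan if any entry is not valid JSON, which is exactly the mistake the original variable default made. The role name, the trust policy principal, the account id and the distribution ARN are placeholders; the `check` block requires Terraform 1.5 or later.

```hcl
# Added example; names, account id and ARNs are placeholders, not values from the page.

data "aws_iam_policy_document" "cloudfront_read" {
  statement {
    sid       = "CloudFrontList"
    actions   = ["cloudfront:ListDistributions", "cloudfront:ListStreamingDistributions"]
    resources = ["*"] # List* actions on CloudFront cannot be scoped to a distribution
  }
}

data "aws_iam_policy_document" "cloudfront_invalidate" {
  statement {
    sid = "CloudFrontInvalidate"
    actions = [
      "cloudfront:CreateInvalidation",
      "cloudfront:GetDistribution",
      "cloudfront:GetInvalidation",
      "cloudfront:ListInvalidations",
    ]
    # These actions accept a distribution ARN, so scope them to the one this role manages
    resources = ["arn:aws:cloudfront::123456789012:distribution/EXAMPLEDISTID"] # placeholder
  }
}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"] # assumed trust: only EC2 may assume the role
    }
  }
}

resource "aws_iam_role" "role" {
  name               = "example-role" # placeholder
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

locals {
  # Keyed by a stable name, not by index(): each key survives additions and removals,
  # and the values are the rendered JSON strings, not the text of the expression.
  role_policy_docs = {
    cloudfront-read       = data.aws_iam_policy_document.cloudfront_read.json
    cloudfront-invalidate = data.aws_iam_policy_document.cloudfront_invalidate.json
  }
}

resource "aws_iam_policy" "role" {
  for_each    = local.role_policy_docs
  name        = "RolePolicy-${each.key}"
  description = "Custom policy ${each.key} for ${aws_iam_role.role.name}"
  policy      = each.value
}

resource "aws_iam_role_policy_attachment" "role" {
  # Iterate the policy instances directly; keys stay aligned with local.role_policy_docs
  for_each   = aws_iam_policy.role
  role       = aws_iam_role.role.name
  policy_arn = each.value.arn
}

# Fail the plan early if someone reintroduces a quoted expression string
# (as in the original variable default) instead of a rendered document.
check "policy_docs_are_json" {
  assert {
    condition     = alltrue([for d in values(local.role_policy_docs) : can(jsondecode(d))])
    error_message = "Every entry in local.role_policy_docs must be a rendered JSON policy document."
  }
}
```

With this layout `terraform plan` shows each policy as `aws_iam_policy.role["cloudfront-read"]` and so on, which is easier to review than `RolePolicy-00`, and renaming or dropping one document leaves the others' ARNs, and therefore their attachments, untouched.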

Thanks, Taylor! The clarification about not being able to use variables in default definitions is what tripped me up.