Terraform:如何导入AWS跨账户资源?
[英]Terraform: how to import AWS cross-account resource?
问题描述
How do I import an existing AWS resource into Terraform state, where that resource exists within a different account?
如何将现有 AWS 资源导入 Terraform state,该资源存在于不同账户中?
terraform import module.mymodule.aws_iam_policy.policy arn:aws:iam::123456789012:policy/mypolicy
gives the following error:给出以下错误:
Error: Cannot import non-existent remote object
While attempting to import an existing object to aws_iam_policy.policy, the
provider detected that no object exists with the given id. Only pre-existing
objects can be imported; check that the id is correct and that it is
associated with the provider's configured region or endpoint, or use
"terraform apply" to create a new remote object for this resource.
The resource was created in one account using a different provisioner defined within a module called mymodule :该资源是使用在名为mymodule的模块中定义的不同配置器在一个帐户中创建的:
module "mymodule" {
// ... define variables for the module
}
// within the module
provider "aws" {
alias = "cross-account"
region = "eu-west-2"
assume_role {
role_arn = var.provider_role_arn
}
}
resource "aws_iam_policy" "policy" {
provider = "aws.cross-account"
name = var.policy-name
path = var.policy-path
description = var.policy-description
policy = var.policy-document
}
How do I import cross-account resources?如何导入跨账户资源?
Update: using the -provider flag, I get a different error:更新:使用-provider标志,我得到一个不同的错误:
Error: Provider configuration not present
To work with module.mymodule.aws_iam_policy.policy (import
id "arn:aws:iam::123456789012:policy/somepolicytoimport") its original provider
configuration at provider.aws.cross-account is required, but it has been
removed. This occurs when a provider configuration is removed while objects
created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.mymodule.aws_iam_policy.policy (import id
"arn:aws:iam::123456789012:policy/somepolicytoimport"), after which you can remove
the provider configuration again.
2 个解决方案
解决方案1
0 2019-11-03 09:25:53
I think you have to assume the role of the second account as follows.我认为您必须承担以下第二个帐户的角色。
provider "aws" {
assume_role {
role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
session_name = "SESSION_NAME"
external_id = "EXTERNAL_ID"
}
}
[1]: https://www.terraform.io/docs/providers/aws/index.html [1]: https://www.terraform.io/docs/providers/aws/index.html
解决方案2
0 2020-07-28 16:29:11
I've got the same error while trying to import AWS acm certificate.我在尝试导入 AWS acm 证书时遇到了同样的错误。
As the first step, before importing the resource, you need to create its configuration in the root module (or other relevant module):作为第一步,在导入资源之前,您需要在根模块(或其他相关模块)中创建其配置:
resource "aws_acm_certificate" "cert" {
# (resource arguments)
}
Or you'll got the following error:或者你会得到以下错误:
Error: resource address "aws_acm_certificate.cert" does not exist in the configuration.
Then you can import the resource by providing its relevant arn:然后,您可以通过提供相关的 arn 来导入资源:
$ terraform import aws_acm_certificate.cert <certificate-arn>
Like @ydaetskcoR mentioned in the comments - you don't need to assume the role of the second account if you're using v0.12.10+ .就像评论中提到的@ydaetskcoR - 如果您使用的是v0.12.10+ ,则不需要承担第二个帐户的角色。
But Terraform do need Access credentials to the second account - so please make sure you provide the relevant account's credentials (and not the source account credentials) or you'll be stuck with the但是 Terraform 确实需要访问第二个帐户的凭据 - 因此请确保您提供相关帐户的凭据(而不是源帐户凭据),否则您将无法使用Error: Cannot import non-existent remote object
for a few hours like me (:像我一样几个小时(:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.