使用 Terraform 创建 StringLike 条件
[英]Creating a StringLike condition with Terraform
问题描述
I am trying to generate some terraform for an aws IAM policy.
我正在尝试为 aws IAM 策略生成一些 terraform。 The condition in the policy looks like this政策中的条件看起来像这样
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": [
"arn:aws:cloudtrail:*:aws-account-id:trail/*"
]
I am looking at the documentation for aws_iam_policy_document : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document , but it's not clear to me as to how to write this in terraform. Any help would be greatly apprecaited.我正在查看aws_iam_policy_document的文档: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document ,但我不清楚如何在 terraform 中编写此文档。任何帮助将不胜感激。 This is my attempt这是我的尝试
condition {
test = "StringLike"
variable = "kms:EncryptionContext:aws:cloudtrail:arn"
values = [
"arn:aws:cloudtrail:*:aws-account-id:trail/*"
]
}
1 个解决方案
解决方案1
3 已采纳 2020-11-12 13:02:58
Hello Evan you logic is correct just to add:你好埃文你的逻辑是正确的只是添加:
Each document configuration may have one or more statement每个文档配置可能有一个或多个statement
data "aws_iam_policy_document" "example" {
statement {
actions = [
"*", *//specify your actions here*
]
resources = [
"*", *//specify your resources here*
]
condition {
test = "StringLike"
variable = "kms:EncryptionContext:aws:cloudtrail:arn"
values = [
"arn:aws:cloudtrail:*:aws-account-id:trail/*"
]
}
}
Each policy statement may have zero or more condition blocks, which each accept the following arguments:每个策略语句可能有零个或多个条件块,每个条件块接受以下 arguments:
-
test(Required) The name of the IAM condition operator to evaluate.test(必需)要评估的 IAM 条件运算符的名称。 -
variable(Required) The name of a Context Variable to apply the condition to.variable(必需)要应用条件的上下文变量的名称。 Context variables may either be standard AWS variables starting with aws:, or service-specific variables prefixed with the service name.上下文变量可以是以 aws: 开头的标准 AWS 变量,也可以是以服务名称为前缀的特定于服务的变量。 -
values(Required) The values to evaluate the condition against.values(必需)用于评估条件的值。 If multiple values are provided, the condition matches if at least one of them applies.如果提供了多个值,则如果其中至少一个适用,则条件匹配。 (That is, the tests are combined with the "OR" boolean operation.) (即测试与“或”boolean 操作相结合。)
When multiple condition blocks are provided, they must all evaluate to true for the policy statement to apply.当提供多个条件块时,它们必须全部评估为真才能应用策略语句。 (In other words, the conditions are combined with the "AND" boolean operation.) (换句话说,条件与“AND” boolean 运算相结合。)
Here's the REF from terraform这是来自terraform的 REF
IN Addition to create the policy from the document you created you use it like this:除了从您创建的文档创建策略外,您还可以像这样使用它:
resource "aws_iam_policy" "example" {
policy = data.aws_iam_policy_document.example.json
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.