如何从 terraform 中的 aws_iam_user 获取 aws 帐户 ID？

Question

我正在尝试将以下策略添加到使用 terraform 的 iam 用户。如何在 upload_user_user 的策略中添加帐户 ID？

resource "aws_iam_user" "product_upload_user" {
  name = "cc-${terraform.workspace}-product-upload-user"
}

resource "aws_iam_user_policy" "allow_upload" {
  user   = aws_iam_user.product_upload_user.name
  policy = data.aws_iam_policy_document.allow_upload.json
}

data "aws_iam_policy_document" "allow_upload" {

  statement {
    sid       = "STSToken"
    effect    = "Allow"
    actions   = ["sts:GetFederationToken"]
    # resources = ["arn:aws:sts::${aws_iam_user.product_upload_user.<account_id>}:federated-user/S3UploadWebToken"]
  }
}

尝试实施本教程中的策略： https://next-s3-upload.codingvalue.com/setup

Answer 1

您可以使用 Terraform 数据资源aws_caller_identity 。 数据资源有一个可以导出的account_id属性。 这也可以防止将帐户 ID 硬编码到您的代码中。 我已经将附加内容添加到您可以测试的代码中。

resource "aws_iam_user" "product_upload_user" {
  name = "cc-${terraform.workspace}-product-upload-user"
}

resource "aws_iam_user_policy" "allow_upload" {
  user   = aws_iam_user.product_upload_user.name
  policy = data.aws_iam_policy_document.allow_upload.json
}

data "aws_iam_policy_document" "allow_upload" {
  statement {
    sid       = "STSToken"
    effect    = "Allow"
    actions   = ["sts:GetFederationToken"]
    resources = ["arn:aws:sts::${data.aws_caller_identity.current.account_id}:federated-user/S3UploadWebToken"]
  }
}

data "aws_caller_identity" "current" {}