[英]Terraform AWS IAM Role “inline_policy.0.policy” contains an invalid JSON policy using ${file xyz} and jsonencode
[英]AWS invalid policy - terraform
我正在為API網關創建策略和角色,以使用以下terraform配置訪問dynamodb api端點。 我想念什么? 我在terraform plan
收到無效的政策錯誤
resource "aws_iam_role_policy" "api_dbaccess_policy" {
name = "api_dbaccess_policy"
role = "${aws_iam_role.apiGatewayDynamoDbAccessRole.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGet*",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWrite*",
"dynamodb:CreateTable",
"dynamodb:Delete*",
"dynamodb:Update*",
"dynamodb:PutItem"
],
"Resource": "*"
}
]
}
EOF
# depends_on = [
# "aws_dynamodb_table.us-east-1"
# ]
}
resource "aws_iam_role" "apiGatewayDynamoDbAccessRole" {
name = "apiGatewayDynamoDbAccessRole"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
我究竟做錯了什么? 我收到無效的政策錯誤。
如前所述,只需刪除EOF
塊中的縮進即可...
另一個選擇是使用aws_iam_policy_document
數據源。 對我而言,這是一種更清潔的方法,並且具有更好的可維護性,例如,當您使用具有Terraform支持的IDE時。 您的配置看起來像這樣( "Effect": "Allow"
在這里不需要,因為它是默認行為):
resource "aws_iam_role_policy" "api_dbaccess_policy" {
name = "api_dbaccess_policy"
role = "${aws_iam_role.apiGatewayDynamoDbAccessRole.id}"
policy = "${data.aws_iam_policy_document.dynamodb.json}"
}
resource "aws_iam_role" "apiGatewayDynamoDbAccessRole" {
name = "apiGatewayDynamoDbAccessRole"
assume_role_policy = "${data.aws_iam_policy_document.apigateway.json}"
}
data "aws_iam_policy_document" "dynamodb" {
statement {
actions = [
"dynamodb:BatchGet*",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWrite*",
"dynamodb:CreateTable",
"dynamodb:Delete*",
"dynamodb:Update*",
"dynamodb:PutItem"
]
resources = ["*"]
}
}
data "aws_iam_policy_document" "apigateway" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["apigateway.amazonaws.com"]
}
}
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.