堆棧內存溢出
  簡體   English   中英

AWS無效政策-Terraform

[英]AWS invalid policy - terraform

 原文  2018-08-31 23:04:01       amazon-web-services/ terraform/ amazon-iam/ terraform-provider-aws

問題描述

我正在為API網關創建策略和角色,以使用以下terraform配置訪問dynamodb api端點。 我想念什么? 我在terraform plan收到無效的政策錯誤 

resource "aws_iam_role_policy" "api_dbaccess_policy" {
  name = "api_dbaccess_policy"
  role = "${aws_iam_role.apiGatewayDynamoDbAccessRole.id}"

  policy = <<EOF
  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem"
            ],
            "Resource": "*"
        }
    ]
  }
  EOF

  # depends_on = [ 
  #   "aws_dynamodb_table.us-east-1"
  # ]
}

resource "aws_iam_role" "apiGatewayDynamoDbAccessRole" {
  name = "apiGatewayDynamoDbAccessRole"

  assume_role_policy = <<EOF
  {
      "Version": "2012-10-17",
      "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": [
                  "apigateway.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
              }
      ]
      }
  EOF
}

我究竟做錯了什么? 我收到無效的政策錯誤。

1 個解決方案

解決方案1
 0  2018-09-03 11:47:35

如前所述,只需刪除EOF塊中的縮進即可...

另一個選擇是使用aws_iam_policy_document數據源。 對我而言,這是一種更清潔的方法,並且具有更好的可維護性,例如,當您使用具有Terraform支持的IDE時。 您的配置看起來像這樣( "Effect": "Allow"在這里不需要,因為它是默認行為): 

resource "aws_iam_role_policy" "api_dbaccess_policy" {
  name = "api_dbaccess_policy"
  role = "${aws_iam_role.apiGatewayDynamoDbAccessRole.id}"

  policy = "${data.aws_iam_policy_document.dynamodb.json}"
}

resource "aws_iam_role" "apiGatewayDynamoDbAccessRole" {
  name = "apiGatewayDynamoDbAccessRole"

  assume_role_policy = "${data.aws_iam_policy_document.apigateway.json}"
}

data "aws_iam_policy_document" "dynamodb" {
  statement {
    actions = [
      "dynamodb:BatchGet*",
      "dynamodb:DescribeStream",
      "dynamodb:DescribeTable",
      "dynamodb:Get*",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:BatchWrite*",
      "dynamodb:CreateTable",
      "dynamodb:Delete*",
      "dynamodb:Update*",
      "dynamodb:PutItem"
    ]

    resources = ["*"]
  }
}

data "aws_iam_policy_document" "apigateway" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 Terraform AWS IAM 角色“inline_policy.0.policy”包含使用 ${file xyz} 和 jsonencode 的無效 JSON 策略 Terraform 覆蓋 AWS 托管策略 Terraform 和 AWS:修改現有策略 存儲桶策略 Terraform AWS 中的未知原則 導入 terraform aws_iam_policy 如何在 terraform 的 AWS 策略中插入變量 Terraform 依賴於 aws_iam_policy 對於 Terraform 用戶,最好的內置 AWS 策略是什么? 具有策略分配的 terraform aws iam 角色 aws autscaling api 通過 terraform 訪問策略
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM