[英]Terraform use existing policy for s3 bucket
在我的terraform配置中,我有一個附加到某些roles
的policy
。
創建s3存儲桶時如何重用此策略?
resource "aws_iam_policy" "s3-read-access" {
name = "my-warehouse-read-access"
version = "2019-05-28"
policy = "${data.aws_iam_policy_document.s3-read-access.json}"
}
resource "aws_s3_bucket" "my-warehouse" {
bucket = "my-bucket"
acl = "private"
policy = "${aws_iam_policy.s3-read-access.arn}"
}
不幸的是,我收到一個錯誤: Error putting S3 policy: MalformedPolicy: Policies must be valid JSON and the first byte must be '{'
。
似乎該policy
需要在heredoc
-notation中使用json配置,但是我必須重用現有策略。
如何在s3-bucket創建中引用該策略?
您可以通過多種方式實現這一目標。 您可以擁有策略JSON並在每個存儲桶中引用它:
resource "aws_s3_bucket" "b" {
bucket = "s3-website-test.hashicorp.com"
acl = "public-read"
policy = "${file("policy.json")}"
}
或者您可以創建一個數據塊:
data "aws_iam_policy_document" "your_super_amazing_policy" {
count = "${length(keys(var.statement))}"
statement {
sid = "CloudfrontBucketActions"
actions = ["s3:GetObject"]
resources = ["*"]
}
而你在水桶上:
resource "aws_s3_bucket" "private_bucket" {
bucket = "acme-private-bucket"
acl = "private"
policy = "${data.aws_iam_policy_document.your_super_amazing_policy.json}"
tags {
Name = "private-bucket"
terraform = "true"
}
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.