Terraform: associate an aws_iam_role with an aws_iam_policy
Difference between aws_iam_policy and aws_iam_role_policy
I have an aws_iam_role that I want to add a policy to. Normally, I would create a policy with aws_iam_role_policy_attachment and attach it to the role with aws_iam_role.
However, I have seen some documentation that uses aws_iam_role_policy, and to me it looks like it is doing the same thing.
Am I right, or is there a subtle difference I am missing?
The difference is between managed policies and inline policies.
When you create an aws_iam_policy, it is a managed policy and can be reused.
When you create an aws_iam_role_policy, it is an inline policy for the given role. The aws_iam_role_policy resource is incompatible with the inline_policy argument of the aws_iam_role resource. When that argument and this resource are used together, both will try to manage the role's inline policies, and Terraform will show a permanent diff.
Code to reproduce the above:
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

resource "aws_iam_role" "role" {
  name = "test-role1"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}
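The following configuration is an added example, not code from the question or the answer above. It shows the two patterns side by side: one managed policy (aws_iam_policy) attached to two different roles through aws_iam_role_policy_attachment, which is what "reusable" means in practice, and one inline policy (aws_iam_role_policy) that exists only on a single role and is deleted with it. The commented-out inline_policy block at the end is the form that must not be combined with the aws_iam_role_policy resource for the same role, since both would then try to own the role's inline policies. All resource names, the role names and the bucket ARN are placeholders chosen for this example.

```hcl
# Added example; assumes an AWS provider is already configured.
# Role names, policy names and the bucket ARN are placeholders.

# Trust policy shared by both roles (EC2 instances may assume them).
locals {
  ec2_trust = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role" "app" {
  name               = "example-app-role"
  assume_role_policy = local.ec2_trust
}

resource "aws_iam_role" "ops" {
  name               = "example-ops-role"
  assume_role_policy = local.ec2_trust
}

# Managed policy: has its own ARN and can be attached to many principals.
# Changing it here changes the permissions of every role it is attached to.
resource "aws_iam_policy" "read_ec2" {
  name        = "example-read-ec2"
  description = "Read-only EC2 describe access (managed, reusable)"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action   = ["ec2:Describe*"]
      Effect   = "Allow"
      Resource = "*"
    }]
  })
}

# The same managed policy attached to two roles.
resource "aws_iam_role_policy_attachment" "app_read_ec2" {
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.read_ec2.arn
}

resource "aws_iam_role_policy_attachment" "ops_read_ec2" {
  role       = aws_iam_role.ops.name
  policy_arn = aws_iam_policy.read_ec2.arn
}

# Inline policy: embedded in one role, no ARN, removed when the role is removed.
# Suitable for a permission that is specific to exactly this role.
resource "aws_iam_role_policy" "app_bucket" {
  name = "example-app-bucket-access"
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action   = ["s3:GetObject"]
      Effect   = "Allow"
      Resource = "arn:aws:s3:::example-placeholder-bucket/*"
    }]
  })
}

# Conflicting form (left commented out on purpose): declaring the inline policy
# inside the role with inline_policy AND managing it with aws_iam_role_policy
# makes both resources claim the role's inline policies, and every plan shows a diff.
# resource "aws_iam_role" "app" {
#   name               = "example-app-role"
#   assume_role_policy = local.ec2_trust
#   inline_policy {
#     name   = "example-app-bucket-access"
#     policy = aws_iam_role_policy.app_bucket.policy
#   }
# }
```

Pick one owner for inline policies per role: either the inline_policy blocks on aws_iam_role or separate aws_iam_role_policy resources, never both. Managed policies are the better fit whenever the same permission set is needed by more than one role, because a single change propagates to every attachment and the policy has an ARN that can be referenced and audited on its own.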