How to add multiple policies using a loop in Terraform
I am trying to create multiple SNS topic subscriptions on an SQS queue. I have a configuration file in JSON format like the following:

    "snsSubscriptionArns": [
      "arn:aws:sns:<region>:<accountno>:test1",
      "arn:aws:sns:<region>:<accountno>:test2",
      "arn:aws:sns:<region>:<accountno>:test3"
    ]

The ARNs mentioned above depend on the requirement. They are dynamic: there could be 0 of them or there could be 5. I am trying to create the policy with the following:
    locals {
      # Load all of the data from json
      config = jsondecode(file("testsqs.json"))
    }

    data "aws_iam_policy_document" "sns_policy" {
      for_each = lookup(local.config, "snsSubscriptionArns", null) == null ? toset([]) : [ for i in local.config.snsSubscriptionArns : i ]

      statement {
        sid    = "topic-subscription-${each.key}"
        effect = "Allow"
        actions = [
          "sqs:SendMessage"
        ]
        resources = [
          "test-arn"
        ]
        condition {
          test     = "ArnLike"
          variable = "aws:SourceArn"
          values = [
            "${each.key}"
          ]
        }
      }

      policy = data.aws_iam_policy_document.sns_policy[each.key].json
    }
I need to collect all the policies, and then I will create the SQS queue with those policies using a resource block like the one below:

    resource "aws_sqs_queue_policy" "sqs_queue_policy" {
      queue_url = aws_sqs_queue.queue.id
      policy    = data.aws_iam_policy_document.sns_policy.json
    }

But I get the following error message:

    Error: Unsupported argument

      on main.tf line 36, in data "aws_iam_policy_document" "sns_policy":
      36:   policy = data.aws_iam_policy_document.sns_policy[each.key].json

    An argument named "policy" is not expected here.

It seems my approach is wrong in Terraform. Could someone guide me on how to implement this? Thanks in advance.
policy is not a valid attribute of the iam_policy_document data source, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document

It is expected on the aws_iam_policy data source; you have to create the aws_iam_policy resource with a for_each loop.
As you can see from the documentation of the aws_iam_policy_document data source, there is no policy attribute. I believe either of these two options should work. You were close.

Given the source JSON file testsqs.json:
    {
      "snsSubscriptionArns": [
        "arn:aws:sns:<region>:<accountno>:test1",
        "arn:aws:sns:<region>:<accountno>:test2",
        "arn:aws:sns:<region>:<accountno>:test3"
      ]
    }

and main.tf:
    locals {
      config = jsondecode(file("testsqs.json"))
      arns   = lookup(local.config, "snsSubscriptionArns", [])
    }

    data "aws_iam_policy_document" "sns_policy_one_statement" {
      statement {
        actions   = ["sqs:SendMessage"]
        resources = ["test-arn"]
        condition {
          test     = "ArnLike"
          variable = "aws:SourceArn"
          values   = local.arns
        }
      }
    }

    data "aws_iam_policy_document" "sns_policy_many_statements" {
      dynamic "statement" {
        for_each = local.arns
        content {
          sid       = "topic-subscription-${statement.key}"
          actions   = ["sqs:SendMessage"]
          resources = ["test-arn"]
          condition {
            test     = "ArnLike"
            variable = "aws:SourceArn"
            values   = [statement.value]
          }
        }
      }
    }

    output "sns_policy_one_statement" {
      value = data.aws_iam_policy_document.sns_policy_one_statement.json
    }

    output "sns_policy_many_statements" {
      value = data.aws_iam_policy_document.sns_policy_many_statements.json
    }

you get the following output:
    Changes to Outputs:
      + sns_policy_many_statements = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sqs:SendMessage"
                      + Condition = {
                          + ArnLike = {
                              + "aws:SourceArn" = "arn:aws:sns:<region>:<accountno>:test1"
                            }
                        }
                      + Effect    = "Allow"
                      + Resource  = "test-arn"
                      + Sid       = "topic-subscription-0"
                    },
                  + {
                      + Action    = "sqs:SendMessage"
                      + Condition = {
                          + ArnLike = {
                              + "aws:SourceArn" = "arn:aws:sns:<region>:<accountno>:test2"
                            }
                        }
                      + Effect    = "Allow"
                      + Resource  = "test-arn"
                      + Sid       = "topic-subscription-1"
                    },
                  + {
                      + Action    = "sqs:SendMessage"
                      + Condition = {
                          + ArnLike = {
                              + "aws:SourceArn" = "arn:aws:sns:<region>:<accountno>:test3"
                            }
                        }
                      + Effect    = "Allow"
                      + Resource  = "test-arn"
                      + Sid       = "topic-subscription-2"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + sns_policy_one_statement   = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sqs:SendMessage"
                      + Condition = {
                          + ArnLike = {
                              + "aws:SourceArn" = [
                                  + "arn:aws:sns:<region>:<accountno>:test1",
                                  + "arn:aws:sns:<region>:<accountno>:test2",
                                  + "arn:aws:sns:<region>:<accountno>:test3",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Resource  = "test-arn"
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
You only need for_each at the resource level if you want to create several of that resource. In your case I think you need only one policy. You can decide which of the two applies to aws_sqs_queue_policy. This uses dynamic blocks.
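As an added example (not code from the asker or either answerer), the following wires the "many statements" variant from the answer above to the queue the question wants to protect, and tightens the two parts the thread leaves as placeholders: the statement names `sns.amazonaws.com` as the only allowed principal, and `resources` points at the queue's own ARN instead of the string "test-arn", so the `aws:SourceArn` condition is the only thing deciding which topics may deliver. The resource names, the queue name, the `${path.module}` file path and the `count` guard for an empty ARN list are assumptions, not something the thread specifies.

```hcl
# Added example: SNS -> SQS queue policy built from a JSON list of topic ARNs.
# Names (aws_sqs_queue.queue, "example-queue", sns_to_sqs) are assumed.

locals {
  config = jsondecode(file("${path.module}/testsqs.json"))
  # Empty list when the key is absent, so 0..N topics all plan cleanly.
  sns_topic_arns = lookup(local.config, "snsSubscriptionArns", [])
}

resource "aws_sqs_queue" "queue" {
  name = "example-queue" # assumed name
}

data "aws_iam_policy_document" "sns_to_sqs" {
  # One statement per topic ARN; statement.key is the list index, so the
  # sids come out as topic-subscription-0, -1, ... exactly as in the answer.
  dynamic "statement" {
    for_each = local.sns_topic_arns
    content {
      sid     = "topic-subscription-${statement.key}"
      effect  = "Allow"
      actions = ["sqs:SendMessage"]

      # Only the SNS service may use this statement; without a principals
      # block the queue policy has no Principal at all.
      principals {
        type        = "Service"
        identifiers = ["sns.amazonaws.com"]
      }

      # Grant on this queue only, rather than on a placeholder string.
      resources = [aws_sqs_queue.queue.arn]

      # And only for messages that originate from this specific topic.
      # ArnLike with a wildcard-free ARN behaves like an exact match.
      condition {
        test     = "ArnLike"
        variable = "aws:SourceArn"
        values   = [statement.value]
      }
    }
  }
}

resource "aws_sqs_queue_policy" "sqs_queue_policy" {
  # Attach nothing when no topics are configured, instead of a policy
  # document whose Statement list is empty.
  count = length(local.sns_topic_arns) > 0 ? 1 : 0

  queue_url = aws_sqs_queue.queue.id
  policy    = data.aws_iam_policy_document.sns_to_sqs.json
}

# Rendered JSON for review in `terraform plan` before it is applied.
output "sns_to_sqs_policy_json" {
  value = data.aws_iam_policy_document.sns_to_sqs.json
}
```

Run `terraform plan` and read the `sns_to_sqs_policy_json` output: every statement should carry a `Principal` of `{"Service": "sns.amazonaws.com"}`, a `Resource` equal to the queue ARN, and a `Condition` naming exactly one topic ARN. A statement missing any of those three is the thing to look for when reviewing a queue policy, because without them any principal, or any topic in the account, could be allowed to send to the queue.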