我有一个aws_iam_role
我想添加一个策略。通常,我会创建一个策略aws_iam_role
并将其附加到角色上aws_iam_role_policy_attachment
.
但是,我看过一些使用的文档aws_iam_role_policy
在我看来,这似乎做了同样的事情。
我是正确的还是我错过了细微的差别?
区别在于托管策略和内联策略 https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
当您创建一个aws_iam_policy
,这是一个托管策略,可以重复使用。
当您创建一个aws_iam_role_policy
这是一个内联策略
对于给定的角色,aws_iam_role_policy https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy资源与使用不兼容aws_iam_role
资源inline_policy
争论。当使用该参数和该资源时,两者都将尝试管理角色的内联策略,并且 Terraform 将显示永久差异。
重现上述状态的代码
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = aws_iam_role.test_role.id
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "ec2.amazonaws.com"
}
},
]
})
}
resource "aws_iam_role" "role" {
name = "test-role1"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = aws_iam_role.role.name
policy_arn = aws_iam_policy.policy.arn
}
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)