
我正在为 API 网关创建一个策略和角色,以便使用下面的 Terraform 配置访问 DynamoDB API 端点。我遗漏了什么?运行 terraform plan 时收到无效策略(invalid policy)错误。

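resource "aws_iam_role_policy" "api_dbaccess_policy" {
  name = "api_dbaccess_policy"
  role = "${aws_iam_role.apiGatewayDynamoDbAccessRole.id}"

  # The policy document must not carry leading whitespace: with a plain
  # `<<EOF` heredoc every space inside the block becomes part of the string,
  # and an indented JSON document is what produces the "invalid policy"
  # error at plan time. Both the JSON and the closing EOF marker therefore
  # start at column 0 here.
  #
  # NOTE(review): "Resource": "*" combined with dynamodb:Delete*,
  # dynamodb:Update* and dynamodb:CreateTable grants the API Gateway role
  # write/destroy rights over every table in the account. Once the plan
  # error is gone, scope Resource to the ARN(s) of the table(s) this API
  # actually serves (e.g. "<TABLE_ARN_PLACEHOLDER>") and drop the actions
  # the integration does not use.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGet*",
        "dynamodb:DescribeStream",
        "dynamodb:DescribeTable",
        "dynamodb:Get*",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWrite*",
        "dynamodb:CreateTable",
        "dynamodb:Delete*",
        "dynamodb:Update*",
        "dynamodb:PutItem"
      ],
      "Resource": "*"
    }
  ]
}
EOF

  # depends_on = [
  #   "aws_dynamodb_table.us-east-1"
  # ]
}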

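resource "aws_iam_role" "apiGatewayDynamoDbAccessRole" {
  name = "apiGatewayDynamoDbAccessRole"

  # Trust policy: lets the API Gateway service principal assume this role.
  # As with the inline policy above, the JSON must start at column 0 —
  # leading whitespace inside a `<<EOF` heredoc is part of the document and
  # is rejected as an invalid policy.
  #
  # NOTE(review): any API Gateway in any account can present this service
  # principal. To make sure only your own API can assume the role (confused
  # deputy), add a Condition on aws:SourceArn (the execute-api ARN of your
  # API) and/or aws:SourceAccount once the basic plan succeeds.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "apigateway.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}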

我究竟做错了什么?我收到无效策略(invalid policy)错误。




如前所述,只需删除 EOF 块(heredoc)内容中的缩进即可……

另一种选择是使用 aws_iam_policy_document 数据源。对我来说,这种方法更简洁、更易于维护,例如在使用支持 Terraform 的 IDE 时。你的配置会是下面这样(这里不需要 "Effect": "Allow",因为它是默认行为):

resource "aws_iam_role_policy" "api_dbaccess_policy" {
  # Inline policy attached to the API Gateway role. The JSON itself is
  # rendered by the aws_iam_policy_document data source below, so there is
  # no heredoc (and no indentation problem) here.
  role   = "${aws_iam_role.apiGatewayDynamoDbAccessRole.id}"
  name   = "api_dbaccess_policy"
  policy = "${data.aws_iam_policy_document.dynamodb.json}"
}

resource "aws_iam_role" "apiGatewayDynamoDbAccessRole" {
  # Role assumed by API Gateway; its trust policy comes from the
  # aws_iam_policy_document.apigateway data source below.
  assume_role_policy = "${data.aws_iam_policy_document.apigateway.json}"
  name               = "apiGatewayDynamoDbAccessRole"
}

data "aws_iam_policy_document" "dynamodb" {
  # Permissions granted to the API Gateway role on DynamoDB. Effect defaults
  # to "Allow", so it is not spelled out.
  #
  # NOTE(review): resources = ["*"] together with the Delete*/Update*/
  # CreateTable actions covers every table in the account; narrow it to the
  # ARN(s) of the table(s) this API serves (e.g. "<TABLE_ARN_PLACEHOLDER>")
  # and keep only the actions the integration really needs.
  statement {
    resources = ["*"]

    actions = [
      "dynamodb:BatchGet*",
      "dynamodb:DescribeStream",
      "dynamodb:DescribeTable",
      "dynamodb:Get*",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:BatchWrite*",
      "dynamodb:CreateTable",
      "dynamodb:Delete*",
      "dynamodb:Update*",
      "dynamodb:PutItem",
    ]
  }
}

data "aws_iam_policy_document" "apigateway" {
  # Trust policy: the API Gateway service principal may assume the role.
  #
  # NOTE(review): the service principal alone does not tie the trust to
  # your own API. Consider adding a condition block on aws:SourceArn (the
  # execute-api ARN of your API) and/or aws:SourceAccount to close the
  # confused-deputy gap.
  statement {
    principals {
      identifiers = ["apigateway.amazonaws.com"]
      type        = "Service"
    }

    actions = ["sts:AssumeRole"]
  }
}
于 2018-09-03T11:47:35.543 回答