0

我正在尝试附加一个已创建为地图列表的策略 ARN 列表。请看下面:

variables.tf

variable "arns_map" {   type  = "map"
     default = {
    default       = [
      "default"
    ]
    bakery   = [    
        "arn:aws:iam::aws:policy/AmazonECS_FullAccess",
        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
        "arn:aws:iam::aws:policy/AmazonSNSFullAccess"
    ]
    lambda = [
    "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
    ]
    media-server  = [
    "arn:aws:iam::aws:policy/AmazonSQSFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess",
    "arn:aws:iam::aws:policy/AmazonECS_FullAccess",
    "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
    ]
    recognition = [
    "arn:aws:iam::aws:policy/AmazonESFullAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    "arn:aws:iam::aws:policy/AmazonECS_FullAccess"
    ]
    frontends = [
      "arn:aws:iam::aws:policy/CloudFrontFullAccess"
    ]
    elasticbeanstalk = [
      "arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess"
    ]
    docker = [
      "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
    ]
    media = [
        "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
        "arn:aws:iam::aws:policy/AmazonSQSFullAccess",
        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
        "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
      ]   } }

我的资源是这些:

主文件

resource "aws_iam_role" "tenant_roles" {
  count = length(var.role_names)
  name  = element(var.role_names, count.index)
  description = "Dedicated role for tenants"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${var.kops_nodes_role_arn}"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

  tags  = {
    Managedby = "terraform"
  }
}

resource "aws_iam_role_policy_attachment" "tenant_policies" {
  count       = length(values(var.arns_map))
  role        = join(",", keys(var.arns_map))
  # policy_arn  = element(var.role_names, count.index)
  policy_arn  = join(",", values(var.arns_map))

  depends_on = [
    aws_iam_role.tenant_roles,
  ]
}

我收到以下错误:

Error: Invalid function argument

  on ../../_platform_modules/roles/main.tf line 38, in resource "aws_iam_role_policy_attachment" "tenant_policies":
  38:   policy_arn  = join(",", values(var.arns_map))
    |----------------
    | var.arns_map is map of list of string with 9 elements

Invalid value for "lists" parameter: incorrect list element type: string
required.


Error: Invalid function argument

  on ../../_platform_modules/roles/main.tf line 38, in resource "aws_iam_role_policy_attachment" "tenant_policies":
  38:   policy_arn  = join(",", values(var.arns_map))
    |----------------
    | var.arns_map is map of list of string with 9 elements

Invalid value for "lists" parameter: incorrect list element type: string
required.

我正在使用 terraform 0.12.6 来管理 AWS 资源。

关于如何做到这一点的任何想法?

提前致谢

4

1 回答 1

1

这是因为需要从资源中得到aws_iam_role_policy_attachment字符串化的 arn,如示例中所述,并且您正在尝试提供.aws_iam_policylist(string)

我对 AWS IAM 的经验有限,我不确定role参数,但看起来你想迭代地图。像这样:

resource "aws_iam_role_policy_attachment" "tenant_policies" {
  count       = length(keys(var.arns_map))
  role        = element(keys(var.arns_map), count.index)
  policy_arn  = join(",", var.arns_map[element(keys(var.arns_maps), count.index))]
}

您也可以使用局部变量:

locals {
  arns_keys = keys(var.arns_map)
  arns_values = [for k in keys(var.arns_map) : join(",", var.arns_map[k])]
}

resource "aws_iam_role_policy_attachment" "tenant_policies" {
  count       = length(local.arns_keys)
  role        = join(",", local.arns_keys)
  policy_arn  = element(local.arns_values, count.index)
}
于 2019-08-20T19:22:08.907 回答