我有一个 terraform 脚本,它在 aws 上提供了一个 lambda 函数来发送电子邮件。我从网络上的教程和模板中拼凑出这个 terraform 脚本,以使用 AWS SES、Api Gateway、Lambda 和 Cloudwatch 服务。
不过,为了获得工作权限,我必须运行脚本,然后在 AWS 控制台中单独构建一个策略并将其应用于 lambda 函数,以便它可以完全访问 SES 和 Cloudwatch 服务。但是我完全不清楚如何采用该工作策略并将其适应我的 terraform 脚本。任何人都可以提供或指出有关此事的指导吗?
我的 terraform 脚本中的有限/不充分但在其他方面起作用的角色如下所示:
resource "aws_iam_role" "iam_for_lambda" {
name = "${var.role_name}"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Effect": "Allow",
"Sid": ""
}
]
} EOF
}
...以及在控制台中生成的工作策略(通过将两个角色组合在一起以实现所有 Cloudwatch 和所有 SES 访问):
{
"permissionsBoundary": {},
"roleName": "las_role_new",
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:Describe*",
"cloudwatch:*",
"logs:*",
"sns:*",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "events.amazonaws.com"
}
}
}
]
},
"name": "CloudWatchFullAccess",
"id": "ANPAIKEABORKUXN6DEAZU",
"type": "managed",
"arn": "arn:aws:iam::aws:policy/CloudWatchFullAccess"
},
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:*"
],
"Resource": "*"
}
]
},
"name": "AmazonSESFullAccess",
"id": "ANPAJ2P4NXCHAT7NDPNR4",
"type": "managed",
"arn": "arn:aws:iam::aws:policy/AmazonSESFullAccess"
}
],
"trustedEntities": [
"lambda.amazonaws.com"
]
}
有字段所以我总结的问题,最笼统地说,是这样的:
给定在 aws 控制台中构建的“策略”(通过选择一堆角色等),如何将其转换为 terraform 脚本所需的“角色”?