我需要通过 Terraform 创建一个新的 IAM 角色。该角色应该有一个在 AWS (AmazonSSMFullAccess) 中预定义的策略,但我找不到任何地方应该如何添加已经创建的策略。代码模板应如下所示:
resource "aws_iam_role" "role" {
name = var.name
assume_role_policy = var.assume_role_policy
max_session_duration = var.max_session_duration
description = var.description
}
resource "aws_iam_role_policy_attachment" "attach_policy" {
policy_arn = var.policy_to_attach
role = aws_iam_role.role.name
}
对于现有的 aws 策略,您可以直接从控制台复制其 arn。然后只需将 arn 粘贴为 policy_arn 参数。在你的情况下:
resource "aws_iam_role_policy_attachment" "attach_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
role = aws_iam_role.role.name
}
为了使其更加安全,您可以首先使用数据源导入策略:
data "aws_iam_policy" "example" {
arn = "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
}
resource "aws_iam_role_policy_attachment" "attach_policy" {
policy_arn = data.aws_iam_policy.example.arn
role = aws_iam_role.role.name
}
编辑:数据源也可以通过名称召唤:
data "aws_iam_policy" "test" {
name = "AmazonSSMFullAccess"
}
正如评论中所说,数据源将有助于在 terraform 尝试执行其他任何操作之前检查您是否可以找到并阅读给定的策略。