我試圖在我的三個環境中的每一個中為用戶附加不同型別的策略:開發、暫存和生產。
環境資訊以字串格式存盤為 terraform 變數,例如“dev”。
resource "aws_iam_policy" "s3-dev-policy" {
count = var.stage != "dev" ? 1 : 0
name = "s3-bucket-policy-${var.stage}"
description = "Access rights for cicd-user to Bucket on Dev"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3::: dev-bucket-pushed",
"arn:aws:s3::: dev-bucket-pushed/*"
]
}
}
EOF
}
resource "aws_iam_group_policy_attachment" "attach_cicd-users_s3_dev_group_policy" {
count = var.stage != "dev" ? 1 : 0
group = aws_iam_group.cicd-users.name
policy_arn = aws_iam_policy.s3-dev-policy[count.index]
}
Terraform apply 不會抱怨語法,但即使階段設定為“dev”,它也不會應用此資源。條件是否僅適用于布林值作為資料型別?
uj5u.com熱心網友回復:
您的條件不正確,策略有語法錯誤,arn 不正確,以及其他問題。這一切都應該是:
resource "aws_iam_policy" "s3-dev-policy" {
count = var.stage == "dev" ? 1 : 0
name = "s3-bucket-policy111-${var.stage}"
description = "Access rights for cicd-user to Bucket on Dev"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::dev-bucket-pushed",
"arn:aws:s3:::dev-bucket-pushed/*"
]
}
]
}
EOF
}
resource "aws_iam_group_policy_attachment" "attach_cicd-users_s3_dev_group_policy" {
count = var.stage == "dev" ? 1 : 0
group = aws_iam_group.cicd-users.name
policy_arn = aws_iam_policy.s3-dev-policy[count.index].arn
}
轉載請註明出處,本文鏈接:https://www.uj5u.com/shujuku/339927.html