Difference between aws_iam_policy and aws_iam_role_policy

Problem description

I have an aws_iam_role that I want to add policies to. Usually I would create a policy with aws_iam_role and attach it to the role with aws_iam_role_policy_attachment.

However, I have seen some documentation that uses aws_iam_role_policy, and as far as I can tell it seems to do the same thing.

Am I right, or am I missing a subtle difference?

Solution

The difference is managed policies versus inline policies.

When you create an aws_iam_policy, it is a managed policy, which can be reused.


When you create an aws_iam_role_policy, it is an inline policy.


For a given role, the aws_iam_role_policy resource is incompatible with using the aws_iam_role resource's inline_policy argument. When both are used for the same role, each will try to manage the role's inline policies and Terraform will show a perpetual difference.
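As an added example (not part of the original question or answer), the configuration below shows the conflict just described and one way to lay out the same permissions so that only one resource owns each kind of policy. The role names, the policy document contents and the S3 bucket ARN are made up for illustration; the resource and data-source types are the AWS provider's own.

```hcl
# Added example, not code from the original question or answer.
# Role names, the "read_logs" document and the bucket ARN are placeholders.

# --- The conflicting pattern ------------------------------------------------
# Both resources below claim ownership of the inline policies on "worker":
# aws_iam_role.inline_policy wants the role to carry exactly one inline policy
# ("worker-inline"), while aws_iam_role_policy adds a second one. Each apply,
# one resource adds what the other wants removed, so the plan is never clean.
#
# resource "aws_iam_role" "worker" {
#   name               = "worker"
#   assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
#   inline_policy {
#     name   = "worker-inline"
#     policy = data.aws_iam_policy_document.read_logs.json
#   }
# }
#
# resource "aws_iam_role_policy" "worker_extra" {
#   name   = "worker-extra"
#   role   = aws_iam_role.worker.id
#   policy = data.aws_iam_policy_document.read_logs.json
# }

# --- One owner per kind of policy --------------------------------------------
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Placeholder permission set: read-only access to one (made-up) log bucket.
data "aws_iam_policy_document" "read_logs" {
  statement {
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-app-logs",
      "arn:aws:s3:::example-app-logs/*",
    ]
  }
}

# Inline policies on "worker" are managed only through aws_iam_role_policy.
# Leaving inline_policy out of aws_iam_role means the role resource does not
# touch inline policies at all, so there is nothing for the two to fight over.
resource "aws_iam_role" "worker" {
  name               = "worker"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy" "worker_read_logs" {
  name   = "worker-read-logs"
  role   = aws_iam_role.worker.id
  policy = data.aws_iam_policy_document.read_logs.json
}

# Managed policy: one policy object with its own ARN, attachable to as many
# roles as need it. An inline policy cannot be shared this way; it lives and
# dies with the single role it is written on.
resource "aws_iam_policy" "read_logs" {
  name   = "read-app-logs"
  policy = data.aws_iam_policy_document.read_logs.json
}

resource "aws_iam_role" "reporter" {
  name               = "reporter"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy_attachment" "reporter_read_logs" {
  role       = aws_iam_role.reporter.name
  policy_arn = aws_iam_policy.read_logs.arn
}
```

The commented-out block is the shape to look for when a plan keeps reporting changes to a role's inline policies: one role, two resources claiming its inline policies. The rest keeps a clear split: aws_iam_role_policy for policy text that belongs to exactly one role, aws_iam_policy plus aws_iam_role_policy_attachment for a document that several roles share, so a later change to the managed policy reaches every role at once instead of being copied into each role's inline policy.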

Code that reproduces the two cases above

# Inline policy: the policy document lives on the role itself and is
# created, updated and deleted together with this resource.
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["ec2:Describe*"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

# Managed policy: a standalone policy object with its own ARN, attached to
# the role with aws_iam_role_policy_attachment and reusable by other roles.
resource "aws_iam_role" "role" {
  name = "test-role1"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"

  # "Effect" is required in every statement; without it the policy document
  # is rejected by IAM.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}