我对一堆IAM用户感到很奇怪,这些用户在后续terraform apply
操作中被添加或从IAM组中删除。即使没有其他改变。
我知道这些功能还不能完全发挥作用,因为仍然需要添加登录配置文件,但是该计划只是为了节省一些精力并手动完成用户设置。
在Ubuntu 20.1上使用Terraform 13.5。
# main.tf
# Create a group for them
resource "aws_iam_group" "proj" {
name = "proj-AdminGroup-Nov-2020"
}
# Create the individual users
resource "aws_iam_user" "example" {
count = length(var.iam_users)
name = element(var.iam_users,count.index)
force_destroy = true
}
# Attach the standard AdministratorAccess policy to the group
# Use 'data' to get the arn of the policy
data "aws_iam_policy" "AdministratorAccess" {
arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
# Attach the policy to the group
resource "aws_iam_group_policy_attachment" "test-attach" {
group = aws_iam_group.proj.name
policy_arn = data.aws_iam_policy.AdministratorAccess.arn
}
# Assign the Users to the group
resource "aws_iam_group_membership" "team" {
name = "tf-proj-group-membership"
count = length(var.iam_users)
users = [
element(aws_iam_user.example.*.name, count.index)
]
group = aws_iam_group.proj.name
}
# variables.tf
variable "iam_users" {
type = list
default =[
"user1",
"user2"
]
}
秒后的状态。
第二地形应用输出:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_iam_group_membership.team[0] will be updated in-place
~ resource "aws_iam_group_membership" "team" {
group = "proj-AdminGroup-Nov-2020"
id = "tf-proj-group-membership"
name = "tf-proj-group-membership"
~ users = [
"user1",
- "user2",
]
}
# aws_iam_group_membership.team[1] will be updated in-place
~ resource "aws_iam_group_membership" "team" {
group = "proj-AdminGroup-Nov-2020"
id = "tf-proj-group-membership"
name = "tf-proj-group-membership"
~ users = [
- "user1",
"user2",
]
}
Plan: 0 to add, 2 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
我不太确定您为什么要count = length(var.iam_users)
在自己的中使用aws_iam_group_membership
。通常,您可以这样进行:
resource "aws_iam_group_membership" "team" {
name = "tf-proj-group-membership"
users = aws_iam_user.example[*].name
group = aws_iam_group.proj.name
}
上面的方法确实可以正常工作,并且没有显示您正在描述的行为。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句