在备用terraform上的IAM组中添加和删除的Terraform AWS IAM用户apply命令

伯克

我对一堆IAM用户感到很奇怪，这些用户在后续terraform apply操作中被添加或从IAM组中删除。即使没有其他改变。

我知道这些功能还不能完全发挥作用，因为仍然需要添加登录配置文件，但是该计划只是为了节省一些精力并手动完成用户设置。

在Ubuntu 20.1上使用Terraform 13.5。

# main.tf
# Create a group for them
resource "aws_iam_group" "proj" {
    name = "proj-AdminGroup-Nov-2020"
}

# Create the individual users
resource "aws_iam_user" "example" {
  count = length(var.iam_users)
  name = element(var.iam_users,count.index)
  force_destroy = true
}

# Attach the standard AdministratorAccess policy to the group
# Use 'data' to get the arn of the policy
data "aws_iam_policy" "AdministratorAccess" {
    arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
# Attach the policy to the group
resource "aws_iam_group_policy_attachment" "test-attach" {
  group      = aws_iam_group.proj.name
  policy_arn = data.aws_iam_policy.AdministratorAccess.arn
}
# Assign the Users to the group
resource "aws_iam_group_membership" "team" {
  name = "tf-proj-group-membership"
  count = length(var.iam_users)

  users = [
      element(aws_iam_user.example.*.name, count.index)
      ]

  group = aws_iam_group.proj.name
}

# variables.tf
variable "iam_users" {
    type = list
    default =[
        "user1", 
        "user2"
    ]
}

应用第一个地形后的状态。

秒后的状态。

第二地形应用输出：

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_group_membership.team[0] will be updated in-place
  ~ resource "aws_iam_group_membership" "team" {
        group = "proj-AdminGroup-Nov-2020"
        id    = "tf-proj-group-membership"
        name  = "tf-proj-group-membership"
      ~ users = [
            "user1",
          - "user2",
        ]
    }

  # aws_iam_group_membership.team[1] will be updated in-place
  ~ resource "aws_iam_group_membership" "team" {
        group = "proj-AdminGroup-Nov-2020"
        id    = "tf-proj-group-membership"
        name  = "tf-proj-group-membership"
      ~ users = [
          - "user1",
            "user2",
        ]
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

马辛

我不太确定您为什么要count = length(var.iam_users)在自己的中使用aws_iam_group_membership。通常，您可以这样进行：

resource "aws_iam_group_membership" "team" {
  name = "tf-proj-group-membership"

  users = aws_iam_user.example[*].name

  group = aws_iam_group.proj.name
}

上面的方法确实可以正常工作，并且没有显示您正在描述的行为。

本文收集自互联网，转载请注明来源。

如有侵权，请联系 [email protected] 删除。