I am defining attribute-based access control (ABAC) for AWS IAM in my Terraform file. An example policy is shown below:
resource "aws_iam_role_policy" "testS3" {
name = "testS3"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::dev-${aws:PrincipalTag/team}*"
}
]
}
EOF
}
How do I write ${block} in Terraform? Terraform converts it into one of its own variables. Does it work with an extra $ in the string?
resource "aws_iam_role_policy" "testS3" {
name = "testS3"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::dev-$${aws:PrincipalTag/team}*"
}
]
}
EOF
}
I also tried using a variables.tf file and referencing the variable from there in the JSON.
variables.tf
variable "principaltag" {
default = "$${aws:PrincipalTag/tedteam}"
}
policy.tf
resource "aws_iam_role_policy" "testS3" {
name = "testS3"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::dev-${var.principaltag}*"
}
]
}
EOF
}
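A note on what the snippets above actually render to, plus an added check (this is example code written for this page, not code from the original post or from Terraform). In Terraform 0.12 and later, `$${` is the escape for a literal `${` in both quoted strings and heredocs, so the `$${aws:PrincipalTag/team}` heredoc is stored in AWS as the literal `${aws:PrincipalTag/team}`, which is exactly the IAM policy variable ABAC needs. What a practitioner then wants to verify is (1) that the rendered document really contains that literal and no stray `$${`, and (2) what the `Resource` pattern grants once IAM substitutes the principal's tag. The script below does both on a constructed copy of the rendered policy; it assumes, consistent with the IAM documentation, that a statement whose variable references a tag the principal does not carry simply does not match. It also shows a caveat the post's pattern has: `dev-${aws:PrincipalTag/team}*` lets a principal tagged `team=blue` list a `dev-blueberry-...` bucket, because the trailing `*` allows any continuation; a delimiter such as `dev-${aws:PrincipalTag/team}-*` closes that gap. The bucket ARNs are made up for the demonstration.

```python
"""Check a rendered IAM policy for Terraform escape leftovers and simulate how
IAM resolves ${aws:PrincipalTag/...} inside a Resource pattern.

Example code for this page, not from the original post. Replace the constructed
RENDERED_POLICY with the policy taken from `terraform show -json` in practice.
"""
from __future__ import annotations

import json
import re

# Constructed sample: what Terraform emits from the `$${aws:PrincipalTag/team}`
# heredoc once the `$$` escape has been consumed.
RENDERED_POLICY = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::dev-${aws:PrincipalTag/team}*"
    }
  ]
}
'''

# Matches an IAM policy variable such as ${aws:PrincipalTag/team}.
IAM_VAR = re.compile(r"\$\{([A-Za-z0-9:/_-]+)\}")
TAG_PREFIX = "aws:PrincipalTag/"


def check_rendered(rendered: str) -> list[str]:
    """Return a list of problems with a rendered policy document (empty = fine).

    A literal `$${` means the Terraform escape was never consumed, so AWS would
    store `$${aws:...}` and the variable could never resolve.
    """
    problems = []
    if "$${" in rendered:
        problems.append("unconsumed Terraform escape '$${' in rendered policy")
    try:
        json.loads(rendered)
    except json.JSONDecodeError as exc:
        problems.append(f"rendered policy is not valid JSON: {exc}")
    return problems


def policy_variables(rendered: str) -> set[str]:
    """Return the IAM policy variables present in the rendered document."""
    return set(IAM_VAR.findall(rendered))


def resolve_resource(pattern: str, principal_tags: dict[str, str]) -> str | None:
    """Substitute ${aws:PrincipalTag/<key>} from the principal's tags.

    Assumption (consistent with the IAM docs): if a referenced tag is absent,
    the statement cannot match, so None is returned instead of a resource.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if not name.startswith(TAG_PREFIX):
            raise ValueError(f"unsupported policy variable: {name}")
        return principal_tags[name[len(TAG_PREFIX):]]

    try:
        return IAM_VAR.sub(substitute, pattern)
    except KeyError:
        return None


def resource_matches(pattern: str, principal_tags: dict[str, str], arn: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    resolved = resolve_resource(pattern, principal_tags)
    if resolved is None:
        return False
    regex = "^" + re.escape(resolved).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn) is not None


def allowed_buckets(pattern: str, principal_tags: dict[str, str],
                    bucket_arns: list[str]) -> list[str]:
    """Buckets the statement would allow s3:ListBucket on for this principal."""
    return [arn for arn in bucket_arns if resource_matches(pattern, principal_tags, arn)]


# Constructed bucket ARNs used to exercise the pattern.
SAMPLE_BUCKETS = [
    "arn:aws:s3:::dev-blue-logs",
    "arn:aws:s3:::dev-blueberry-logs",   # prefix collision with team "blue"
    "arn:aws:s3:::dev-red-logs",
    "arn:aws:s3:::prod-blue-logs",
]
LOOSE_PATTERN = "arn:aws:s3:::dev-${aws:PrincipalTag/team}*"
STRICT_PATTERN = "arn:aws:s3:::dev-${aws:PrincipalTag/team}-*"

if __name__ == "__main__":
    print("problems:", check_rendered(RENDERED_POLICY))
    print("variables:", policy_variables(RENDERED_POLICY))
    for tags in ({"team": "blue"}, {"team": "red"}, {}):
        print(tags, "loose ->", allowed_buckets(LOOSE_PATTERN, tags, SAMPLE_BUCKETS))
        print(tags, "strict ->", allowed_buckets(STRICT_PATTERN, tags, SAMPLE_BUCKETS))
```

The loose pattern grants `team=blue` both `dev-blue-logs` and `dev-blueberry-logs`; the strict pattern grants only `dev-blue-logs`, and a principal with no `team` tag gets nothing under either pattern. `check_rendered` is the piece to run against the real plan output: if it reports an unconsumed `$${`, the document did not pass through Terraform's template engine (for example, it was pasted directly into the console), and the IAM variable will never be evaluated.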