第 6 章:IAM 權限設定
Reference Link
IAM User
IAM User
resource "aws_iam_user" "lb" {
name = "loadbalancer"
path = "/system/"
tags = {
tag-key = "tag-value"
}
}
resource "aws_iam_access_key" "lb" {
user = aws_iam_user.lb.name
}
data "aws_iam_policy_document" "lb_ro" {
statement {
effect = "Allow"
actions = ["ec2:Describe*"]
resources = ["*"]
}
}
resource "aws_iam_user_policy" "lb_ro" {
name = "test"
user = aws_iam_user.lb.name
policy = data.aws_iam_policy_document.lb_ro.json
}
IAM Policy
IAM Policy
resource "aws_iam_user_policy" "lb_ro" {
name = "test"
user = aws_iam_user.lb.name
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_user" "lb" {
name = "loadbalancer"
path = "/system/"
}
resource "aws_iam_access_key" "lb" {
user = aws_iam_user.lb.name
}
resource "aws_iam_user" "user" {
name = "test-user"
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = "{ ... policy JSON ... }"
}
resource "aws_iam_user_policy_attachment" "test-attach" {
user = aws_iam_user.user.name
policy_arn = aws_iam_policy.policy.arn
}
IAM role
IAM role
resource "aws_iam_role" "test_role" {
name = "test_role"
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "ec2.amazonaws.com"
}
},
]
})
tags = {
tag-key = "tag-value"
}
}
Example of Using Data Source for Assume Role Policy
data "aws_iam_policy_document" "instance_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
resource "aws_iam_role" "instance" {
name = "instance_role"
path = "/system/"
assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json
}
Example of Exclusive Inline Policies
resource "aws_iam_role" "example" {
name = "yak_role"
assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)
inline_policy {
name = "my_inline_policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["ec2:Describe*"]
Effect = "Allow"
Resource = "*"
},
]
})
}
inline_policy {
name = "policy-8675309"
policy = data.aws_iam_policy_document.inline_policy.json
}
}
data "aws_iam_policy_document" "inline_policy" {
statement {
actions = ["ec2:DescribeAccountAttributes"]
resources = ["*"]
}
}
Example of Removing Inline Policies
resource "aws_iam_role" "example" {
name = "yak_role"
assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)
inline_policy {}
}
Example of Exclusive Managed Policies
resource "aws_iam_role" "example" {
name = "yak_role"
assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)
managed_policy_arns = [aws_iam_policy.policy_one.arn, aws_iam_policy.policy_two.arn]
}
resource "aws_iam_policy" "policy_one" {
name = "policy-618033"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["ec2:Describe*"]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_policy" "policy_two" {
name = "policy-381966"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:HeadBucket"]
Effect = "Allow"
Resource = "*"
},
]
})
}
Example of Removing Managed Policies
resource "aws_iam_role" "example" {
name = "yak_role"
assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json # (not shown)
managed_policy_arns = []
}
IAM role policy
IAM role policy
resource "aws_iam_role_policy" "test_policy" {
name = "test_policy"
role = aws_iam_role.test_role.id
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "ec2.amazonaws.com"
}
},
]
})
}
IAM role attachment
IAM role attachment
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
actions = ["sts:AssumeRole"]
}
}
resource "aws_iam_role" "role" {
name = "test-role"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
data "aws_iam_policy_document" "policy" {
statement {
effect = "Allow"
actions = ["ec2:Describe*"]
resources = ["*"]
}
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = data.aws_iam_policy_document.policy.json
}
resource "aws_iam_role_policy_attachment" "test-attach" {
role = aws_iam_role.role.name
policy_arn = aws_iam_policy.policy.arn
}