amazon-s3 - terraform，s3 存储桶策略

Question

我正在使用这个模块 https://github.com/turnerlabs/terraform-s3-user创建一些 s3 存储桶和相关的 iam 用户。

这很好用:

module "my_bucket" {
  source = "github.com/turnerlabs/terraform-s3-user?ref=v2.1"

  bucket_name = "my-bucket"

  tag_team          = "developers"
  tag_contact-email = "xxxxx"
  tag_application   = "xxxxx"
  tag_environment   = "prod"
  tag_customer      = "xxxxx"
}

现在我想修复此模块创建的 s3 存储桶的默认策略。

terrafom show 给我看这个:

module.my_bucket.aws_s3_bucket_policy.bucket_policy:
  id = my-bucket
  bucket = my-bucket
  policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::____________:user/srv_my-bucket"
      },
      "Action": [ "s3:*" ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

我应该如何修改我的 .tf 以具有其他策略？

Answer 1

我喜欢使用 IAM 角色。例如，如果使用 kubernetes，您可以为您的 pod 分配一个 IAM 角色。

下面的基本示例显示了如何向 S3 存储桶授予读取权限。为简单起见对值进行硬编码，但最好使用合适的变量。

resource "aws_iam_role_policy" "my-s3-read-policy" {
  name   = "inline-policy-name-that-will-show-on-aws"
  role   = "some-existing-iam-role-name"
  policy = data.aws_iam_policy_document.s3_read_permissions.json
}


data "aws_iam_policy_document" "s3_read_permissions" {
  statement {
    effect = "Allow"

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
    ]

    resources = ["arn:aws:s3:::my-bucket-1",
                  "arn:aws:s3:::my-bucket-1/*",
                  "arn:aws:s3:::my-bucket-2",
                  "arn:aws:s3:::mybucket-2/*",
    ]
  }
}

您可以按如下方式制定有针对性的计划:

terraform plan -target=aws_iam_role_policy.my-s3-read-policy

哪个会输出:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role_policy.my-s3-read-policy will be created
  + resource "aws_iam_role_policy" "my-s3-read-policy" {
      + id     = (known after apply)
      + name   = "inline-policy-name-that-will-show-on-aws"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::mybucket-2/*",
                          + "arn:aws:s3:::my-bucket-2",
                          + "arn:aws:s3:::my-bucket-1/*",
                          + "arn:aws:s3:::my-bucket-1",
                        ]
                      + Sid      = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role   = "some-existing-iam-role-name"
    }

Plan: 1 to add, 0 to change, 0 to destroy.