amazon-s3 - terraform, s3 bucket policy

Reposted. Author: 行者123. Updated: 2023-12-02 16:55:52

I am using this module https://github.com/turnerlabs/terraform-s3-user to create some S3 buckets and the associated IAM users.

This works fine:

module "my_bucket" {
  source = "github.com/turnerlabs/terraform-s3-user?ref=v2.1"

  bucket_name = "my-bucket"

  tag_team          = "developers"
  tag_contact-email = "xxxxx"
  tag_application   = "xxxxx"
  tag_environment   = "prod"
  tag_customer      = "xxxxx"
}

Now I want to fix the default policy of the S3 bucket created by this module.

terraform show shows me this:

module.my_bucket.aws_s3_bucket_policy.bucket_policy:
  id     = my-bucket
  bucket = my-bucket
  policy = {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::____________:user/srv_my-bucket"
        },
        "Action": [ "s3:*" ],
        "Resource": [
          "arn:aws:s3:::my-bucket",
          "arn:aws:s3:::my-bucket/*"
        ]
      }
    ]
  }

How should I modify my .tf to have a different policy?

Best answer

I like to use IAM roles. For example, if you are using Kubernetes, you can assign an IAM role to your pod.

The basic example below shows how to grant read permissions to S3 buckets. Values are hard-coded for simplicity, but it is better to use suitable variables.

resource "aws_iam_role_policy" "my-s3-read-policy" {
  name   = "inline-policy-name-that-will-show-on-aws"
  role   = "some-existing-iam-role-name"
  policy = data.aws_iam_policy_document.s3_read_permissions.json
}

data "aws_iam_policy_document" "s3_read_permissions" {
  statement {
    effect = "Allow"

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::my-bucket-1",
      "arn:aws:s3:::my-bucket-1/*",
      "arn:aws:s3:::my-bucket-2",
      "arn:aws:s3:::mybucket-2/*",
    ]
  }
}

You can run a targeted plan as follows:

terraform plan -target=aws_iam_role_policy.my-s3-read-policy

which will output:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role_policy.my-s3-read-policy will be created
  + resource "aws_iam_role_policy" "my-s3-read-policy" {
      + id     = (known after apply)
      + name   = "inline-policy-name-that-will-show-on-aws"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::mybucket-2/*",
                          + "arn:aws:s3:::my-bucket-2",
                          + "arn:aws:s3:::my-bucket-1/*",
                          + "arn:aws:s3:::my-bucket-1",
                        ]
                      + Sid      = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role   = "some-existing-iam-role-name"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
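The answer grants access from the role side; the question itself was about the bucket-side policy, where the module's default grants `s3:*` to the service user. The block below is an added example, not code from the question, the answer, or the turnerlabs module. It replaces that blanket grant with a bucket policy that allows only `s3:GetObject` and `s3:ListBucket` to one named role and denies any request that is not sent over TLS. The account ID `111122223333`, the role name `app-reader`, and the resource names are placeholders; `my-bucket` is the bucket name from the question.

```hcl
# Added example: least-privilege bucket policy replacing the module's "s3:*" grant.
# Placeholders (not real values): account 111122223333, role app-reader.

data "aws_iam_policy_document" "bucket_read_only" {
  # Only the application role may read, and only these two actions.
  statement {
    sid    = "AllowReadFromAppRole"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:role/app-reader"] # placeholder
    }

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::my-bucket",
      "arn:aws:s3:::my-bucket/*",
    ]
  }

  # Explicit Deny beats any Allow: reject plaintext HTTP from every principal.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    resources = [
      "arn:aws:s3:::my-bucket",
      "arn:aws:s3:::my-bucket/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "bucket_read_only" {
  bucket = "my-bucket"
  policy = data.aws_iam_policy_document.bucket_read_only.json
}
```

A bucket has exactly one bucket policy, and the module in the question already manages it as `module.my_bucket.aws_s3_bucket_policy.bucket_policy`; a second `aws_s3_bucket_policy` for the same bucket in the root module would overwrite it on every apply and the two would keep flipping. This example therefore assumes the bucket's policy is no longer managed by the module (for instance, the bucket is declared directly rather than through it). As with the answer's role policy, `terraform plan -target=aws_s3_bucket_policy.bucket_read_only` shows the rendered JSON before anything is applied, which is the place to confirm that `s3:*` no longer appears in an Allow statement.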

On amazon-s3 - terraform, s3 bucket policy, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56457420/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号