gpt4 book ai didi

amazon-web-services - 从帐号的 JSON 数组构建 AWS IAM 策略

转载 作者:行者123 更新时间:2023-12-04 01:38:44 34 4
gpt4 key购买 nike

我有一个 AWS 帐号列表,我想动态使用这些帐号来构建 AWS 策略。这是我的例子:

resource "aws_s3_bucket" "splunk-config-bucket" {
bucket = "${var.config_bucket_name}"
force_destroy = true
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "${data.aws_kms_alias.kms_name.arn}"
sse_algorithm = "aws:kms"
}
}
}
tags = {
Product = "Splunk - AWS Config Logs"
Service = "Security"
}

lifecycle_rule {
id = "log"
enabled = true

prefix = "*"

transition {
days = 7
storage_class = "GLACIER"
}

expiration {
days = 14
}
}

policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigAclCheck20150319",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::${var.config_bucket_name}"
},
{
"Sid": "AWSConfigWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*”,
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*",
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*",
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*",
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*",
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*",
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*",
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*",
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*",
"arn:aws:s3:::${var.config_bucket_name}/AWSLogs/123456789/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
POLICY
}

resource "aws_s3_bucket_notification" "configlogs_bucketnotification" {
bucket = "${var.config_bucket_name}"

queue {
queue_arn = "${aws_sqs_queue.splunk_configlogs_sqs_queue.arn}"
events = ["s3:ObjectCreated:*"]
}
}

我在 envs.json 文件中有一个帐号列表,它看起来像这样:

{
"accounts": [
"1234567890",
"0987654321",
"1029384756",
"6574839201",
"0192837465"
]
}

我正在尝试使用 AWS 帐号的动态列表生成策略。我们正试图摆脱硬编码帐号并将其从我们拥有的“集中配置”项目中提取出来。

这是我尝试过的:

变量.tf:

locals {
accounts = jsondecode(file("../configuration/envs.json")).accounts
}

配置.tf

            "Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": ${jsonencode(formatlist("arn:aws:s3:::${var.config_bucket_name}/AWSLogs/%s/*", local.accounts))}
"Condition": {

当我运行“terraform plan”时,这会给我以下输出:

Error: "policy" contains an invalid JSON: invalid character '"' after object key:value pair

on central_config.tf line 2, in resource "aws_s3_bucket" "splunk-config-bucket":
2: resource "aws_s3_bucket" "splunk-config-bucket" {

我也试过这个:

变量.tf

locals {
accounts = jsondecode(file("../configuration/envs.json")).accounts
}

output "example" {
value = jsonencode(formatlist("arn:aws:s3:::${var.config_bucket_name}/AWS/AWSLogs/%s/*", local.accounts))
}

配置.tf

            "Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": ${local.accounts.output.value}
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}

这是我得到的输出:

Error: Unsupported attribute

on central_config.tf line 60, in resource "aws_s3_bucket" "splunk-config-bucket":
60: "Resource": ${local.accounts.output.value}
|----------------
| local.accounts is tuple with 35 elements

This value does not have any attributes.

谢谢,

最佳答案

您可以使用 file function 加载文件,然后通过使用 jsondecode 解码 JSON 提取您需要的帐户列表,然后选择 accounts 键。

举个例子:

locals {
accounts = jsondecode(file("accounts.json")).accounts
}

output example {
value = local.accounts
}

这将返回以下内容:

example = [
"1234567890",
"0987654321",
"1029384756",
"6574839201",
"0192837465",
]

如果您随后想将其放入您的政策中,您需要使用 formatlist function 将帐户列表传递为单个字符串格式:

output "example" {
value = formatlist("arn:aws:s3:::bucket_name/AWSLogs/%s/*", local.accounts)
}

这个输出:

example = [
"arn:aws:s3:::bucket_name/AWSLogs/1234567890/*",
"arn:aws:s3:::bucket_name/AWSLogs/0987654321/*",
"arn:aws:s3:::bucket_name/AWSLogs/1029384756/*",
"arn:aws:s3:::bucket_name/AWSLogs/6574839201/*",
"arn:aws:s3:::bucket_name/AWSLogs/0192837465/*",
]

如果您仔细观察,Terraform 在列表中使用尾随逗号,这是无效的 JSON,因此会为您的 IAM 策略创建无效的 JSON 结构。为了解决这个问题,我们可以使用 jsonencode 将其重新编码为 JSON:

output "example" {
value = jsonencode(formatlist("arn:aws:s3:::bucket_name/AWSLogs/%s/*", local.accounts))
}

然后输出:

example = ["arn:aws:s3:::bucket_name/AWSLogs/1234567890/*","arn:aws:s3:::bucket_name/AWSLogs/0987654321/*","arn:aws:s3:::bucket_name/AWSLogs/1029384756/*","arn:aws:s3:::bucket_name/AWSLogs/6574839201/*","arn:aws:s3:::bucket_name/AWSLogs/0192837465/*"]

没有尾随逗号。

综上所述,您可以像这样创建 IAM 策略:

locals {
accounts = jsondecode(file("accounts.json")).accounts
}

resource aws_iam_policy policy {
name = "example"
path = "/"

policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ${jsonencode(formatlist("arn:aws:s3:::bucket_name/AWSLogs/%s/*", local.accounts))}
}
]
}
EOF
}

关于amazon-web-services - 从帐号的 JSON 数组构建 AWS IAM 策略,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58449155/

34 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com