#amazon-web-services #amazon-ec2 #terraform #amazon-iam
Question:
I have the IAM policy below for creating EC2 instances with the tag "project:test-project":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowToDescribeAll",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:RegisterImage",
        "ec2:CreateImage",
        "ec2:CopyImage",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DetachVolume",
        "ec2:ModifyImageAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowRunInstancesWithRestrictions",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/project": "test-project"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "project"
          ]
        }
      }
    }
  ]
}
But when I create an EC2 instance with the Terraform resource below:
resource "aws_instance" "test_instance" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = var.instance_machine_type
  key_name                    = var.key_name
  iam_instance_profile        = aws_iam_instance_profile.test_profile.name
  subnet_id                   = var.subnet_id_1
  vpc_security_group_ids      = [var.security_group_id]
  associate_public_ip_address = "true"
  tags = {
    Name        = "test-instance"
    Environment = var.environment
    project     = "test-project"
  }
  lifecycle {
    create_before_destroy = true
  }
  connection {
    type        = "ssh"
    user        = "ubuntu"
    private_key = "${file("./test.pem")}"
    host        = "${self.public_dns}"
  }
  provisioner "file" {
    source      = "run-collector.sh"
    destination = "/home/ubuntu/run-collector.sh"
  }
  provisioner "remote-exec" {
    inline = [
      "chmod +x /home/ubuntu/run-collector.sh",
      "sudo /home/ubuntu/run-collector.sh",
    ]
  }
  provisioner "remote-exec" {
    inline = [
      "sudo curl -O https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb",
      "sudo dpkg -i -E ./amazon-cloudwatch-agent.deb",
      "sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/home/ubuntu/log_agent_config.json -s"
    ]
  }
}
I get the error below:
"DecodedMessage": "{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"AIDA3GKLMDVKBZJXS7XUH","name":"terraform_test_user","arn":"arn:aws:iam::769494097236:user/terraform_test_user"},"action":"ec2:RunInstances","resource":"arn:aws:ec2:ap-south-1:769494097236:key-pair/odm","conditions":{"items":[{"key":"aws:Region","values":{"items":[{"value":"ap-south-1"}]}},{"key":"aws:Service","values":{"items":[{"value":"ec2"}]}},{"key":"aws:Resource","values":{"items":[{"value":"key-pair/odm"}]}},{"key":"aws:Account","values":{"items":[{"value":"769494097236"}]}},{"key":"aws:Type","values":{"items":[{"value":"key-pair"}]}},{"key":"ec2:KeyPairType","values":{"items":[{"value":"rsa"}]}},{"key":"ec2:Region","values":{"items":[{"value":"ap-south-1"}]}},{"key":"aws:ARN","values":{"items":[{"value":"arn:aws:ec2:ap-south-1:769494097236:key-pair/odm"}]}},{"key":"ec2:IsLaunchTemplateResource","values":{"items":[{"value":"false"}]}},{"key":"ec2:KeyPairName","values":{"items":[{"value":"odm"}]}}]}}}"
I can't understand why tagging doesn't work as expected with Terraform, while when I remove the condition from the policy I can create the instance.
My Terraform version is v1.0.4 with the registry.terraform.io/hashicorp/aws v3.53.0 AWS provider.
Comments:
1. "remove the condition from the policy": which condition? The first, the second, or both?
2. @Marcin, when I remove both conditions
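An added illustration, not part of the original thread, of how IAM evaluates the policy above per resource. A single ec2:RunInstances call is authorized separately against every resource it touches (instance, volume, image, subnet, security group, key pair, network interface), and the decoded message on the page shows the evaluation for the key-pair resource with no matched statements. The toy evaluator below models the AWS behaviour that aws:RequestTag/* and aws:TagKeys are only present in the request context for resource types that actually receive tags in the request, so a StringEquals test on aws:RequestTag/project is false for a key pair. It then evaluates the same launch against a split policy in which the tag condition applies only to the tagged resource types, the pattern AWS documents for tag-restricted launches. The set of tagged types, the placeholder image/subnet/security-group identifiers, and the evaluator itself are constructed for this example; the account, region and key-pair ARN are the ones in the error message.

```python
"""Toy per-resource evaluation of ec2:RunInstances against tag-conditioned
IAM policies. Assumption modelled: aws:RequestTag/<key> and aws:TagKeys
exist in the request context only for resource types that receive tags in
the request. This is an illustrative evaluator, not the IAM engine."""
from fnmatch import fnmatchcase

# Resource types (the part before "/" in the ARN) tagged in the constructed
# request below. Constructed assumption for this example.
TAGGED_TYPES = {"instance", "volume"}


def as_list(x):
    return x if isinstance(x, list) else [x]


def resource_type(arn):
    """'arn:aws:ec2:region:acct:key-pair/odm' -> 'key-pair'."""
    return arn.split(":", 5)[5].split("/", 1)[0]


def request_context(arn, request_tags):
    """Condition keys IAM would see for one resource of the launch."""
    ctx = {}
    if resource_type(arn) in TAGGED_TYPES:
        for key, value in request_tags.items():
            ctx[f"aws:RequestTag/{key}"] = value
        ctx["aws:TagKeys"] = sorted(request_tags)
    return ctx


def condition_holds(condition, ctx):
    """The two operators the policy uses. StringEquals on a key absent from
    the context is false; ForAnyValue over an absent (empty) set is false."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            expected = as_list(expected)
            if operator == "StringEquals":
                if ctx.get(key) not in expected:
                    return False
            elif operator == "ForAnyValue:StringEquals":
                if not any(v in expected for v in ctx.get(key, [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def statement_matches(stmt, action, arn, ctx):
    return (any(fnmatchcase(action, a) for a in as_list(stmt["Action"]))
            and any(fnmatchcase(arn, r) for r in as_list(stmt["Resource"]))
            and condition_holds(stmt.get("Condition", {}), ctx))


def evaluate(policy, action, arn, request_tags):
    """Return (allowed, matched_sids) for one resource; Deny overrides Allow."""
    ctx = request_context(arn, request_tags)
    matched = [s for s in policy["Statement"] if statement_matches(s, action, arn, ctx)]
    sids = [s.get("Sid") for s in matched]
    if any(s["Effect"] == "Deny" for s in matched):
        return False, sids
    return any(s["Effect"] == "Allow" for s in matched), sids


def run_instances_result(policy, resources, request_tags):
    """Per-resource allow/deny; the launch succeeds only if all are allowed."""
    return {arn: evaluate(policy, "ec2:RunInstances", arn, request_tags)[0]
            for arn in resources}


TAG_CONDITION = {
    "StringEquals": {"aws:RequestTag/project": "test-project"},
    "ForAnyValue:StringEquals": {"aws:TagKeys": ["project"]},
}
UNTAGGED_RESOURCES = ["arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*::image/*",
                      "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:subnet/*",
                      "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*"]
TAGGED_RESOURCES = ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"]

# Second statement of the policy in the question (the first statement does
# not grant ec2:RunInstances, so it is omitted here).
QUESTION_POLICY = {"Statement": [
    {"Sid": "AllowRunInstancesWithRestrictions", "Effect": "Allow", "Action": ["ec2:*"],
     "Resource": TAGGED_RESOURCES + UNTAGGED_RESOURCES, "Condition": TAG_CONDITION}]}

# Split form: tag condition only on resources that receive tags.
SPLIT_POLICY = {"Statement": [
    {"Sid": "RunTaggedInstances", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": TAGGED_RESOURCES, "Condition": TAG_CONDITION},
    {"Sid": "RunInstancesSupportingResources", "Effect": "Allow",
     "Action": "ec2:RunInstances", "Resource": UNTAGGED_RESOURCES}]}

# Resources of one constructed launch; key-pair ARN from the error message,
# the other identifiers are placeholders.
LAUNCH_RESOURCES = [
    "arn:aws:ec2:ap-south-1:769494097236:instance/*",
    "arn:aws:ec2:ap-south-1:769494097236:volume/*",
    "arn:aws:ec2:ap-south-1::image/ami-placeholder",
    "arn:aws:ec2:ap-south-1:769494097236:subnet/subnet-placeholder",
    "arn:aws:ec2:ap-south-1:769494097236:security-group/sg-placeholder",
    "arn:aws:ec2:ap-south-1:769494097236:key-pair/odm",
]
LAUNCH_TAGS = {"Name": "test-instance", "project": "test-project"}

if __name__ == "__main__":
    for name, policy in (("question policy", QUESTION_POLICY), ("split policy", SPLIT_POLICY)):
        print(name)
        for arn, ok in run_instances_result(policy, LAUNCH_RESOURCES, LAUNCH_TAGS).items():
            print(f"  {'allow' if ok else 'DENY '} {arn}")
```

Running it shows the question policy allowing the instance and volume resources but denying image, subnet, security group and key pair with no matched statement, which is the shape of the decoded message above, while the split policy allows every resource. Which resource types really receive tags at launch depends on the API request the tooling sends, so in practice confirm it the way the questioner did, by decoding the authorization failure message, before deciding which ARNs belong under the tag condition.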