Terraform - 添加第二个 AWS IAM 策略

Terraform - 添加第二个 AWS IAM 策略

我目前有一个 IAM 角色,其附加策略如下:

data aws_iam_policy_document bucket_access {
  statement {
    actions = [
      "s3:AbortMultipartUpload",
      "s3:CreateMultipartUpload",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]

    resources = [
      "arn:aws:s3:::bucket.domain.net/*",
    ]
  }

  statement {
    actions = [
      "s3:CreateMultipartUpload",
      "s3:GetBucketLocation",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
    ]

    resources = [
      "arn:aws:s3:::bucket.domain.net",

    ]
  }
}

resource aws_iam_policy bucket_access {
  description = "Allow instances to write and delete in S3 bucket."
  name_prefix = "bucket_access-"
  policy      = "${data.aws_iam_policy_document.bucket_access.json}"
}

resource aws_iam_role_policy_attachment gitlab_runner_bucket_access {
  role       = "${aws_iam_role.gitlab_runner.name}"
  policy_arn = "${aws_iam_policy.bucket_access.arn}"
}

现在我想要第二个策略,允许 IAM 用户删除不同存储桶中的对象。我在同一个文件中添加了以下内容:

data aws_iam_policy_document bucket_access_with_delete {
  statement {
    actions = [
      "s3:AbortMultipartUpload",
      "s3:CreateMultipartUpload",
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:DeleteObject",
    ]

    resources = [
      "arn:aws:s3:::bucket2.domain.net/*",
    ]
  }

  statement {
    actions = [
      "s3:CreateMultipartUpload",
      "s3:GetBucketLocation",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
    ]

    resources = [
      "arn:aws:s3:::bucket2.domain.net",

    ]
  }
}

resource aws_iam_policy bucket_access_with_delete {
  description = "Allow instances to write and delete in S3 bucket."
  name_prefix = "bucket_access_with_delete-"
  policy      = "${data.aws_iam_policy_document.bucket_access_with_delete.json}"
}

resource aws_iam_role_policy_attachment gitlab_runner_bucket_access_width_delete {
  role       = "${aws_iam_role.gitlab_runner.name}"
  policy_arn = "${aws_iam_policy.bucket_access_with_delete.arn}"
}

它实际上是相同的,但我做了以下更改:

1) 添加了操作“s3:DeleteObject” 2) 将存储桶更改为 bucket2.domain.net 3) 将策略和 arn 的名称更改为 _with_delete

当文件只有第一个时,它可以正常工作。当我添加我的时,它没有通过自动检查,我真的不知道为什么。由于它是远程的,我无法访问实际的调试信息,但这是在 Terraform 中添加第二个策略的正确方法吗?

相关内容