How to import multiple IAM policies into the tfstate file correctly

Problem description

The user is trying to automate importing multiple AWS IAM policies and IAM roles into the tfstate file with a shell script. When importing the IAM policies, each import seems to overwrite the result of the previous one, and the following error always appears:

│ Error: Invalid index
│
│   on /project/iam_role.tf line 14, in resource "aws_iam_role" "roles":
│   14:         aws_iam_policy.policies["S3FullWithoutDelete"].arn,
│     ├────────────────
│     │ aws_iam_policy.policies is object with 1 attribute "IAMEnableMFA"
│
│ The given key does not identify an element in this collection value.

Here is an example of the command the user tried to run:

terraform import 'aws_iam_policy.policies["IAMEnableMFA"]' arn:aws:iam::XXXXXXXXXXXX:policy/IAMEnableMFA

Here is the configuration in iam_policy.tf:

resource "aws_iam_policy" "policies" {
  for_each = {
    "Billing-Organizations"          = "billing_organizations.json"
    "BillReadOnly"                   = "bill_readonly.json"
    "AccountAndTaxsettings"          = "account_and_tax.json"
    "S3FullWithoutDelete"            = "s3_full_without_delete.json"
    "ConsolidatedBillingForMOCB"     = "consolidated_billing_for_mocb.json"
    "Organizations"                  = "organizations.json"
    "CostExplorerAPI"                = "cost_explorer_api.json"
    "Invite_Account_To_Organization" = "invite_account_to_organization.json"
    "IAMEnableMFA"                   = "iam_enabled_mfa.json"
    "OrganizationsReadOnly"          = "organizations_read_only.json"
    "Modify_EC2_RI"                  = "modify_ec2_ri.json"
    "billing-upload-s3-cur"          = "billing_upload_s3_cur.json"
  }
  name   = each.key
  policy = file("${path.module}/policy/${each.value}")
  tags   = var.resource_tags
}

Here is the configuration in iam_role.tf:

resource "aws_iam_role" "roles" {
  for_each = {
    "ADFS-Billing" = {
      "file" = "adfs_billing.json"
      "policy_arns" = [
        aws_iam_policy.policies["Billing-Organizations"].arn,
        aws_iam_policy.policies["Modify_EC2_RI"].arn,
        data.aws_iam_policy.policies["IAMFullAccess"].arn,
        data.aws_iam_policy.policies["Billing"].arn,
        data.aws_iam_policy.policies["ReadOnlyAccess"].arn,
        data.aws_iam_policy.policies["AWSSupportAccess"].arn,
        data.aws_iam_policy.policies["AWSCloudTrail_FullAccess"].arn,
        data.aws_iam_policy.policies["AWSBillingConductorFullAccess"].arn,
        aws_iam_policy.policies["S3FullWithoutDelete"].arn,
        aws_iam_policy.policies["AccountAndTaxsettings"].arn
      ]
    }
   # There are other similar items, but omitted for brevity
  }
  name                = each.key
  assume_role_policy  = file("${path.module}/trust_relationships/${each.value["file"]}")
  managed_policy_arns = each.value["policy_arns"]
  tags                = var.resource_tags
}

The user wants to know how to import all of these policies into the tfstate file correctly.

Solution

Note: the steps below depend on the Terraform and AWS provider versions in use, and you should back up the state before making any changes.

Option 1

Based on the configuration you provided, the imports are not overwriting each other. The error message states that aws_iam_policy.policies is currently an object with one attribute, "IAMEnableMFA": that is the policy you already imported, and it is still in the state. The next import fails because every terraform import run evaluates the whole configuration against the current state, and the for_each map of aws_iam_role.roles (iam_role.tf line 14) references aws_iam_policy.policies["S3FullWithoutDelete"].arn, an instance that is not in the state yet. Import all of the policies with the following steps:
1. Make sure Terraform is installed and AWS credentials are configured. Import only reads from IAM, so the credentials need read access to the policies and roles (for example iam:GetPolicy, iam:GetPolicyVersion, iam:GetRole, iam:ListAttachedRolePolicies); write access is only needed at apply time.
2. Back up the state before importing anything, for example with terraform state pull > backup.tfstate, so that a wrong import can be undone with terraform state rm on the affected address, or by restoring the backup with terraform state push backup.tfstate.
3. Break the dependency on not-yet-imported policies for the duration of the policy imports. With Terraform 1.5 or later, write one import block per policy and role (to = the instance address, id = the ARN) in a file such as import.tf and run terraform plan instead of individual terraform import commands: all imports are planned together, so the references in iam_role.tf resolve against the complete set of policies. With older versions, temporarily comment out the aws_iam_role "roles" block while importing the policies, then restore it and import the role the same way; terraform import only imports the one address you give it, but the rest of the configuration has to evaluate cleanly on every run.
4. In the Terraform project directory, run terraform init and then one import command per instance, importing the role last, after all of the policies it references are in the state. Single-quote each resource address so that the double quotes around the key reach Terraform; unquoted, the shell strips them and Terraform rejects the address:
terraform init
terraform import 'aws_iam_policy.policies["Billing-Organizations"]' arn:aws:iam::XXXXXXXXXXXX:policy/Billing-Organizations
terraform import 'aws_iam_policy.policies["BillReadOnly"]' arn:aws:iam::XXXXXXXXXXXX:policy/BillReadOnly
terraform import 'aws_iam_policy.policies["AccountAndTaxsettings"]' arn:aws:iam::XXXXXXXXXXXX:policy/AccountAndTaxsettings
terraform import 'aws_iam_policy.policies["S3FullWithoutDelete"]' arn:aws:iam::XXXXXXXXXXXX:policy/S3FullWithoutDelete
terraform import 'aws_iam_policy.policies["ConsolidatedBillingForMOCB"]' arn:aws:iam::XXXXXXXXXXXX:policy/ConsolidatedBillingForMOCB
terraform import 'aws_iam_policy.policies["Organizations"]' arn:aws:iam::XXXXXXXXXXXX:policy/Organizations
terraform import 'aws_iam_policy.policies["CostExplorerAPI"]' arn:aws:iam::XXXXXXXXXXXX:policy/CostExplorerAPI
terraform import 'aws_iam_policy.policies["Invite_Account_To_Organization"]' arn:aws:iam::XXXXXXXXXXXX:policy/Invite_Account_To_Organization
terraform import 'aws_iam_policy.policies["IAMEnableMFA"]' arn:aws:iam::XXXXXXXXXXXX:policy/IAMEnableMFA
terraform import 'aws_iam_policy.policies["OrganizationsReadOnly"]' arn:aws:iam::XXXXXXXXXXXX:policy/OrganizationsReadOnly
terraform import 'aws_iam_policy.policies["Modify_EC2_RI"]' arn:aws:iam::XXXXXXXXXXXX:policy/Modify_EC2_RI
terraform import 'aws_iam_policy.policies["billing-upload-s3-cur"]' arn:aws:iam::XXXXXXXXXXXX:policy/billing-upload-s3-cur
terraform import 'aws_iam_role.roles["ADFS-Billing"]' arn:aws:iam::XXXXXXXXXXXX:role/ADFS-Billing

Replace XXXXXXXXXXXX with your AWS account ID.
5. After these commands, the policies and the role are in your tfstate file. Run terraform plan before anything else: an imported instance should show no changes, or only the attributes you expect to differ (such as tags). A plan that wants to destroy or replace an IAM policy or role means the configuration does not match the imported object (for example a description or path set on the real policy but not in the .tf file); fix the configuration rather than applying that plan.
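The script below is an added example, not code from the original question or answer. It generates the import targets for the two for_each resources on this page from their map keys, relying on the fact that both resources set name = each.key, so the IAM name equals the key. With the argument block it emits Terraform 1.5+ import blocks (write them to import.tf and run terraform plan, so every import is planned together and the references in iam_role.tf resolve); with cmd it emits terraform import commands with the resource address correctly single-quoted for the shell, for older versions. The account ID 123456789012 in the usage lines is a placeholder, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: generate Terraform import targets for the for_each'd
# aws_iam_policy.policies and aws_iam_role.roles resources shown above.
# Assumes name == for_each key (both resources set name = each.key) and a
# 12-digit account id in ACCOUNT_ID. Function names are this example's own.

# Keys copied from the for_each maps on this page.
POLICY_KEYS='Billing-Organizations BillReadOnly AccountAndTaxsettings
S3FullWithoutDelete ConsolidatedBillingForMOCB Organizations CostExplorerAPI
Invite_Account_To_Organization IAMEnableMFA OrganizationsReadOnly
Modify_EC2_RI billing-upload-s3-cur'
ROLE_KEYS='ADFS-Billing'

# Accept only a 12-digit account id; anything else must not end up in an ARN.
valid_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; esac ;;
    *) return 1 ;;
  esac
}

# Instance address, with the key in the double quotes Terraform expects.
addr() { printf '%s["%s"]' "$1" "$2"; }

# IAM ARN for a policy or role of the given name.
iam_arn() { printf 'arn:aws:iam::%s:%s/%s' "$1" "$2" "$3"; }

# Pre-1.5 route: one CLI command per instance. The address is wrapped in
# single quotes so the shell hands the double quotes through to Terraform.
import_cmd() {  # import_cmd ACCOUNT policy|role RESOURCE KEY
  printf "terraform import '%s' %s\n" "$(addr "$3" "$4")" "$(iam_arn "$1" "$2" "$4")"
}

# Terraform >= 1.5 route: import blocks, all resolved in a single plan.
import_block() {  # import_block ACCOUNT policy|role RESOURCE KEY
  printf 'import {\n  to = %s\n  id = "%s"\n}\n\n' "$(addr "$3" "$4")" "$(iam_arn "$1" "$2" "$4")"
}

# Emit every policy and role target in the requested form (cmd or block).
# Roles come last so the CLI route imports them after their policies.
emit_all() {  # emit_all ACCOUNT cmd|block
  valid_account_id "$1" || { echo "emit_all: invalid account id '$1'" >&2; return 1; }
  for k in $POLICY_KEYS; do "import_$2" "$1" policy aws_iam_policy.policies "$k"; done
  for k in $ROLE_KEYS;   do "import_$2" "$1" role   aws_iam_role.roles     "$k"; done
}

# Usage (placeholder account id; nothing runs until ACCOUNT_ID is set):
#   ACCOUNT_ID=123456789012 sh import.sh block > import.tf && terraform plan
#   ACCOUNT_ID=123456789012 sh import.sh cmd | sh
if [ -n "${ACCOUNT_ID:-}" ]; then
  emit_all "$ACCOUNT_ID" "${1:-cmd}"
fi
```

Review the generated import.tf or command list before running it: the script derives ARNs purely from the map keys, so a key that does not match the real IAM name produces an import that fails with a not-found error rather than importing the wrong object, and the account-id check stops a typo from producing ARNs in another account.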

Option 2

If the imports still fail after Option 1, check the inputs before looking further. Confirm each ARN with the AWS CLI: aws iam list-policies --scope Local --query 'Policies[].Arn' lists the customer-managed policies in the account, and aws iam get-role --role-name ADFS-Billing shows the role's ARN. Confirm that the policy names really equal the for_each keys used in the resource addresses (iam_policy.tf sets name = each.key, so they must match exactly, including case). Confirm that the AWS credentials in use belong to the same account as the ARNs and are allowed to read those resources. If the error persists, include the exact Terraform and AWS provider versions and the full error output when asking for further help, so that the problem can be reproduced.
