问题描述
正在尝试使用shell脚本自动化导入多个AWS IAM策略和IAM角色到tfstate文件。当尝试导入IAM策略时,似乎导入的状态会覆盖先前的导入结果,并且总是出现以下错误:
| Error: Invalid index | |
| │ on /project/iam_role.tf line 14, in resource "aws_iam_role" "roles": | |
| │ 14: aws_iam_policy.policies["S3FullWithoutDelete"].arn, | |
| │ ├──────────────── | |
| │ │ aws_iam_policy.policies is object with 1 attribute "IAMEnableMFA" | |
| │ │ The given key does not identify an element in this collection value. |
以下是用户尝试运行的命令示例:
terraform import 'aws_iam_policy.policies["IAMEnableMFA"]' arn:aws:iam::XXXXXXXXXXXX:policy/IAMEnableMFA
以下是iam_policy.tf文件的配置:
| resource "aws_iam_policy" "policies" { | |
| for_each = { | |
| "Billing-Organizations" = "billing_organizations.json" | |
| "BillReadOnly" = "bill_readonly.json" | |
| "AccountAndTaxsettings" = "account_and_tax.json" | |
| "S3FullWithoutDelete" = "s3_full_without_delete.json" | |
| "ConsolidatedBillingForMOCB" = "consolidated_billing_for_mocb.json" | |
| "Organizations" = "organizations.json" | |
| "CostExplorerAPI" = "cost_explorer_api.json" | |
| "Invite_Account_To_Organization" = "invite_account_to_organization.json" | |
| "IAMEnableMFA" = "iam_enabled_mfa.json" | |
| "OrganizationsReadOnly" = "organizations_read_only.json" | |
| "Modify_EC2_RI" = "modify_ec2_ri.json" | |
| "billing-upload-s3-cur" = "billing_upload_s3_cur.json" | |
| } | |
| name = each.key | |
| policy = file("${path.module}/policy/${each.value}") | |
| tags = var.resource_tags | |
| } |
以下是iam_role.tf文件的配置:
| resource "aws_iam_role" "roles" { | |
| for_each = { | |
| "ADFS-Billing" = { | |
| "file" = "adfs_billing.json" | |
| "policy_arns" = [ | |
| aws_iam_policy.policies["Billing-Organizations"].arn, | |
| aws_iam_policy.policies["Modify_EC2_RI"].arn, | |
| data.aws_iam_policy.policies["IAMFullAccess"].arn, | |
| data.aws_iam_policy.policies["Billing"].arn, | |
| data.aws_iam_policy.policies["ReadOnlyAccess"].arn, | |
| data.aws_iam_policy.policies["AWSSupportAccess"].arn, | |
| data.aws_iam_policy.policies["AWSCloudTrail_FullAccess"].arn, | |
| data.aws_iam_policy.policies["AWSBillingConductorFullAccess"].arn, | |
| aws_iam_policy.policies["S3FullWithoutDelete"].arn, | |
| aws_iam_policy.policies["AccountAndTaxsettings"].arn | |
| ] | |
| } | |
| # There are other similar items, but omitted for brevity | |
| } | |
| name = each.key | |
| assume_role_policy = file("${path.module}/trust_relationships/${each.value["file"]}") | |
| managed_policy_arns = each.value["policy_arns"] | |
| tags = var.resource_tags | |
| } |
用户想知道如何正确导入所有这些策略到tfstate文件中。
解决方案
请注意以下操作注意版本差异及修改前做好备份。
方案1
根据您提供的配置文件,您可以使用以下步骤正确导入所有这些策略到tfstate文件中:
1. 确保您已经安装了Terraform,并且已经配置了AWS凭证。
2. 在您的Terraform项目目录中,创建一个新的.tf文件,例如import.tf。
3. 在import.tf文件中,添加以下内容:
| # 导入IAM策略 | |
| data "aws_iam_policy" "policies" { | |
| for_each = aws_iam_policy.policies | |
| name = each.key | |
| arn = each.value | |
| } | |
| # 导入IAM角色 | |
| data "aws_iam_role" "roles" { | |
| for_each = aws_iam_role.roles | |
| name = each.key | |
| arn = each.value | |
| } |
- 在命令行中,导航到您的Terraform项目目录,并运行以下命令导入策略和角色:
| terraform init | |
| terraform import aws_iam_policy.policies["Billing-Organizations"] arn:aws:iam::XXXXXXXXXXXX:policy/Billing-Organizations | |
| terraform import aws_iam_policy.policies["BillReadOnly"] arn:aws:iam::XXXXXXXXXXXX:policy/BillReadOnly | |
| terraform import aws_iam_policy.policies["AccountAndTaxsettings"] arn:aws:iam::XXXXXXXXXXXX:policy/AccountAndTaxsettings | |
| terraform import aws_iam_policy.policies["S3FullWithoutDelete"] arn:aws:iam::XXXXXXXXXXXX:policy/S3FullWithoutDelete | |
| terraform import aws_iam_policy.policies["ConsolidatedBillingForMOCB"] arn:aws:iam::XXXXXXXXXXXX:policy/ConsolidatedBillingForMOCB | |
| terraform import aws_iam_policy.policies["Organizations"] arn:aws:iam::XXXXXXXXXXXX:policy/Organizations | |
| terraform import aws_iam_policy.policies["CostExplorerAPI"] arn:aws:iam::XXXXXXXXXXXX:policy/CostExplorerAPI | |
| terraform import aws_iam_policy.policies["Invite_Account_To_Organization"] arn:aws:iam::XXXXXXXXXXXX:policy/Invite_Account_To_Organization | |
| terraform import aws_iam_policy.policies["IAMEnableMFA"] arn:aws:iam::XXXXXXXXXXXX:policy/IAMEnableMFA | |
| terraform import aws_iam_policy.policies["OrganizationsReadOnly"] arn:aws:iam::XXXXXXXXXXXX:policy/OrganizationsReadOnly | |
| terraform import aws_iam_policy.policies["Modify_EC2_RI"] arn:aws:iam::XXXXXXXXXXXX:policy/Modify_EC2_RI | |
| terraform import aws_iam_policy.policies["billing-upload-s3-cur"] arn:aws:iam::XXXXXXXXXXXX:policy/billing-upload-s3-cur | |
| terraform import aws_iam_role.roles["ADFS-Billing"] arn:aws:iam::XXXXXXXXXXXX:role/ADFS-Billing |
请确保将XXXXXXXXXXXX替换为您的AWS账户ID。
5. 运行以上命令后,Terraform将会将这些策略和角色导入到您的tfstate文件中。
方案2
如果方案1无法解决您的问题,请提供更多关于您的环境和问题的详细信息,以便我们能够更好地帮助您解决问题。
根据您提供的信息,方案1应该可以正确导入策略和角色。如果您仍然遇到问题,请确保您的IAM策略和角色的ARN是正确的,并且您的AWS凭证具有足够的权限来导入这些资源。如果问题仍然存在,请提供更多关于您的环境和问题的详细信息,以便我们能够更好地帮助您解决问题。
正文完