Problem description
I am trying to use a shell script to automate importing multiple AWS IAM policies and IAM roles into the tfstate file. When importing the IAM policies, the imported state seems to overwrite the result of the previous import, and the following error always appears:
Error: Invalid index
│ on /project/iam_role.tf line 14, in resource "aws_iam_role" "roles":
│ 14: aws_iam_policy.policies["S3FullWithoutDelete"].arn,
│ ├────────────────
│ │ aws_iam_policy.policies is object with 1 attribute "IAMEnableMFA"
│ │ The given key does not identify an element in this collection value.
Here is an example of the command the user tried to run:
terraform import 'aws_iam_policy.policies["IAMEnableMFA"]' arn:aws:iam::XXXXXXXXXXXX:policy/IAMEnableMFA
Here is the configuration in the iam_policy.tf file:
resource "aws_iam_policy" "policies" {
  for_each = {
    "Billing-Organizations"          = "billing_organizations.json"
    "BillReadOnly"                   = "bill_readonly.json"
    "AccountAndTaxsettings"          = "account_and_tax.json"
    "S3FullWithoutDelete"            = "s3_full_without_delete.json"
    "ConsolidatedBillingForMOCB"     = "consolidated_billing_for_mocb.json"
    "Organizations"                  = "organizations.json"
    "CostExplorerAPI"                = "cost_explorer_api.json"
    "Invite_Account_To_Organization" = "invite_account_to_organization.json"
    "IAMEnableMFA"                   = "iam_enabled_mfa.json"
    "OrganizationsReadOnly"          = "organizations_read_only.json"
    "Modify_EC2_RI"                  = "modify_ec2_ri.json"
    "billing-upload-s3-cur"          = "billing_upload_s3_cur.json"
  }
  name   = each.key
  policy = file("${path.module}/policy/${each.value}")
  tags   = var.resource_tags
}
Here is the configuration in the iam_role.tf file:
resource "aws_iam_role" "roles" {
  for_each = {
    "ADFS-Billing" = {
      "file" = "adfs_billing.json"
      "policy_arns" = [
        aws_iam_policy.policies["Billing-Organizations"].arn,
        aws_iam_policy.policies["Modify_EC2_RI"].arn,
        data.aws_iam_policy.policies["IAMFullAccess"].arn,
        data.aws_iam_policy.policies["Billing"].arn,
        data.aws_iam_policy.policies["ReadOnlyAccess"].arn,
        data.aws_iam_policy.policies["AWSSupportAccess"].arn,
        data.aws_iam_policy.policies["AWSCloudTrail_FullAccess"].arn,
        data.aws_iam_policy.policies["AWSBillingConductorFullAccess"].arn,
        aws_iam_policy.policies["S3FullWithoutDelete"].arn,
        aws_iam_policy.policies["AccountAndTaxsettings"].arn
      ]
    }
    # There are other similar items, but omitted for brevity
  }
  name                = each.key
  assume_role_policy  = file("${path.module}/trust_relationships/${each.value["file"]}")
  managed_policy_arns = each.value["policy_arns"]
  tags                = var.resource_tags
}
The user wants to know how to correctly import all of these policies into the tfstate file.
Solution
Note: mind version differences for the following operations, and back up before making changes.
Option 1
Based on the configuration files you provided, you can use the following steps to correctly import all of these policies into the tfstate file:
1. Make sure Terraform is installed and your AWS credentials are configured.
2. In your Terraform project directory, create a new .tf file, for example import.tf.
3. Add the following content to import.tf:
# Import IAM policies
# Iterates over the instances of the aws_iam_policy resource; each.value is the
# policy object, so its ARN is each.value.arn. The data source accepts either
# arn or name, not both.
data "aws_iam_policy" "policies" {
  for_each = aws_iam_policy.policies
  arn      = each.value.arn
}
# Import IAM roles
# The aws_iam_role data source is looked up by name only; it has no arn argument.
data "aws_iam_role" "roles" {
  for_each = aws_iam_role.roles
  name     = each.key
}
4. On the command line, navigate to your Terraform project directory and run the following commands to import the policies and roles:
terraform init
terraform import 'aws_iam_policy.policies["Billing-Organizations"]' arn:aws:iam::XXXXXXXXXXXX:policy/Billing-Organizations
terraform import 'aws_iam_policy.policies["BillReadOnly"]' arn:aws:iam::XXXXXXXXXXXX:policy/BillReadOnly
terraform import 'aws_iam_policy.policies["AccountAndTaxsettings"]' arn:aws:iam::XXXXXXXXXXXX:policy/AccountAndTaxsettings
terraform import 'aws_iam_policy.policies["S3FullWithoutDelete"]' arn:aws:iam::XXXXXXXXXXXX:policy/S3FullWithoutDelete
terraform import 'aws_iam_policy.policies["ConsolidatedBillingForMOCB"]' arn:aws:iam::XXXXXXXXXXXX:policy/ConsolidatedBillingForMOCB
terraform import 'aws_iam_policy.policies["Organizations"]' arn:aws:iam::XXXXXXXXXXXX:policy/Organizations
terraform import 'aws_iam_policy.policies["CostExplorerAPI"]' arn:aws:iam::XXXXXXXXXXXX:policy/CostExplorerAPI
terraform import 'aws_iam_policy.policies["Invite_Account_To_Organization"]' arn:aws:iam::XXXXXXXXXXXX:policy/Invite_Account_To_Organization
terraform import 'aws_iam_policy.policies["IAMEnableMFA"]' arn:aws:iam::XXXXXXXXXXXX:policy/IAMEnableMFA
terraform import 'aws_iam_policy.policies["OrganizationsReadOnly"]' arn:aws:iam::XXXXXXXXXXXX:policy/OrganizationsReadOnly
terraform import 'aws_iam_policy.policies["Modify_EC2_RI"]' arn:aws:iam::XXXXXXXXXXXX:policy/Modify_EC2_RI
terraform import 'aws_iam_policy.policies["billing-upload-s3-cur"]' arn:aws:iam::XXXXXXXXXXXX:policy/billing-upload-s3-cur
terraform import 'aws_iam_role.roles["ADFS-Billing"]' arn:aws:iam::XXXXXXXXXXXX:role/ADFS-Billing
Make sure to replace XXXXXXXXXXXX with your AWS account ID.
5. After running the commands above, Terraform will import these policies and roles into your tfstate file.
Option 2
If Option 1 does not solve your problem, please provide more details about your environment and the problem so that we can help you better.
Based on the information you provided, Option 1 should import the policies and roles correctly. If you still run into problems, make sure that the ARNs of your IAM policies and roles are correct and that your AWS credentials have sufficient permissions to import these resources. If the problem persists, please provide more details about your environment and the problem so that we can help you better.
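As an added example that is not part of the original question or answer, the following POSIX shell script generates import instructions for every key of the two for_each maps shown in the question, so that no address has to be typed (and quoted) by hand. The import block syntax requires Terraform 1.5 or later; ACCOUNT_ID is a placeholder, and the key lists are copied from iam_policy.tf and iam_role.tf above.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: generate Terraform
# import instructions for every key of the for_each maps in iam_policy.tf and
# iam_role.tf. ACCOUNT_ID is a placeholder to be replaced with the real account.
ACCOUNT_ID="${ACCOUNT_ID:-XXXXXXXXXXXX}"
POLICY_KEYS="Billing-Organizations BillReadOnly AccountAndTaxsettings S3FullWithoutDelete
ConsolidatedBillingForMOCB Organizations CostExplorerAPI Invite_Account_To_Organization
IAMEnableMFA OrganizationsReadOnly Modify_EC2_RI billing-upload-s3-cur"
ROLE_KEYS="ADFS-Billing"

# Terraform 1.5+: emit one import block per key of a for_each resource.
# $1 = resource address prefix (e.g. aws_iam_policy.policies)
# $2 = ARN resource kind (policy or role), $3 = account ID, rest = map keys.
# All blocks are resolved within a single plan, so expressions such as
# aws_iam_policy.policies["S3FullWithoutDelete"].arn in the role map see every
# policy rather than only the ones already written to state.
gen_import_blocks() {
  prefix="$1"; kind="$2"; acct="$3"; shift 3
  for key in "$@"; do
    printf 'import {\n  to = %s["%s"]\n  id = "arn:aws:iam::%s:%s/%s"\n}\n' \
      "$prefix" "$key" "$acct" "$kind" "$key"
  done
}

# Older Terraform: emit one correctly quoted CLI command per key. The single
# quotes stop the shell from stripping the double quotes around the map key,
# which would otherwise turn the address into aws_iam_policy.policies[IAMEnableMFA].
gen_import_cmds() {
  prefix="$1"; kind="$2"; acct="$3"; shift 3
  for key in "$@"; do
    printf "terraform import '%s[\"%s\"]' arn:aws:iam::%s:%s/%s\n" \
      "$prefix" "$key" "$acct" "$kind" "$key"
  done
}

# Word splitting of the key lists is intended here.
# shellcheck disable=SC2086
gen_import_blocks aws_iam_policy.policies policy "$ACCOUNT_ID" $POLICY_KEYS
gen_import_blocks aws_iam_role.roles role "$ACCOUNT_ID" $ROLE_KEYS
```

Redirect the output to a file such as imports.tf and run terraform plan to review the imports before applying. On Terraform versions without import blocks, call gen_import_cmds with the same arguments and run the printed commands instead.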