[Terraform] 05 - IAM: group, user, role, and ec2 init
Go to: https://www.udemy.com/course/terraform-cn/learn/lecture/21404200#questions
1. Group and Users
[iam.tf file]
Create a group named "administrators".
# group definition
resource "aws_iam_group" "administrators" {
  name = "administrators"
}
Because the attribute is groups (plural), a list is used.
resource "aws_iam_policy_attachment" "administrators-attach" {
  name       = "administrators-attach"
  groups     = [aws_iam_group.administrators.name]
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
Define two users.
# user
resource "aws_iam_user" "admin1" {
  name = "admin1"
}

resource "aws_iam_user" "admin2" {
  name = "admin2"
}
Bind the group to the two users.
resource "aws_iam_group_membership" "administrators-users" {
  name  = "administrators-users"
  users = [
    aws_iam_user.admin1.name,
    aws_iam_user.admin2.name,
  ]
  group = aws_iam_group.administrators.name
}
The output is only a reminder. It matters because aws_iam_policy_attachment manages the policy's attachments exclusively: destroying it detaches AdministratorAccess from every user, group and role in the account, not just the ones declared here.
output "warning" {
  value = "WARNING: make sure you're not using the AdministratorAccess policy for other users/groups/roles. If this is the case, don't run terraform destroy, but manually unlink the created resources"
}
2. A role for operating on S3
Exercise: create an EC2 instance and a matching role, and use the role to operate on an S3 bucket.
The role grants the EC2 instance permission to operate on S3.
Definition in instance.tf.
resource "aws_instance" "example" {
  ami           = var.AMIS[var.AWS_REGION]
  instance_type = "t2.micro"

  # the VPC subnet
  subnet_id = aws_subnet.main-public-1.id

  # the security group
  vpc_security_group_ids = [aws_security_group.example-instance.id]

  # the public SSH key
  key_name = aws_key_pair.mykeypair.key_name

  # role:
  iam_instance_profile = aws_iam_instance_profile.s3-mybucket-role-instanceprofile.name
}
The instance profile is the object that can be attached to an EC2 instance; it wraps the role.
resource "aws_iam_instance_profile" "s3-mybucket-role-instanceprofile" {
  name = "s3-mybucket-role"
  role = aws_iam_role.s3-mybucket-role.name
}
Define a role policy (the permissions policy); it refers to the role defined below.
# the bucket ARNs in the policy must match the bucket defined in s3.tf
# (a "#" comment inside the heredoc would make the JSON invalid)
resource "aws_iam_role_policy" "s3-mybucket-role-policy" {
  name = "s3-mybucket-role-policy"
  role = aws_iam_role.s3-mybucket-role.id
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket-c29df12312",
        "arn:aws:s3:::mybucket-c29df12312/*"
      ]
    }
  ]
}
EOF
}
Role definition

Define the role itself. Its assume_role_policy is the trust policy: it lets the EC2 service (ec2.amazonaws.com) call sts:AssumeRole, so an instance carrying the profile above can act with this role's permissions.
resource "aws_iam_role" "s3-mybucket-role" {
  name = "s3-mybucket-role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
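The role's two policy documents, checked from a reviewer's side. This is an added example, not code from the course or from iam.tf/instance.tf: the JSON is copied from the aws_iam_role_policy and aws_iam_role resources above (bucket name included), and the checks (wildcard actions and resources in Allow statements, who may assume the role, and a rewrite of s3:* to an explicit action list) are this example's own, not an AWS or Terraform API:

```python
"""Review the two IAM policy documents in this lesson for over-broad grants.

Added example; not code from the course or from iam.tf/instance.tf. The two
JSON documents are copied from the lesson's aws_iam_role_policy and
aws_iam_role resources. The checks are this example's own, not a Terraform
or AWS API.
"""
import fnmatch
import json

# Permissions policy of aws_iam_role_policy.s3-mybucket-role-policy (from the lesson).
S3_ROLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                "Resource": ["arn:aws:s3:::mybucket-c29df12312",
                             "arn:aws:s3:::mybucket-c29df12312/*"]}]}
""")

# Trust (assume-role) policy of aws_iam_role.s3-mybucket-role (from the lesson).
S3_ROLE_TRUST = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Action": "sts:AssumeRole",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Effect": "Allow", "Sid": ""}]}
""")


def _as_list(value):
    """IAM lets Action/Resource/Principal entries be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Return (statement_index, field, value) for each wildcard in an Allow statement.

    "s3:*" counts as an action wildcard even when scoped to one bucket: it
    still includes s3:PutBucketPolicy, s3:PutBucketAcl and s3:DeleteBucket.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "Resource", resource))
    return findings


def trusted_principals(trust_policy):
    """Return the set of principals an Allow statement lets call sts:AssumeRole."""
    principals = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a)
                   for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anyone may assume the role: the trust policy is open
            principals.add("*")
            continue
        for kind in ("Service", "AWS", "Federated"):
            principals.update(_as_list(principal.get(kind)))
    return principals


def tighten_s3_actions(policy, allowed_actions):
    """Return a copy of policy with every "s3:*" grant replaced by allowed_actions."""
    tightened = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    for stmt in tightened.get("Statement", []):
        if "s3:*" in _as_list(stmt.get("Action")):
            stmt["Action"] = sorted(allowed_actions)
    return tightened


if __name__ == "__main__":
    print("over-broad grants:", find_wildcard_grants(S3_ROLE_POLICY))
    print("may assume role:", sorted(trusted_principals(S3_ROLE_TRUST)))
    print(json.dumps(tighten_s3_actions(
        S3_ROLE_POLICY, {"s3:ListBucket", "s3:GetObject", "s3:PutObject"}), indent=2))
```

Run against the lesson's documents it reports the s3:* grant in statement 0 and ec2.amazonaws.com as the only principal that may assume the role. The trust policy is as narrow as it should be; the tightened action list is what a review of the permissions policy would normally ask for, since the instance only needs to read and write objects in the bucket.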
Bucket definition

s3.tf: definition of the S3 bucket.
resource "aws_s3_bucket" "b" {
  bucket = "mybucket-c29df12312"
  acl    = "private"

  tags = {
    Name = "mybucket-c29df12312"
  }
}
3. EC2.tf configuration
resource "aws_instance" "example" {
  ami           = var.AMIS[var.AWS_REGION]
  instance_type = "t2.micro"

  # the VPC subnet
  subnet_id = aws_subnet.main-public-1.id

  # the security group
  vpc_security_group_ids = [aws_security_group.allow-ssh.id]

  # the public SSH key
  key_name = aws_key_pair.mykeypair.key_name

  # user data
  user_data = data.template_cloudinit_config.cloudinit-example.rendered # <----
}
4. cloudinit.tf file (initialization)
Each part block is a separate job: here a cloud-config file and a shell script.
The data source's rendered attribute yields the assembled user data that is passed to the instance.
data "template_cloudinit_config" "cloudinit-example" {
  gzip          = false
  base64_encode = false

  part {
    filename     = "init.cfg"
    content_type = "text/cloud-config"
    content      = data.template_file.init-script.rendered
  }

  part {
    content_type = "text/x-shellscript"
    content      = data.template_file.shell-script.rendered
  }
}
As shown below, the templates are read from the scripts/ folder and their variables are filled in.
data "template_file" "init-script" {
  template = file("scripts/init.cfg")
  vars = {
    REGION = var.AWS_REGION
  }
}

data "template_file" "shell-script" {
  template = file("scripts/volumes.sh")
  vars = {
    DEVICE = var.INSTANCE_DEVICE_NAME
  }
}
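What rendered actually produces, as an added Python example rather than the course's Terraform code. It rebuilds the same multipart/mixed MIME document that cloud-init reads (one text/cloud-config part with filename init.cfg, one text/x-shellscript part), applies gzip and base64_encode the way the two data-source arguments do, and parses the result back. The contents of scripts/init.cfg and scripts/volumes.sh are not on the page, so constructed stand-ins are used with ${REGION} and ${DEVICE} already substituted; the 16 KiB figure is EC2's user-data size limit:

```python
"""Reproduce the multipart user data that template_cloudinit_config renders.

Added example; not code from the course or from the Terraform template
provider. The init.cfg and volumes.sh contents below are constructed
stand-ins for the lesson's scripts/ files, which the page does not show.
"""
import base64
import email
import gzip
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-ins for scripts/init.cfg and scripts/volumes.sh (assumed
# contents; the device name stands in for the DEVICE template variable).
INIT_CFG = "#cloud-config\npackage_update: true\npackages:\n  - awscli\n"
VOLUMES_SH = "#!/bin/bash\nmkfs.ext4 /dev/xvdh\nmount /dev/xvdh /data\n"

# Mirrors the two part {} blocks in cloudinit.tf: (content_type, content, filename).
EXAMPLE_PARTS = [
    ("text/cloud-config", INIT_CFG, "init.cfg"),
    ("text/x-shellscript", VOLUMES_SH, None),
]

USER_DATA_LIMIT = 16 * 1024  # EC2 accepts at most 16 KiB of user data


def render_cloudinit(parts, use_gzip=False, base64_encode=False):
    """Return the user_data bytes for the given parts.

    With gzip=False/base64_encode=False (the lesson's settings) this is the
    plain MIME text. gzip without base64 is rejected here: a Terraform string
    attribute cannot carry raw gzip bytes, so the two options go together.
    """
    if use_gzip and not base64_encode:
        raise ValueError("gzip output must also be base64-encoded")
    msg = MIMEMultipart("mixed")
    for content_type, content, filename in parts:
        maintype, subtype = content_type.split("/", 1)
        if maintype != "text":
            raise ValueError(f"unsupported part type: {content_type}")
        part = MIMEText(content, subtype)  # Content-Type: text/<subtype>; charset="us-ascii"
        if filename:
            part.add_header("Content-Disposition", "attachment", filename=filename)
        msg.attach(part)
    data = msg.as_bytes()
    if use_gzip:
        data = gzip.compress(data)
    if base64_encode:
        data = base64.b64encode(data)
    return data


def parse_cloudinit(data, use_gzip=False, base64_encode=False):
    """Undo render_cloudinit: return [(content_type, filename, content), ...]."""
    if base64_encode:
        data = base64.b64decode(data)
    if use_gzip:
        data = gzip.decompress(data)
    msg = email.message_from_bytes(data)
    if not msg.is_multipart():
        raise ValueError("user data is not a multipart document")
    return [
        (part.get_content_type(), part.get_filename(),
         part.get_payload(decode=True).decode("utf-8"))
        for part in msg.get_payload()
    ]


def within_user_data_limit(data):
    """EC2 applies its limit to the bytes handed over as user_data."""
    return len(data) <= USER_DATA_LIMIT


if __name__ == "__main__":
    rendered = render_cloudinit(EXAMPLE_PARTS)
    print(rendered.decode())
    for content_type, filename, _ in parse_cloudinit(rendered):
        print(content_type, filename)
```

The plain rendering is what ends up in user_data with the lesson's gzip = false / base64_encode = false. Keeping the parts small matters: anything over 16 KiB is rejected by EC2, which is the usual reason to switch both options on for larger scripts.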
End.