■ Introduction
https://dk521123.hatenablog.com/entry/2023/04/09/104204
https://dk521123.hatenablog.com/entry/2023/04/11/152801
https://dk521123.hatenablog.com/entry/2023/04/08/220411
This post continues the three above. This time I had to create an IAM Role, so here are my notes.
Table of contents
【1】Official documentation
 Supplement: Data Sources / Resource
【2】Samples
 Example 1: IAM Role / IAM Policy x 2
【1】Official documentation
aws_iam_role
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles
aws_iam_policy
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
aws_iam_role_policy
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy
aws_iam_policy_document
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
aws_iam_policy_attachment
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment
Supplement: Data Sources / Resource
Data Sources
* Reference information that is defined outside of Terraform
* Read-only
https://qiita.com/masato930/items/f287ef1d088c160a514b
Resource
* A resource that Terraform manages
* For AWS resources created with Terraform, use this one
【2】Samples
Example 1: IAM Role / IAM Policy x 2
```hcl
# IAM Role
resource "aws_iam_role" "demo-your-iam-role" {
  name        = "your-iam-role"
  description = "This is a sample."
  # managed_policy_arns is deprecated since AWS provider v5; aws_iam_role_policy_attachment is the replacement
  managed_policy_arns = [
    aws_iam_policy.demo_policy_one.arn,
    aws_iam_policy.demo_policy_two.arn,
  ]
  # Trust policy: who may call sts:AssumeRole on this role
  assume_role_policy = <<-EOT
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789001:user/abc1-b-self1234"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "MYACCOUNT_SFCRole=*"
            }
          }
        }
      ]
    }
  EOT
  # Note: StringEquals compares literally, so the "*" above is not a wildcard;
  # put the exact external ID the caller presents here (StringLike would be needed for patterns).
  tags = {
    Name = "your-iam-role"
  }
}

# IAM Policy
# Ex1: read-only access to one S3 bucket
resource "aws_iam_policy" "demo_policy_one" {
  name        = "your-iam-policy-01"
  description = "This is a demo policy for S3"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowS3BucketReadonly" # Sid belongs inside the statement, not at the top level
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:GetObjectVersion",
          "s3:GetBucketLocation",
          "s3:ListBucket",
        ]
        # S3 ARNs have empty region and account fields: arn:aws:s3:::bucket
        Resource = [
          "arn:aws:s3:::your-s3-bucket/*",
          "arn:aws:s3:::your-s3-bucket",
        ]
      },
    ]
  })
}

# Ex2: use of one KMS key
resource "aws_iam_policy" "demo_policy_two" {
  name        = "your-iam-policy-02" # policy names are unique per account, so this must differ from Ex1
  path        = "/"
  description = "This is a demo policy for KMS"
  policy = jsonencode({
    Version = "2012-10-17"
    # jsonencode takes an object, so the statement is a list element, not a `statement {}` block
    Statement = [
      {
        Sid    = "AllowUseOfTheKey"
        Effect = "Allow"
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey",
        ]
        # Placeholder: the ARN of the KMS key this role may use (KMS actions cannot target an S3 bucket ARN)
        Resource = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"
      },
    ]
  })
}
```
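The same role and two policies, written with the aws_iam_policy_document Data Source from the documentation list above instead of hand-written JSON, and with one aws_iam_role_policy_attachment per policy instead of managed_policy_arns. This is an added example, not code from the original post; the input variables trusted_principal_arn, external_id, bucket_name and kms_key_arn are hypothetical and must be supplied by the caller. Because the data source renders the JSON at plan time, a typo in a key such as "Statement" or a malformed ARN fails at terraform plan rather than at IAM.

```hcl
# Hypothetical inputs (placeholders; supply real values via tfvars)
variable "trusted_principal_arn" { type = string } # principal allowed to assume the role
variable "external_id" { type = string }           # exact external ID the caller must present
variable "bucket_name" { type = string }
variable "kms_key_arn" { type = string }

# Trust policy as a Data Source: read-only, rendered to JSON at plan time
data "aws_iam_policy_document" "assume_role" {
  statement {
    sid     = "AllowAssumeRoleWithExternalId"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.trusted_principal_arn]
    }

    # StringEquals is an exact match, so the external ID is given in full (no "*")
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

# Read-only access to one bucket (bucket ARN for ListBucket, object ARN for GetObject*)
data "aws_iam_policy_document" "s3_readonly" {
  statement {
    sid    = "AllowS3BucketReadonly"
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketLocation",
      "s3:ListBucket",
    ]
    resources = [
      "arn:aws:s3:::${var.bucket_name}",
      "arn:aws:s3:::${var.bucket_name}/*",
    ]
  }
}

# Use of one KMS key; the resource is the key ARN, not a bucket
data "aws_iam_policy_document" "kms_use" {
  statement {
    sid    = "AllowUseOfTheKey"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = [var.kms_key_arn]
  }
}

# Resources: the managed policies and the role Terraform creates
resource "aws_iam_policy" "s3_readonly" {
  name   = "your-iam-policy-01"
  policy = data.aws_iam_policy_document.s3_readonly.json
}

resource "aws_iam_policy" "kms_use" {
  name   = "your-iam-policy-02"
  policy = data.aws_iam_policy_document.kms_use.json
}

resource "aws_iam_role" "demo" {
  name               = "your-iam-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  tags               = { Name = "your-iam-role" }
}

# One attachment per policy (replaces managed_policy_arns, deprecated in AWS provider v5)
resource "aws_iam_role_policy_attachment" "s3_readonly" {
  role       = aws_iam_role.demo.name
  policy_arn = aws_iam_policy.s3_readonly.arn
}

resource "aws_iam_role_policy_attachment" "kms_use" {
  role       = aws_iam_role.demo.name
  policy_arn = aws_iam_policy.kms_use.arn
}
```

Running terraform plan shows the rendered JSON for each data source, which is a convenient place to check that the trust policy names only the intended principal and that each policy's resources are scoped to one bucket and one key before anything is applied.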
Related articles
Terraform ~ Environment Setup ~
https://dk521123.hatenablog.com/entry/2023/04/05/000224
Terraform ~ AWS S3 ~
https://dk521123.hatenablog.com/entry/2023/04/09/104204
Terraform ~ AWS Secrets Manager ~
https://dk521123.hatenablog.com/entry/2023/04/11/152801
Terraform ~ AWS Glue ~
https://dk521123.hatenablog.com/entry/2023/04/08/220411
Terraform ~ Docker ~
https://dk521123.hatenablog.com/entry/2023/04/10/193239
Terraform ~ Datadog ~
https://dk521123.hatenablog.com/entry/2023/05/12/000000
Handling the error "Error assuming AWS_ROLE"
https://dk521123.hatenablog.com/entry/2022/11/25/175912
Snowflake ~ Storage Integration ~
https://dk521123.hatenablog.com/entry/2022/06/29/221037
IAM ~ Introduction ~
https://dk521123.hatenablog.com/entry/2017/02/26/231046
IAM ~ Basics ~
https://dk521123.hatenablog.com/entry/2022/07/03/000000