循环遍历 IAM 用户的 ARN,以传递给 aws_lakeformation_permissions。

huangapple go评论66阅读模式
英文:

Looping through iam user arn's to pass to aws_lakeformation_permissions

问题

我正在定义湖泊形成权限,我想循环遍历所有属于管理员和安全IAM组的用户,并将它们作为以下方式传递到主体部分:

resource "aws_lakeformation_permissions" "example" {
  for_each = data.aws_iam_users.users
  principal   = "从管理员IAM组获取的IAM用户ARN列表"
  permissions = ["CREATE_TABLE", "ALTER", "DROP"]

  database {
    name       = aws_glue_catalog_database.example.name
    catalog_id = "110376042874"
  }
}

我查看了 Terraform 的文档,以使用数据源,但不确定如何引用特定的IAM组:

data "aws_iam_users" "users" {}

我明白我需要使用for_each,但不太确定如何获取属于IAM组"admin"和"security"的IAM用户ARN列表。是否不可能通过数据源实现这一点?

我尝试使用了这个数据源:https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_users

英文:

I am defining lake formation permissions and I wanted to loop through all user's that are part of the admin and security IAM Group and pass them in the principal section as follows :

resource "aws_lakeformation_permissions" "example" {
  for_each = data.aws_iam_users.users
  principal   = "A LIST OF IAM USER ARNS FROM ADMIN IAM GROUP"
  permissions = ["CREATE_TABLE", "ALTER", "DROP"]

  database {
    name       = aws_glue_catalog_database.example.name
    catalog_id = "110376042874"
  }
}

I have looked at the following documentation on terraform to make use of the data source but am not sure how to reference a specific IAM Group within this :

data "aws_iam_users" "users" {}

I understand I need to make use of for_each but not entirely sure of how to obtain the list of IAM User arns that are part of the IAM Group admin and security. Is it not possible to do this via the data source

data "aws_iam_users" "users" {}

I have tried to make use of this data source : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_users

答案1

得分: 0

这里是翻译好的部分:

  1. 使用 aws_iam_group 而不是 aws_iam_users,因为后者无法为您提供按组列出用户的列表。
  2. for_each 可以循环遍历一组字符串或一个映射。您需要使用 { for ... } 循环将 data.aws_iam_group.admin.users 对象列表转换为映射。更多信息请查看这里 - https://developer.hashicorp.com/terraform/language/expressions/for#result-types
英文:

Here you go:

data "aws_iam_group" "admin" {
  group_name = "admin"
}

data "aws_iam_group" "security" {
  group_name = "security"
}

resource "aws_lakeformation_permissions" "example" {
  for_each = { for usr in concat(data.aws_iam_group.admin.users, data.aws_iam_group.security.users): usr.user_name => usr.arn }
  principal   = each.value
  permissions = ["CREATE_TABLE", "ALTER", "DROP"]

  database {
    name       = aws_glue_catalog_database.example.name
    catalog_id = "110376042874"
  }
}
  1. Use aws_iam_group instead of aws_iam_users because the latter cannot give you a list of users by group.
  2. for_each can loop over a set of strings or a map. You have to use { for ... } loop to transform data.aws_iam_group.admin.users list of objects into a map. More about it here - https://developer.hashicorp.com/terraform/language/expressions/for#result-types.

huangapple
  • 本文由 发表于 2023年3月7日 23:12:30
  • 转载请务必保留本文链接:https://go.coder-hub.com/75663766.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定