英文:
Looping through iam user arn's to pass to aws_lakeformation_permissions
问题
我正在定义湖泊形成权限,我想循环遍历所有属于管理员和安全IAM组的用户,并将它们作为以下方式传递到主体部分:
resource "aws_lakeformation_permissions" "example" {
for_each = data.aws_iam_users.users
principal = "从管理员IAM组获取的IAM用户ARN列表"
permissions = ["CREATE_TABLE", "ALTER", "DROP"]
database {
name = aws_glue_catalog_database.example.name
catalog_id = "110376042874"
}
}
我查看了 Terraform 的文档,以使用数据源,但不确定如何引用特定的IAM组:
data "aws_iam_users" "users" {}
我明白我需要使用for_each
,但不太确定如何获取属于IAM组"admin"和"security"的IAM用户ARN列表。是否不可能通过数据源实现这一点?
我尝试使用了这个数据源:https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_users
英文:
I am defining lake formation permissions and I wanted to loop through all user's that are part of the admin and security IAM Group and pass them in the principal section as follows :
resource "aws_lakeformation_permissions" "example" {
for_each = data.aws_iam_users.users
principal = "A LIST OF IAM USER ARNS FROM ADMIN IAM GROUP"
permissions = ["CREATE_TABLE", "ALTER", "DROP"]
database {
name = aws_glue_catalog_database.example.name
catalog_id = "110376042874"
}
}
I have looked at the following documentation on terraform to make use of the data source but am not sure how to reference a specific IAM Group within this :
data "aws_iam_users" "users" {}
I understand I need to make use of for_each but not entirely sure of how to obtain the list of IAM User arns that are part of the IAM Group admin and security. Is it not possible to do this via the data source
data "aws_iam_users" "users" {}
I have tried to make use of this data source : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_users
答案1
得分: 0
这里是翻译好的部分:
- 使用
aws_iam_group
而不是aws_iam_users
,因为后者无法为您提供按组列出用户的列表。 for_each
可以循环遍历一组字符串或一个映射。您需要使用{ for ... }
循环将data.aws_iam_group.admin.users
对象列表转换为映射。更多信息请查看这里 - https://developer.hashicorp.com/terraform/language/expressions/for#result-types。
英文:
Here you go:
data "aws_iam_group" "admin" {
group_name = "admin"
}
data "aws_iam_group" "security" {
group_name = "security"
}
resource "aws_lakeformation_permissions" "example" {
for_each = { for usr in concat(data.aws_iam_group.admin.users, data.aws_iam_group.security.users): usr.user_name => usr.arn }
principal = each.value
permissions = ["CREATE_TABLE", "ALTER", "DROP"]
database {
name = aws_glue_catalog_database.example.name
catalog_id = "110376042874"
}
}
- Use
aws_iam_group
instead ofaws_iam_users
because the latter cannot give you a list of users by group. for_each
can loop over a set of strings or a map. You have to use{ for ... }
loop to transformdata.aws_iam_group.admin.users
list of objects into a map. More about it here - https://developer.hashicorp.com/terraform/language/expressions/for#result-types.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论