Terraform：AWS Redshift IAM角色

Question

我试图设置将有权访问群集的红移群集和IAM角色。我正在使用terraform。根据documentation我需要创建一个服务角色并将AmazonS3ReadOnlyAccess策略附加到它。我有以下的配置在我terraform脚本：

resource "aws_iam_role" "my_admin_role" { 
    name = "my-role" 
    policy = <<EOF 
{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Action": [ 
     "s3:Get*", 
     "s3:List*", 
     "redshift:*" 
     ], 
     "Resource": "*" 
    } 
    ] 
} 
EOF 
} 

但是这给了我一个错误：

错误：

* aws_iam_role.my_admin_role: "assume_role_policy": required field is not set 
    * aws_iam_role.my_admin_role: : invalid or unknown key: policy 

如何设置红移一个服务的角色？

Answer 1

你混的资源资源资源的aws_iam_role

resource "aws_iam_role" "test_role" { 
    name = "test_role" 

    assume_role_policy = <<EOF 
{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Action": "sts:AssumeRole", 
     "Principal": { 
     "Service": "ec2.amazonaws.com" 
     }, 
     "Effect": "Allow", 
     "Sid": "" 
    } 
    ] 
} 
EOF 
} 

样品使用的aws_iam_role和aws_iam_role_policy

使用范例aws_iam_role_policy

resource "aws_iam_role_policy" "test_policy" { 
    name = "test_policy" 
    role = "${aws_iam_role.test_role.id}" 

    policy = <<EOF 
{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Action": [ 
     "ec2:Describe*" 
     ], 
     "Effect": "Allow", 
     "Resource": "*" 
    } 
    ] 
} 
EOF 
}