Terraform每次重新创建aws_iam_access_key

Question

我有一个Terraform模块，它为我的CI环境创建要发布到ECR的用户。

resource "aws_iam_user" "continuous-deployment" {
  name = "continuous-deployment"
  path = "/system/"
}

resource "aws_iam_access_key" "continuous-deployment" {
  user    = "${aws_iam_user.continuous-deployment.name}"
  pgp_key = "${var.pgp_key}"
}

resource "aws_iam_user_policy" "continuous-deployment" {
  name = "continuous-deployment"
  user = "${aws_iam_user.continuous-deployment.name}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetRepositoryPolicy",
          "ecr:DescribeRepositories",
          "ecr:ListImages",
          "ecr:DescribeImages",
          "ecr:BatchGetImage",
          "ecr:InitiateLayerUpload",
          "ecr:UploadLayerPart",
          "ecr:CompleteLayerUpload",
          "ecr:PutImage",
          "ecr:GetLoginToken"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

output "aws_access_key_id" {
  value = "${aws_iam_access_key.continuous-deployment.id}"
}

output "aws_secret_access_key" {
  value = "${aws_iam_access_key.continuous-deployment.encrypted_secret}"
}

我遇到的问题是，在每个terraform apply上，Terraform希望删除并重新创建这些资源，即使它们没有更改。

不幸的是，我不知道为什么会发生这种情况，也找不到有类似情况的人。想法？

Answer 1

这通常发生在一些IAM策略或s3策略定义中。

当与terraform plan/apply一起运行时，它会导出需要重新创建的一些资源，并在一行中列出策略更改，这样您就无法轻松识别这些更改。

请使用terraform-landscape将地形计划输出重定向到它，并获得经过良好排序的输出。然后，您应该很容易地识别出需要修复的部分。

gem install terraform_landscape

terraform plan ... | landscape