aws_iam_policy与aws_iam_role_policy的区别

Question

我有一个aws_iam_role，我想给它添加一个策略。通常，我会用aws_iam_role创建一个策略，并将其附加到aws_iam_role_policy_attachment的角色中。

然而，我看到了一些使用aws_iam_role_policy的文档，在我看来，这些文档似乎也在做同样的事情。

我是正确的，还是有细微的不同，我错过了？

Answer 1

区别是管理策略和内联策略

创建aws_iam_policy时，这是一个托管策略，可以重用。

​

​

创建aws_iam_role_policy时，这是一个内联策略

​

​

对于给定的角色，政策资源与使用aws_iam_role资源inline_policy参数不兼容。当使用该参数和此资源时，两者都将尝试管理角色的内联策略，Terraform将显示出永久的不同。

复制上述状态的代码

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}
resource "aws_iam_role" "role" {
  name = "test-role1"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}