如何为ek假设策略处理列表

Question

作为我们升级的一部分，我有两个ek集群。我想要处理假设策略，这样它就可以访问两个ek集群。在同一个AWS帐户中的两个集群。

我希望我的政策看起来像下面的政策。这样，我们就不会更新任何角色，而只是假设策略来处理两个集群。

locals.tf

  eks_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyyyyyyyyy",
        "Federated": "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyyyyyyyyy"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxxxxxx:sub": "system:serviceaccount:%s:%s",
          "oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxxxxx:sub": "system:serviceaccount:%s:%s"
        }
      }
    }
  ]
}
EOF

发射器=“工作启动器”

Role.tf

resource "aws_iam_role" "launcher" {
  name               = local.Launcher
  assume_role_policy = format(local.eks_policy, "my-namepsace", local.Launcher)
  tags = {
    terraform = "true"
    owner     = "stg"
  }
}

所以我试着在locals.tf上这样做

  count = length(var.federated)

      eks_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/${join(",",${element(var.federated, count.index)})}",
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "oidc.eks.us-east-1.amazonaws.com/id/${join(",", ${element(var.federated, count.index)})}:sub": "system:serviceaccount:%s:%s"
            }
          }
        }
      ]
    }

但是我得到了一个错误，因为计数不能在locals.tf中使用，有人能帮我吗？

Update2:

我们怎么能得到这样的东西？

"Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/xxxxxxxxxxxxx:sub": "system:serviceaccount:ihr-system:ihr-system-external-dns18",
          "oidc.eks.us-east-1.amazonaws.com/id/yyyyyyyyyyyyy:sub": "system:serviceaccount:ihr-system:ihr-system-external-dns"
        }
      }

我试过这个，

联邦=“

    Condition : {
      "StringEquals" : {
        join("",[for oidc in local.federated:"oidc.eks.us-east-1.amazonaws.com/id/${oidc}:sub:","system:serviceaccount:%s:%s"])
    }

语法错误接近，本地预期和另一个错误得到'，‘或'}’预期got‘“系统:服务帐户.”

for oidc in local.federated

Answer 1

Terraform 格式化函数要求每个占位符都有一个参数。从文件中：

该规范是一个字符串，它包括使用%字符引入的格式化谓词。然后，函数调用必须为规范中的每个动词序列增加一个参数。只要每个给定的参数都可转换为格式动词所需的类型，这些谓词就会与连续的参数匹配，并按指示格式化。

尽管在您的例子中是相同的局部变量，但是您需要提供四个参数：

format(local.eks_policy, "my-namepsace", local.Launcher, "my-namepsace", local.Launcher)

根据用例，还可以考虑定义具有配置的对象列表，并使用循环构建策略语句，以便准备最终字符串。

更新1

动态生成的示例可能如下所示，其中角色可以由变量local.params中的任何帐户承担。

locals {
  # key = account ID, value could be whatever
  params = {
    "1111" = { foo = "bar" },
    "2222" = { x = "y" }
  }

  assume_role_str = jsonencode({
    # skipped beginning for brevity
    Effect = "Allow",
    Principal = {
      Federated: [ for account in keys(local.params): "arn:aws:iam::11111111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/:${account}" ]
    }
  })
}