Thursday, November 26, 2020

Terraform Modularizing

To improve code reusability and manageability, DevOps engineers are modularizing their code. 

Dependency Inversion

Depth of Modules

How to pass parameters between modules 

Tuesday, November 24, 2020

Terraform: using a template to render a policy

 data "aws_caller_identity" "current" {

}

# Allow the AWS Config role to deliver logs to configured S3 Bucket.
# Derived from IAM Policy document found at https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
data "template_file" "aws_config_policy" {
# Policy document granting AWS Config the bucket checks and the PutObject it
# needs for delivery. The heredoc is a template_file template, so every
# "${...}" that must survive into the rendered JSON is written as "$${...}"
# here; those names are resolved from `vars` below, not from Terraform scope.
# NOTE(review): the document carries no "Principal" element. That is fine
# if `rendered` is attached to the IAM role itself; if it is applied as the
# S3 bucket policy (the use the linked AWS page describes), a Principal
# restricted to the Config service is required — confirm how the caller
# consumes data.template_file.aws_config_policy.rendered.
template = <<JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Action": "s3:GetBucketAcl",
"Resource": "$${bucket_arn}"
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "$${bucket_arn}"
},
{
"Sid": "AWSConfigBucketDelivery",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "$${resource}",
"Condition": {
"StringLike": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
JSON

# Values substituted for the escaped placeholders in the template above.
vars = {
# ARN of the delivery bucket. The partition comes from data.aws_partition
# so the ARN is correct outside the default partition as well.
# NOTE(review): data "aws_partition" "current" is not declared in this
# listing; it must be defined elsewhere in the configuration or the plan
# will fail on an undeclared resource.
bucket_arn = format("arn:%s:s3:::%s", data.aws_partition.current.partition, var.config_logs_bucket)
# Object ARN pattern Config may write to: only the AWSLogs/<account>/Config/
# path of this account under the optional prefix. The ternary inserts the
# "/" separator only when a prefix is set, so an empty prefix does not
# yield a double slash in the key.
resource = format(
"arn:%s:s3:::%s%s%s/AWSLogs/%s/Config/*",
data.aws_partition.current.partition,
var.config_logs_bucket,
var.config_logs_prefix == "" ? "" : "/",
var.config_logs_prefix,
data.aws_caller_identity.current.account_id,
)
}
}