文章/答案/技术大牛

发布

社区首页 >问答首页 >如何使用Terraform传递AssumeRole并将SSM文档与EC2关联

问如何使用Terraform传递AssumeRole并将SSM文档与EC2关联
EN

Stack Overflow用户

提问于 2021-10-25 18:14:54

回答 1查看 742关注 0票数 3

我正在尝试将一个SSM文档(它将一个linux与AD域连接起来)与一个EC2实例相关联。

我在联想中发现了以下错误-

aws_ssm_association.rhel: Creating...
╷
│ Error: Error creating SSM association: ValidationException: The assume role is invalid.
│       status code: 400, request id: 3e2e23f0-da9e-4d0d-947f-2f121aa653e9
│ 
│   with aws_ssm_association.rhel,
│   on ssm.tf line 10, in resource "aws_ssm_association" "rhel":
│   10: resource "aws_ssm_association" "rhel" {

这是我的地形密码-

main.tf

provider "aws" {
  region              = "us-west-2"
  allowed_account_ids = ["1234"]

  assume_role {
    role_arn = "arn:aws:iam::1234:role/my-role"
  }
}

terraform {
  required_version = "= 1.0.9"
}

ec2.tf

resource "aws_key_pair" "rhel" {
  key_name_prefix = "rhel_domain_join_test"
  public_key      = "ssh-rsa AMAMAMMMxxxx"
}

resource "aws_instance" "rhel" {
  ami                    = "ami-0b28dfc7adc3xxx" # us-west-2
  instance_type          = "t3.medium"
  subnet_id              = "subnet-023db3ebxxx"
  iam_instance_profile   = aws_iam_instance_profile.rhel_instance_profile.id
  vpc_security_group_ids = ["sg-077f9f9aceexxxx"]
  key_name               = aws_key_pair.rhel.id

  tags = {
    Name = "w2domainjointestpoc"
  }
}

iam.tf

resource "aws_iam_instance_profile" "rhel_instance_profile" {
  name_prefix = "rhel_instance_profile"
  role        = aws_iam_role.rhel_instance_role.name
}

resource "aws_iam_role" "rhel_instance_role" {
  name_prefix        = "rhel_instance_role"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.ssm_role_policy.json
}

resource "aws_iam_role_policy_attachment" "rhel_instance" {
  role       = aws_iam_role.rhel_instance_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
}

resource "aws_iam_role_policy_attachment" "rhel_instance_2" {
  role       = aws_iam_role.rhel_instance_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_iam_role_policy_attachment" "ec2-attach" {
  role       = aws_iam_role.rhel_instance_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}


resource "aws_iam_policy" "ssm_role_passrole" {
  name_prefix = "ssm_automation"
  description = "My test policy"
  policy      = data.aws_iam_policy_document.ssm_role_passrole.json
}

resource "aws_iam_role_policy_attachment" "ssm_role_passrole" {
  role       = aws_iam_role.rhel_instance_role.name
  policy_arn = aws_iam_policy.ssm_role_passrole.arn
}

data.tf

data "aws_iam_policy_document" "ssm_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com", "ssm.amazonaws.com"]
    }
  }
}


data "aws_iam_policy_document" "ssm_role_passrole" {
  statement {
    actions   = ["iam:GetRole", "iam:PassRole"]
    resources = [aws_iam_role.rhel_instance_role.arn]
  }
}

ssm.tf

resource "aws_ssm_document" "rhel_domain_join_document" {
  name            = "rhel_domain_join_document"
  document_format = "JSON"
  document_type   = "Automation"


  content = file("${path.module}/redhat_linux_launch_automation_document.json")
}

resource "aws_ssm_association" "rhel" {
  name = aws_ssm_document.rhel_domain_join_document.name

  targets {
    key    = "InstanceIds"
    values = [aws_instance.rhel.id]
  }
}

你能帮我理解我在这里错过了什么吗？

谢谢

amazon-web-services

amazon-ec2

terraform

aws-ssm

回答 1

Stack Overflow用户

回答已采纳

发布于 2021-10-29 08:27:59

我认为您混淆了SSM文档类型。对于SSM状态管理器，可以使用三种类型的 of 文档

政策
命令
自动化

您的redhat_linux_launch_automation_document.json是一个自动化。正因为如此，targets块在您的aws_ssm_association.rhel中并不完全适用。targets块仅适用于前两种文档类型或速率控制的Automation。

对于自动化类型的简单执行，您只需在aws_ssm_association.rhel中提供parameters，假设您不需要任何速率或计划的执行控制。而且，您的redhat_linux_launch_automation_document.json没有承担任何角色。

所以应该是：

redhat_linux_launch_automation_document.json (部分视图)

添加角色AutomationAssumeRole

{
    "description": "Launch Automation for RedHat Linux instance",
    "schemaVersion": "0.3",
    "assumeRole": "{{AutomationAssumeRole}}",    
    "parameters": {
        "instanceIds": {
            "type": "StringList",
            "description": "InstanceIds to run launch setup"
        },
        "AutomationAssumeRole": {
          "default": "",
          "type": "String",
          "description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf."
        }        
    },

main.tf

创建SSM角色：

resource "aws_iam_role" "ssm" {
  path               = "/"
  assume_role_policy = <<EOL
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOL

  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"]

  inline_policy {
    name = "my_inline_policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action   = ["iam:PassRole"]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }

}

并最终修复aws_ssm_association.rhel

resource "aws_ssm_association" "rhel" {

  name = aws_ssm_document.rhel_domain_join_document.name
  
  parameters = {
      AutomationAssumeRole = aws_iam_role.ssm.arn
      instanceIds = aws_instance.rhel.id
  }  
}

注意:我的回答只针对你的错误信息。我没有检查您的自动化文档是否实际工作。为此，您可能需要创建新的问题。

票数 1

页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持

原文链接：

https://stackoverflow.com/questions/69712898

复制

相似问题

问如何使用Terraform传递AssumeRole并将SSM文档与EC2关联
EN

回答 1

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何使用Terraform传递AssumeRole并将SSM文档与EC2关联EN

回答 1

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何使用Terraform传递AssumeRole并将SSM文档与EC2关联
EN