[Terraform] IAM Role - MalformedPolicyDocument: Has prohibited field Resource error
인쥭
2020. 12. 3. 10:37
- The error occurs because the assume-role (trust) policy was omitted when attaching the IAM role to the instance. A role's trust policy must not contain a Resource field, so the permissions policy cannot be reused as assume_role_policy; the two documents have to be written separately.
- Try writing it in the following form:
resource "aws_iam_role" "ec2-role" {
  name               = "default-role"
  // trust policy: who may assume this role (no Resource field allowed here)
  assume_role_policy = data.aws_iam_policy_document.sts_assumerole.json
}

resource "aws_iam_role_policy" "ec2-role-policy" {
  // permissions policy: what the role may do, attached inline to the role
  policy = data.aws_iam_policy_document.least_privilege.json
  role   = aws_iam_role.ec2-role.id
}

resource "aws_iam_instance_profile" "ec2-role-profile" {
  name = "instance-profile"
  role = aws_iam_role.ec2-role.id
}
- The data sources and the EC2 configuration follow:
data "aws_iam_policy_document" "sts_assumerole" {
  statement {
    sid    = "ec2StsAssumeRole"
    effect = "Allow"
    actions = [
      "sts:AssumeRole",
    ]
    // only the EC2 service may assume the role; a trust policy carries a
    // principal instead of a resource
    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
  }
}

data "aws_iam_policy_document" "least_privilege" {
  statement {
    sid    = "DefaultPolicy"
    effect = "Allow"
    actions = [
      "s3:ListAllMyBuckets",
      "s3:ListBucket",
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
    ]
    // "*" grants these actions on every bucket in the account; narrow it to
    // specific bucket ARNs where possible
    resources = [
      "*",
    ]
  }
}

resource "aws_instance" "server" {
  // ... omitted
  iam_instance_profile = aws_iam_instance_profile.ec2-role-profile.id
  // ... rest omitted
}
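As an added example (not code from the post), the following Python script performs the structural check that AWS applies when it rejects a trust policy with "Has prohibited field Resource", so the mistake can be caught before `terraform apply`. The two JSON documents are constructed here to mirror what the `sts_assumerole` and `least_privilege` data sources above render to; the helper names and the wildcard-resource warning are this example's own additions.

```python
"""Pre-apply sanity check for the two kinds of IAM policy JSON a role needs.

A trust policy (assume_role_policy) must name a Principal and must not carry a
Resource; an identity (permissions) policy is the reverse. Feeding the
permissions document into assume_role_policy is exactly what produces
"MalformedPolicyDocument: Has prohibited field Resource".
"""
import json

# Constructed: what data.aws_iam_policy_document.sts_assumerole renders to.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ec2StsAssumeRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"Service": "ec2.amazonaws.com"},
    }],
})

# Constructed: what data.aws_iam_policy_document.least_privilege renders to.
PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DefaultPolicy",
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject",
                   "s3:PutObject", "s3:DeleteObject"],
        "Resource": "*",
    }],
})


def _statements(policy_json):
    """Normalise the Statement element, which may be a single object or a list."""
    stmts = json.loads(policy_json).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json):
    """Problems that would make AWS reject this document as a trust policy."""
    problems = []
    for s in _statements(policy_json):
        sid = s.get("Sid", "<no sid>")
        if "Resource" in s or "NotResource" in s:
            problems.append(f"{sid}: trust policy has prohibited field Resource")
        if "Principal" not in s and "NotPrincipal" not in s:
            problems.append(f"{sid}: trust policy statement has no Principal")
        if not all(a.startswith("sts:") for a in _as_list(s.get("Action", []))):
            problems.append(f"{sid}: trust policy should only grant sts:* actions")
    return problems


def check_permissions_policy(policy_json):
    """Problems with an identity policy: stray Principal, missing Resource, or an
    Allow on the wildcard resource (flagged as a least-privilege warning)."""
    problems = []
    for s in _statements(policy_json):
        sid = s.get("Sid", "<no sid>")
        if "Principal" in s or "NotPrincipal" in s:
            problems.append(f"{sid}: identity policy must not contain Principal")
        if "Resource" not in s and "NotResource" not in s:
            problems.append(f"{sid}: identity policy statement needs Resource")
        if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", [])):
            problems.append(f'{sid}: Allow on Resource "*" is not least privilege')
    return problems


if __name__ == "__main__":
    print("trust policy used correctly:", check_trust_policy(TRUST_POLICY))
    # The misconfiguration behind the post's error: permissions doc as trust doc.
    print("permissions doc passed as trust policy:",
          check_trust_policy(PERMISSIONS_POLICY))
    print("permissions policy review:", check_permissions_policy(PERMISSIONS_POLICY))
```

Run it after `terraform plan` renders the documents (for example via `terraform output` of the `.json` attributes) and wire the two checks into CI; the wildcard warning is the hint to replace `"*"` in `least_privilege` with the specific bucket ARNs the instance actually needs.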