在Terraform中获取IAM用户名 [英] Getting IAM username in terraform

问题描述

我们有许多IAM用户，他们都使用Terraform在EC2上创建自助式基础结构.用户不一定要为其实例设置密钥，因此很难将实例绑定到特定用户.我意识到我们可以深入研究CloudTrail来找出哪些用户正在创建实例，但是用当前IAM用户名标记实例似乎更简单.

We have many IAM users, all creating self-serve infrastructure on EC2 using Terraform. Users don't necessarily set the key for their instances, so it's hard to tie an instance to a particular user. I realize we could dig through CloudTrail to find out which users are creating instances, but it seems like it would be simpler to tag the instances with the current IAM username.

问题是Terraform似乎没有暴露这一点-我可以使用aws_caller_identity或aws_canonical_user_id，但是它们似乎都返回了组织帐户，而不是特定的IAM用户名. Terraform中是否有数据源可以返回创建实例的IAM用户?

The problem is Terraform doesn't appear to expose this - I can use aws_caller_identity or aws_canonical_user_id, but they both appear to return the organization account, not the specific IAM username. Is there a data source in Terraform that will return the IAM user creating the instances?

推荐答案

它看起来像 STS GetCallerId端点，它将能够提供您所需的信息-特别是运行该命令的用户的UserId和Arn.

It looks like aws_caller_identity doesn't actually call the STS GetCallerId endpoint which would be able to provide the information you need - specifically the UserId and the Arn of the user running the command.

相反，它采用了更简单的选项，并仅使用AWS客户端已定义的accountid并仅返回该值.

Instead it takes the simpler option and simply uses the accountid that the AWS client has already defined and simply returns that.

因此，您在这里有几个选择.您可以提出拉取请求，以使aws_caller_identity数据源实际调用STS GetCallerId端点，或者可以使用本地预配器将其脱壳，然后使用它来标记资源.

So you have a couple of options here. You could raise a pull request to have the aws_caller_identity data source actually call the STS GetCallerId endpoint or you could shell out using a local provisioner and use that to tag your resources.

很显然，如果人们在编写Terraform来直接使用Terraform提供的原始资源，那么除了要杀死某些没有标记的东西之外，你不能真正执行此操作，但是仍然存在人们使用别人的UserId或其他东西标记东西的问题.阿恩.

Obviously if people are writing Terraform to directly use the raw resources that Terraform provides then you can't really enforce this other than having something kill anything that's not tagged but that still leaves the issue of people tagging things using someone else's UserId or Arn.

如果相反，您有一堆可供人们使用的模块，那么您可以在创建EC2实例的模块中做类似这样的事情:

If instead you have a bunch of modules that people then source to use those instead then you could do something ugly like this in the modules that create the EC2 instances:

resource "aws_instance" "instance" {
    ami = "ami-123456"
    instance_type = "t2.micro"
    tags {
        Name = "HelloWorld"
    }
    lifecycle {
        ignore_changes = [ "tags.Owner" ]
    }
    provisioner "local-exec" {
        command = <<EOF
owner=`aws sts get-caller-identity --output text --query 'Arn' | cut -d"/" -f2`
aws ec2 create-tags --resources ${self.id} --tags Key=Owner,Value=$${owner}
EOF
    }
}

上述Terraform将正常创建EC2实例，但随后忽略所有者".标签.在创建实例之后，它将运行本地外壳脚本，该脚本为用户获取IAM帐户名称/角色，然后在其中创建一个所有者".标记使用该值的实例.

The above Terraform will create an EC2 instance as normal but then ignore the "Owner" tag. After creating the instance it will run a local shell script that fetches the IAM account name/role for the user and then create an "Owner" tag for the instance using that value.

这篇关于在Terraform中获取IAM用户名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！