AWS leverages a standard JSON Identity and Access Management (IAM)
policy document format across many services to control authorization
to resources and API actions
terraform https://www.terraform.io/docs/providers/aws/r/iam_role_policy.html
resource "aws_iam_role_policy" "s3_policy" { name = "s3_policy" role = "${aws_iam_role.lambda_s3_role.id}" policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::bucket-name"] }, { "Sid": "AllObjectActions", "Effect": "Allow", "Action": "s3:*Object", "Resource": ["arn:aws:s3:::bucket-name/*"] } ] } EOF } resource "aws_iam_role" "lambda_s3_role" { name = "lambda_s3_role" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.
运行环境 terraform -v Terraform v0.12.16 + provider.aws v2.39.0 创建函数 main.js
'use strict' exports.handler = function(event, context, callback) { var response = { statusCode: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' }, body: '<p>Hello world!</p>' } callback(null, response) } zip ../example.zip main.js 上传 awslocal s3api create-bucket --bucket=terraform-serverless-example awslocal s3 cp example.zip s3://terraform-serverless-example/v1.0.0/example.zip 创建资源 lambda.tf
resource "aws_lambda_function" "example" { function_name = "ServerlessExample" # The bucket name as created earlier with "aws s3api create-bucket" s3_bucket = "terraform-serverless-example" s3_key = "v1.
前提条件 配置AWS aws configure list Name Value Type Location ---- ----- ---- -------- profile <not set> None None access_key ****************s-ok shared-credentials-file secret_key ****************-key shared-credentials-file region local config-file ~/.aws/config ~/.aws/config
[default] output = json region = local ~/.aws/credentials
[default] aws_access_key_id = any-id-is-ok aws_secret_access_key = fake-key 启动aws本地服务 localstack start 创建EC2 配置 mkdir ec2 cd ec2 touch ec2.tf ec2.tf
provider "aws" { profile = "default" region = "us-east-1" endpoints { ec2 = "http://localhost:4597" sts = "http://localhost:4592" } } resource "aws_instance" "example" { ami = "ami-2757f631" instance_type = "t2.