Auto-sync: update nexus workspace
This commit is contained in:
59
wiki/entities/TF-State-Bucket-Accessor.md
Normal file
@@ -0,0 +1,59 @@
---
title: "TF State Bucket Accessor"
type: entity
entity_type: product
tags:
- Terraform
- IAM
- S3
- State-Management
- AWS
sources:
- ctp-topic-16-cross-account-terraform-modules.md
last_updated: 2026-05-15
---

## Overview

TF State Bucket Accessor is a dedicated IAM role deployed in the target AWS account that allows only the deployment tool (ECS Deploy Runner) to access the Terraform state files stored in that account's S3 bucket.

## Purpose

Terraform tracks the actual deployed state of infrastructure through a state file. In a cross-account scenario:

- **State file location**: stored in an S3 bucket in the target Workload account
- **Access control problem**: the Shared Account's ECS Deploy Runner needs to read these state files, but granting S3 access directly is a security risk
- **Solution**: create a dedicated IAM role that only specific deployment runners are allowed to Assume

## IAM Policy Design

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<SharedAccount>:role/ecs-deploy-runner-execution-role"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<target-account>-terraform-state/*"
}
]
}
```

## Relationships

- [[ECS-Deploy-Runner]] ← reads_state ← [[TF-State-Bucket-Accessor]]
- [[Cross-account-ECS-Deploy-Runner-Role]] ← sibling_role ← [[TF-State-Bucket-Accessor]]
- [[TerraformState]] ← protected_by ← [[TF-State-Bucket-Accessor]]

## Related Concepts

- [[TerraformState]]: state file management is a core problem of IaC
- [[Assume-Role]]: EDR obtains temporary credentials for this role via Assume Role
- [[Blast-Radius]]: a dedicated role limits the blast radius if credentials leak
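Review bot: the policy block under "IAM Policy Design" does not match the role the text describes. It carries a `Principal` element and grants `s3:GetObject`/`s3:PutObject` directly to `arn:aws:iam::<SharedAccount>:role/ecs-deploy-runner-execution-role`, which is the shape of an S3 bucket policy giving the shared-account role direct access, exactly what the Purpose section calls a security risk. A dedicated role needs two documents: a trust policy whose only action is `sts:AssumeRole` with that principal, and a permissions policy (no `Principal`) carrying the S3 actions. The `Resource` also covers only `arn:aws:s3:::<target-account>-terraform-state/*`; the bucket ARN itself is absent, so the role could not list the bucket, which the Terraform S3 backend does. Suggest splitting the block into the two policies and adding the bucket ARN with `s3:ListBucket` to the permissions policy.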