60 lines
1.7 KiB
Markdown
60 lines
1.7 KiB
Markdown
---
|
||
title: "TF State Bucket Accessor"
|
||
type: entity
|
||
entity_type: product
|
||
tags:
|
||
- Terraform
|
||
- IAM
|
||
- S3
|
||
- State-Management
|
||
- AWS
|
||
sources:
|
||
- ctp-topic-16-cross-account-terraform-modules.md
|
||
last_updated: 2026-05-15
|
||
---
|
||
|
||
## Overview
|
||
|
||
TF State Bucket Accessor 是部署在目标 AWS 账号中的一种专门 IAM 角色,仅允许部署工具(ECS Deploy Runner)访问存储在该账号 S3 桶中的 Terraform 状态文件。
|
||
|
||
## Purpose
|
||
|
||
Terraform 通过状态文件(state file)追踪基础设施的实际部署状态。在跨账号场景中:
|
||
|
||
- **状态文件位置**:存储在目标 Workload 账号的 S3 桶中
|
||
- **访问控制问题**:Shared Account 的 ECS Deploy Runner 需要读取这些状态文件,但直接赋予 S3 访问权限存在安全风险
|
||
- **解决方案**:创建专门的 IAM 角色,仅允许特定的部署执行器 Assume 该角色
|
||
|
||
## IAM Policy Design
|
||
|
||
```json
|
||
{
|
||
"Version": "2012-10-17",
|
||
"Statement": [
|
||
{
|
||
"Effect": "Allow",
|
||
"Principal": {
|
||
"AWS": "arn:aws:iam::<SharedAccount>:role/ecs-deploy-runner-execution-role"
|
||
},
|
||
"Action": [
|
||
"s3:GetObject",
|
||
"s3:PutObject"
|
||
],
|
||
"Resource": "arn:aws:s3:::<target-account>-terraform-state/*"
|
||
}
|
||
]
|
||
}
|
||
```
|
||
|
||
## Relationships
|
||
|
||
- [[ECS-Deploy-Runner]] ← reads_state ← [[TF-State-Bucket-Accessor]]
|
||
- [[Cross-account-ECS-Deploy-Runner-Role]] ← sibling_role ← [[TF-State-Bucket-Accessor]]
|
||
- [[TerraformState]] ← protected_by ← [[TF-State-Bucket-Accessor]]
|
||
|
||
## Related Concepts
|
||
|
||
- [[TerraformState]]:状态文件管理是 IaC 的核心问题
|
||
- [[Assume-Role]]:EDR 通过 Assume Role 获取该角色的临时凭证
|
||
- [[Blast-Radius]]:专门角色限制了凭证泄露时的爆炸半径
|