Managing AWS with Terraform Cloud

This is a write-up of how I connected Terraform Cloud to AWS and manage the account from it, authenticating with OIDC instead of stored access keys.

References

 

Prerequisites

    1. A project and a workspace have already been created in Terraform Cloud.

    2. The code is managed in a VCS (version control system).

Steps

    1. Create an OIDC identity provider.

    2. Create an IAM role.

    3. Register the created IAM role in the workspace variables.

Creating the OIDC identity provider

Create it from the AWS Management Console under IAM > Access management > Identity providers > Add provider, with the provider URL https://app.terraform.io and the audience aws.workload.identity.

Creating the IAM role

The role's trust policy lets the Terraform Cloud OIDC provider assume it, but only for a token whose aud claim is aws.workload.identity and whose sub claim names this organization, project and workspace. The sub pattern ends in run_phase:* so that both plan and apply runs can assume the role; because it contains a wildcard it has to sit under StringLike (IAM's StringEquals compares literally, so a "*" there would never match a real run's run_phase:plan or run_phase:apply).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/app.terraform.io"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "app.terraform.io:aud": "aws.workload.identity"
                },
                "StringLike": {
                    "app.terraform.io:sub": "organization:urushibata-org:project:urushibata-aws-management:workspace:aws-managed-terraform:run_phase:*"
                }
            }
        }
    ]
}
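An offline check of a trust policy like the one above, added here as an example (it is not code from the original post). It parses the policy JSON and flags the mistakes that decide who can assume the role: a Federated principal that is not the app.terraform.io provider, an audience other than aws.workload.identity, a missing sub condition, a sub pattern that wildcards the organization, project or workspace, and a "*" in the sub pattern placed under StringEquals rather than StringLike, which IAM compares literally so the condition never matches a real run. The account ID (123456789012) and the organization, project and workspace names in the embedded sample policies are constructed placeholders.

```python
"""Offline sanity check of an IAM trust policy for Terraform Cloud OIDC federation.

Added example, not code from the original post. The account ID and the
organization/project/workspace names in the sample policies are placeholders.
"""
import json
import re

TFC_HOST = "app.terraform.io"
TFC_AUDIENCE = "aws.workload.identity"

# Shape of the sub claim in a Terraform Cloud workload identity token.
SUB_RE = re.compile(
    r"^organization:(?P<org>[^:]+):project:(?P<project>[^:]+)"
    r":workspace:(?P<workspace>[^:]+):run_phase:(?P<phase>plan|apply|\*)$"
)


def _as_list(value):
    """IAM allows a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json: str) -> list[str]:
    """Return findings for a role trust policy; an empty list means it looks right."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    oidc = [
        s for s in statements
        if s.get("Effect") == "Allow"
        and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action"))
    ]
    if not oidc:
        return ["no Allow statement for sts:AssumeRoleWithWebIdentity"]

    aud_key, sub_key = f"{TFC_HOST}:aud", f"{TFC_HOST}:sub"
    for s in oidc:
        federated = _as_list(s.get("Principal", {}).get("Federated"))
        if not any(arn.endswith(f":oidc-provider/{TFC_HOST}") for arn in federated):
            findings.append(f"Federated principal is not the {TFC_HOST} OIDC provider: {federated}")

        cond = s.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(aud_key)
        if aud != TFC_AUDIENCE:
            findings.append(f"{aud_key} must be pinned with StringEquals to {TFC_AUDIENCE!r}, got {aud!r}")

        # Every sub condition, paired with the operator it sits under.
        subs = [(op, v) for op, kv in cond.items() for v in _as_list(kv.get(sub_key))]
        if not subs:
            findings.append(f"no {sub_key} condition: any workspace in any organization could assume the role")
        for op, pattern in subs:
            if "*" in pattern and op != "StringLike":
                # StringEquals compares literally; '*' is only a wildcard under StringLike.
                findings.append(f"{sub_key} {pattern!r} uses '*' under {op}; only StringLike expands it, "
                                "so this condition never matches a real run")
            m = SUB_RE.match(pattern)
            if m is None:
                findings.append(f"{sub_key} {pattern!r} is not organization:<org>:project:<project>"
                                ":workspace:<ws>:run_phase:<plan|apply|*>")
            elif any("*" in m[g] for g in ("org", "project", "workspace")):
                findings.append(f"{sub_key} {pattern!r} wildcards the organization, project or workspace")
    return findings


def _policy(sub_operator: str) -> str:
    """Constructed sample trust policy; only the operator guarding the sub claim varies."""
    sub = "organization:example-org:project:example-project:workspace:example-ws:run_phase:*"
    condition = {"StringEquals": {f"{TFC_HOST}:aud": TFC_AUDIENCE}}
    condition.setdefault(sub_operator, {})[f"{TFC_HOST}:sub"] = sub
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{TFC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })


# Wildcard under StringEquals: flagged, no run could ever assume the role.
BROKEN_POLICY = _policy("StringEquals")
# Wildcard under StringLike: passes.
FIXED_POLICY = _policy("StringLike")

if __name__ == "__main__":
    for name, policy in (("StringEquals", BROKEN_POLICY), ("StringLike", FIXED_POLICY)):
        print(name, check_trust_policy(policy) or "ok")
```

Run it against the trust policy exported from the console (aws iam get-role prints it as AssumeRolePolicyDocument) before relying on the role; a policy that passes still grants only what the role's permission policies allow, so keep those scoped as well.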

Registering the variables

In the workspace, set the two environment variables Terraform Cloud documents for dynamic AWS credentials: TFC_AWS_PROVIDER_AUTH = true and TFC_AWS_RUN_ROLE_ARN = the ARN of the IAM role created above. On each run Terraform Cloud exchanges its workload identity token for temporary credentials for that role via sts:AssumeRoleWithWebIdentity, so no long-lived AWS access key has to be stored in the workspace.

Running it

Trigger a run in the workspace; the plan should now authenticate to AWS with the assumed role.

Local development

Terraform Cloud holds the state file. When developing locally I wanted to run a plan against the state kept in the cloud, so here is how that works.

Add the organization and workspace names to the terraform block as follows.

terraform {
  cloud {
    organization = "urushibata-org"
    workspaces {
      name = "aws-managed-terraform"
    }
  }
}

I'll log in and try running a plan. Note that terraform login stores the API token in plain text in ~/.terraform.d/credentials.tfrc.json, as the prompt below warns; if you would rather not keep it on disk, Terraform also reads the token from the TF_TOKEN_app_terraform_io environment variable.

$ terraform login
Terraform will request an API token for app.terraform.io using your browser.

If login is successful, Terraform will store the token in plain text in
the following file for use by subsequent commands:
    /home/s-urushibata/.terraform.d/credentials.tfrc.json

Do you want to proceed?
  Only 'yes' will be accepted to confirm.

  Enter a value: yes


---------------------------------------------------------------------------------

Open the following URL to access the tokens page for app.terraform.io:
    https://app.terraform.io/app/settings/tokens?source=terraform-login


---------------------------------------------------------------------------------

Generate a token using your browser, and copy-paste it into this prompt.

Terraform will store the token in plain text in the following file
for use by subsequent commands:
    /home/s-urushibata/.terraform.d/credentials.tfrc.json

Token for app.terraform.io:
  Enter a value:


Retrieved token for user urush1batalala


---------------------------------------------------------------------------------

                                          -
                                          -----                           -
                                          ---------                      --
                                          ---------  -                -----
                                           ---------  ------        -------
                                             -------  ---------  ----------
                                                ----  ---------- ----------
                                                  --  ---------- ----------
   Welcome to Terraform Cloud!                     -  ---------- -------
                                                      ---  ----- ---
   Documentation: terraform.io/docs/cloud             --------   -
                                                      ----------
                                                      ----------
                                                       ---------
                                                           -----
                                                               -


   New to TFC? Follow these steps to instantly apply an example configuration:

   $ git clone https://github.com/hashicorp/tfc-getting-started.git
   $ cd tfc-getting-started
   $ scripts/setup.sh

$ terraform plan
Running plan in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will stop streaming the logs, but will not stop the plan running remotely.

Preparing the remote plan...

The remote workspace is configured to work with configuration at
./environment/mng relative to the target repository.

Terraform will upload the contents of the following directory,
excluding files or directories as defined by a .terraformignore file
at /home/s-urushibata/work/terraform/aws-managed-terraform/.terraformignore (if it is present),
in order to capture the filesystem context the remote workspace expects:
    /home/s-urushibata/work/terraform/aws-managed-terraform

To view this run in a browser, visit:
https://app.terraform.io/app/urushibata-org/aws-managed-terraform/runs/run-AXSufPxmKGuezL13

Waiting for the plan to start...

Terraform v1.5.3
on linux_amd64
Initializing plugins and modules...
module.organization.data.aws_iam_policy_document.region_restriction: Refreshing...
module.organization.data.aws_iam_policy_document.region_restriction: Refresh complete after 0s [id=1127618634]
module.organization.aws_organizations_policy.region_restriction_policy: Refreshing state... [id=p-4kuo19vh]
module.organization.aws_organizations_policy.region_restriction_policy: Drift detected (update)

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are
needed.

------------------------------------------------------------------------

Cost Estimation:

Resources: 0 of 1 estimated
           $0.0/mo +$0.0

Since the source is managed in a VCS, even an accidental apply from the local machine fails with an error, so there is no risk of a local apply bypassing the VCS-driven workflow.

$ terraform apply
╷
│ Error: Apply not allowed for workspaces with a VCS connection
│
│ A workspace that is connected to a VCS requires the VCS-driven workflow to ensure that the VCS remains the single
│ source of truth.
╵