IAM and the Complete Infrastructure
🔥 Vibe Prompt
"Define IAM roles for EC2, ECS and CI/CD. Apply the principle of least privilege and resource-based policies."
IAM Roles
```hcl
# EC2 role - least privilege
resource "aws_iam_role" "ec2" {
  name = "ec2-app-role"

  # Only the EC2 service may assume this role (attached to instances via an instance profile)
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# Read-only access scoped to a single bucket (aws_s3_bucket.assets is defined elsewhere in the course)
resource "aws_iam_role_policy" "ec2_s3" {
  name = "ec2-s3-read"
  role = aws_iam_role.ec2.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["s3:GetObject", "s3:ListBucket"]
      # s3:ListBucket applies to the bucket ARN, s3:GetObject to the objects under it
      Resource = [
        aws_s3_bucket.assets.arn,
        "${aws_s3_bucket.assets.arn}/*"
      ]
    }]
  })
}
```
```hcl
# CI/CD role - assumed by GitHub Actions through OIDC, so no long-lived access keys are stored in GitHub
data "aws_caller_identity" "current" {}

resource "aws_iam_role" "cicd" {
  name = "github-actions-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRoleWithWebIdentity"
      Effect = "Allow"
      Principal = {
        # The GitHub OIDC provider (aws_iam_openid_connect_provider) must already exist in this account
        Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
      }
      Condition = {
        StringEquals = {
          # Accept only tokens minted for STS, and only from the main branch of this one repository.
          # Without the sub condition any GitHub repository could assume this role.
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          "token.actions.githubusercontent.com:sub" = "repo:myorg/myapp:ref:refs/heads/main"
        }
      }
    }]
  })
}
```
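The two roles above are only as safe as the JSON that `jsonencode()` produces, so it is worth checking that output before `terraform apply`. The following is an added example, not code from the course: an offline linter that checks the EC2 permission policy for wildcards and out-of-scope resources, and the GitHub trust policy for a pinned `aud` and `sub`. The policy documents are constructed by hand to mirror the page, and the bucket ARN, account ID and `myorg/myapp` repository are assumptions. A deliberately weak trust policy (no audience check, subject wildcarded to the whole org) is included to show what the checks catch.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"
ASSETS_BUCKET_ARN = "arn:aws:s3:::myapp-assets"  # assumed; the page only references aws_s3_bucket.assets.arn

# What jsonencode() renders for the page's ec2-s3-read inline policy (constructed by hand).
EC2_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [ASSETS_BUCKET_ARN, f"{ASSETS_BUCKET_ARN}/*"],
    }],
}

# The page's GitHub Actions trust policy with both aud and sub pinned (account ID is a placeholder).
CICD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Condition": {"StringEquals": {
            f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
            f"{GITHUB_OIDC}:sub": "repo:myorg/myapp:ref:refs/heads/main",
        }},
    }],
}

# Weak variant, constructed for contrast: no audience check, and the subject is
# wildcarded to every repository in the org, so any repo's workflow could assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:myorg/*"}},
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/condition values; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_permission_policy(policy, allowed_arn):
    """Findings for an identity policy that should touch only allowed_arn and the objects under it."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"statement {i}: wildcard resource")
            elif res != allowed_arn and not res.startswith(allowed_arn + "/"):
                findings.append(f"statement {i}: resource {res!r} is outside {allowed_arn!r}")
    return findings


def lint_github_trust_policy(policy, expected_repo):
    """Findings for an OIDC trust policy that should admit only workflows from expected_repo."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        # Without an aud check a token minted for some other audience is still accepted.
        if equals.get(f"{GITHUB_OIDC}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = _as_list(equals.get(f"{GITHUB_OIDC}:sub")) + _as_list(like.get(f"{GITHUB_OIDC}:sub"))
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository could assume the role")
        for sub in subs:
            if not sub.startswith(f"repo:{expected_repo}:"):
                findings.append(f"statement {i}: sub {sub!r} is not pinned to repo:{expected_repo}")
            elif sub.endswith(":*"):
                findings.append(f"statement {i}: sub {sub!r} admits every branch, tag and pull request")
    return findings


if __name__ == "__main__":
    for name, findings in [
        ("ec2-s3-read", lint_permission_policy(EC2_S3_POLICY, ASSETS_BUCKET_ARN)),
        ("github-actions-role", lint_github_trust_policy(CICD_TRUST_POLICY, "myorg/myapp")),
        ("weak trust policy", lint_github_trust_policy(WEAK_TRUST_POLICY, "myorg/myapp")),
    ]:
        print(name + ":", "OK" if not findings else "\n  " + "\n  ".join(findings))
```

The same functions can be pointed at real output from `terraform show -json` by extracting each role's `assume_role_policy` and inline `policy` strings and parsing them with `json.loads`.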
Complete Infrastructure Architecture
CloudFront (CDN + WAF)
↓
ALB (HTTPS termination)
↓
ECS Fargate (3 containers)
↓
RDS Postgres (Multi-AZ) + ElastiCache Redis
↓
S3 (static files, logs) + ECR (container images)
CI/CD Pipeline
GitHub push → build Docker image → push to ECR → update ECS service → smoke test
↓
IAM role (OIDC, no stored access keys)
AWS Cloud Course Complete! 🎉
- ✅ VPC & EC2
- ✅ RDS & S3
- ✅ ECS & EKS
- ✅ CloudFront & WAF
- ✅ IAM & complete infrastructure
Chapter Summary
- Understand the core concepts and principles
- Master the implementation methods and techniques
- Know the common problems and their solutions
- Be able to apply them to real projects
Further Reading
- Official documentation and API references
- Open-source example projects on GitHub
- Related technical books and courses
- Community discussions and technical blogs