IAM and Full Infrastructure

🔥 Vibe Prompt

"Define IAM roles for EC2, ECS, and CI/CD. Apply the principle of least privilege and resource-based policies."

IAM Roles

# EC2 role: least privilege
resource "aws_iam_role" "ec2" {
  name = "ec2-app-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# An EC2 instance can only pick up a role through an instance profile
resource "aws_iam_instance_profile" "ec2" {
  name = "ec2-app-profile"
  role = aws_iam_role.ec2.name
}

# Read-only access to one bucket (aws_s3_bucket.assets is assumed to be declared elsewhere)
resource "aws_iam_role_policy" "ec2_s3" {
  name = "ec2-s3-read"
  role = aws_iam_role.ec2.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        aws_s3_bucket.assets.arn,
        "${aws_s3_bucket.assets.arn}/*"
      ]
    }]
  })
}

# Account id used to build the OIDC provider ARN below
data "aws_caller_identity" "current" {}

# CI/CD role: GitHub Actions assumes it via OIDC, so no long-lived access keys are stored in the repository.
# Assumes the GitHub OIDC provider is already registered in the account.
resource "aws_iam_role" "cicd" {
  name = "github-actions-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRoleWithWebIdentity"
      Effect = "Allow"
      Principal = {
        Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
      }
      Condition = {
        StringEquals = {
          # Only workflows on the main branch of this one repository...
          "token.actions.githubusercontent.com:sub" = "repo:myorg/myapp:ref:refs/heads/main"
          # ...and only tokens whose audience is AWS STS, so a token minted for another service cannot be replayed here
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
        }
      }
    }]
  })
}
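The prompt asks for ECS roles and resource-based policies, which the snippet above leaves out. The following is an added example, not code from the original page: the two ECS roles, a permissions policy for the CI/CD role, and a bucket policy on the assets bucket. It reuses the page's aws_iam_role.ec2, aws_iam_role.cicd and aws_s3_bucket.assets and assumes the data.aws_caller_identity.current data source is declared alongside them; the "myapp" cluster, service and repository names are placeholders.

```hcl
# Added example (not from the original page). aws_iam_role.ec2, aws_iam_role.cicd,
# aws_s3_bucket.assets and data.aws_caller_identity.current come from the page's
# own configuration; every "myapp" name is a placeholder.

locals {
  account = data.aws_caller_identity.current.account_id
  # Placeholder ARNs for the ECR repository and ECS service the pipeline deploys.
  ecr_repo_arn    = "arn:aws:ecr:*:${local.account}:repository/myapp"
  ecs_service_arn = "arn:aws:ecs:*:${local.account}:service/myapp-cluster/myapp-service"
  # Shared trust policy for both ECS roles.
  ecs_trust = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
      # Confused-deputy guard: only ECS tasks in this account may assume the role.
      Condition = {
        ArnLike      = { "aws:SourceArn" = "arn:aws:ecs:*:${local.account}:*" }
        StringEquals = { "aws:SourceAccount" = local.account }
      }
    }]
  })
}

# Execution role: what the ECS agent itself needs (pull the image, write logs), nothing more.
resource "aws_iam_role" "ecs_task_execution" {
  name               = "myapp-ecs-task-execution-role"
  assume_role_policy = local.ecs_trust
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
  role       = aws_iam_role.ecs_task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Task role: the application's runtime identity, kept separate from the execution role.
resource "aws_iam_role" "ecs_task" {
  name               = "myapp-ecs-task-role"
  assume_role_policy = local.ecs_trust
}

resource "aws_iam_role_policy" "ecs_task" {
  name = "myapp-task-runtime"
  role = aws_iam_role.ecs_task.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "UploadsPrefixOnly"
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:PutObject"]
      Resource = "${aws_s3_bucket.assets.arn}/uploads/*" # one prefix, not the whole bucket
    }]
  })
}

# CI/CD permissions: push one repository, deploy one service, pass only the two ECS roles.
resource "aws_iam_role_policy" "cicd" {
  name = "github-actions-deploy"
  role = aws_iam_role.cicd.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # These two APIs have no resource-level permissions, so "*" cannot be narrowed further.
      { Sid = "EcrLogin", Effect = "Allow", Action = "ecr:GetAuthorizationToken", Resource = "*" },
      { Sid = "TaskDef", Effect = "Allow", Action = ["ecs:RegisterTaskDefinition", "ecs:DescribeTaskDefinition"], Resource = "*" },
      {
        Sid    = "EcrPushOneRepo"
        Effect = "Allow"
        Action = ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                  "ecr:CompleteLayerUpload", "ecr:PutImage", "ecr:BatchGetImage"]
        Resource = local.ecr_repo_arn
      },
      { Sid = "DeployOneService", Effect = "Allow", Action = ["ecs:UpdateService", "ecs:DescribeServices"], Resource = local.ecs_service_arn },
      {
        # Without this condition the pipeline could hand any role it may pass to any service.
        Sid       = "PassOnlyEcsRoles"
        Effect    = "Allow"
        Action    = "iam:PassRole"
        Resource  = [aws_iam_role.ecs_task.arn, aws_iam_role.ecs_task_execution.arn]
        Condition = { StringEquals = { "iam:PassedToService" = "ecs-tasks.amazonaws.com" } }
      }
    ]
  })
}

# Resource-based policy on the bucket: grants only to the two application roles and
# refuses any non-TLS request no matter who sends it.
resource "aws_s3_bucket_policy" "assets" {
  bucket = aws_s3_bucket.assets.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AppRolesOnly"
        Effect    = "Allow"
        Principal = { AWS = [aws_iam_role.ec2.arn, aws_iam_role.ecs_task.arn] }
        Action    = ["s3:GetObject", "s3:ListBucket"]
        Resource  = [aws_s3_bucket.assets.arn, "${aws_s3_bucket.assets.arn}/*"]
      },
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.assets.arn, "${aws_s3_bucket.assets.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      }
    ]
  })
}
```

Two points worth checking in any variant of this: the execution role and task role are deliberately different identities, so a compromised container does not inherit the agent's ability to pull arbitrary images or read every log group; and a wildcard resource appears only where AWS offers no resource-level scoping for that action. Note also that the Allow statement in the bucket policy adds grants but does not take any away: a principal in the same account with an identity-based s3:GetObject permission can still read the bucket. Enforcing a true allowlist needs an explicit Deny keyed on aws:PrincipalArn, which must also exempt the role that runs Terraform or it will lock the deployer out.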

Full Infrastructure Architecture

CloudFront (CDN + WAF)
    ↓
ALB (HTTPS termination)
    ↓
ECS Fargate (3 containers)
    ↓
RDS Postgres (Multi-AZ) + ElastiCache Redis
    ↓
S3 (static files, logs) + ECR (container images)

CI/CD Pipeline

GitHub push → build Docker image → push to ECR → update ECS service → smoke test
     ↓
  IAM role (OIDC)

AWS cloud course complete! 🎉

  • ✅ VPC & EC2
  • ✅ RDS & S3
  • ✅ ECS & EKS
  • ✅ CloudFront & WAF
  • ✅ IAM & full infrastructure

Chapter Summary

  • Understand the core concepts and principles
  • Master the implementation methods and techniques
  • Know the common problems and their solutions
  • Be able to apply them to real projects

Further Reading

  • Official documentation and API references
  • Open-source example projects on GitHub
  • Related technical books and courses
  • Community discussions and technical blogs

Unlock the Full Tutorial

This chapter is paid content. Join the project to unlock more than 5000 words of in-depth analysis, including over 10 expert-level prompts and real source code examples!