
Terraform throwing bucket region error when attaching bucket policy to s3 bucket

I am trying to create and attach s3 bucket policies to s3 buckets with terraform. Terraform is throwing the following errors: BucketRegionError and AccessDenied errors. It is saying the bucket I am trying to attach the policy to is not in the specified region even though it is deployed in that region. Any advice on how I can attach this policy would be helpful. Below are the errors and how I am creating the buckets, the bucket policy, and how I am attaching. Thanks!

resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

data "aws_iam_policy_document" "dest_policy" {
  statement {
    actions = [
      "s3:GetBucketVersioning",
      "s3:PutBucketVersioning",
    ]

    resources = [
      for bucket in aws_s3_bucket.dest_buckets : bucket.arn
    ]

    principals {
      type = "AWS"

      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
      ]
    }
  }

  statement {
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
    ]
    resources = [
      for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
    ]
  }
}

Errors:

Error: Error putting S3 policy: AccessDenied: Access Denied
        status code: 403, request id: 7F17A032D84DE672, host id: EjX+cDYt57caooCIlGX9wPf5s8B2JlXqAZpG8mA5KZtuw/4varoutQfxlkC/9JstdMdjN8EYBtg=

  on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
  36: resource "aws_s3_bucket_policy" "dest_policy" {

Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
        status code: 301, request id: , host id:

  on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
  36: resource "aws_s3_bucket_policy" "dest_policy" {

The buckets create with no issue, I'm just having issues with attaching this policy.

UPDATE: Below is the provider block for aws.dest, the variables I have defined, and also my .aws/config file.

provider "aws" {
  alias   = "dest"
  profile = var.dest_profile
  region  = var.dest_region
}

variable "dest_region" {
  default = "us-east-2"
}

variable "dest_profile" {
  default = "replica"
}

[profile replica]
region = us-east-2
output = json

I believe you need to add provider = aws.dest to your data "aws_iam_policy_document" "dest_policy" data object.

The provider directive also works with data objects.

I managed to execute your configuration and noticed some issues:

  1. In your policy, in the second statement the principals block is missing.

statement {
  actions = [
    "s3:ReplicateObject",
    "s3:ReplicateDelete",
  ]
  resources = [
    for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
  ]
}

  2. This block is creating the bucket correctly (with -replica in the end):

resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"

  versioning {
    enabled = true
  }
}

However, by activating debug, I noticed that for this resource each.key references the bucket name without -replica, so I was receiving a 404.

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

Changing it to the same pattern as the bucket creation, it worked:

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = "${each.key}-replica"
  policy   = data.aws_iam_policy_document.dest_policy.json
}

Regarding the 403, it may be the lack of permissions for the user which is creating this resource.

Let me know if this helps you.
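As an added example (not code from the question or either answer), the same configuration with the policy document keyed by for_each like the bucket resource: each bucket's policy then names only that bucket's ARN instead of every destination bucket, both statements carry a principals block, and `bucket = each.value.id` uses the name the bucket was actually created with rather than re-deriving it from each.key. It assumes the aws.dest alias, var.s3_bucket_names, var.replication_role, data.aws_caller_identity.source and the aws_s3_bucket.dest_buckets resource exactly as declared in the question.

```hcl
locals {
  # Role in the source account that S3 replication assumes (from the question).
  replication_role_arn = "arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
}

# One policy document per destination bucket, keyed exactly like
# aws_s3_bucket.dest_buckets, so each bucket's policy grants access to
# that bucket only (least privilege) rather than to all replicas.
data "aws_iam_policy_document" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets

  statement {
    sid       = "ReplicationBucketLevel"
    actions   = ["s3:GetBucketVersioning", "s3:PutBucketVersioning"]
    resources = [each.value.arn]

    principals {
      type        = "AWS"
      identifiers = [local.replication_role_arn]
    }
  }

  statement {
    sid       = "ReplicationObjectLevel"
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete"]
    resources = ["${each.value.arn}/*"]

    # A bucket policy statement without a Principal is rejected by S3;
    # this is the missing block the second answer points out.
    principals {
      type        = "AWS"
      identifiers = [local.replication_role_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets

  # each.key is the for_each key (the source name, without "-replica");
  # each.value is the bucket object, whose id is the bucket that exists.
  bucket = each.value.id
  policy = data.aws_iam_policy_document.dest_policy[each.key].json
}
```

Because the policy document is now per bucket, `terraform plan` shows one policy per replica and a change to one bucket's ARN cannot widen access on the others.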
