Terraform 将存储桶策略附加到 s3 存储桶时抛出存储桶区域错误
[英]Terraform throwing bucket region error when attaching bucket policy to s3 bucket
问题描述
我正在尝试使用 terraform 创建和附加 s3 存储桶策略并将其附加到 s3 存储桶。 Terraform 引发以下错误:BucketRegionError 和 AccessDenied 错误。 这是说我试图将策略附加到的存储桶不是指定的区域,即使它部署在该区域中。 关于如何附加此政策的任何建议都会有所帮助。 以下是错误以及我如何创建存储桶、存储桶策略以及我如何附加。 谢谢!
resource "aws_s3_bucket" "dest_buckets" {
provider = aws.dest
for_each = toset(var.s3_bucket_names)
bucket = "${each.value}-replica"
acl = "private"
force_destroy = "true"
versioning {
enabled = true
}
}
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = each.key
policy = data.aws_iam_policy_document.dest_policy.json
}
data "aws_iam_policy_document" "dest_policy" {
statement {
actions = [
"s3:GetBucketVersioning",
"s3:PutBucketVersioning",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : bucket.arn
]
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
]
}
}
statement {
actions = [
"s3:ReplicateObject",
"s3:ReplicateDelete",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
]
}
}
错误:
Error: Error putting S3 policy: AccessDenied: Access Denied
status code: 403, request id: 7F17A032D84DE672, host id: EjX+cDYt57caooCIlGX9wPf5s8B2JlXqAZpG8mA5KZtuw/4varoutQfxlkC/9JstdMdjN8EYBtg=
on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
36: resource "aws_s3_bucket_policy" "dest_policy" {
Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
status code: 301, request id: , host id:
on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
36: resource "aws_s3_bucket_policy" "dest_policy" {
存储桶创建没有问题,我只是在附加此策略时遇到问题。
更新:下面是 aws.dest 的提供程序块、我定义的变量以及 my.aws/config 文件。
provider "aws" {
alias = "dest"
profile = var.dest_profile
region = var.dest_region
}
variable "dest_region" {
default = "us-east-2"
}
variable "dest_profile" {
default = "replica"
}
[profile replica]
region = us-east-2
output = json
2 个解决方案
解决方案1
0 2020-07-16 15:41:10
我相信您需要将provider = aws.dest添加到您的data "aws_iam_policy_document" "dest_policy"数据 object 中。
provider指令也适用于data对象。
解决方案2
0 已采纳 2020-07-16 20:17:26
我设法执行了您的配置并注意到了一些问题:
- 在您的策略中,在第二个语句中缺少
principals。
statement {
actions = [
"s3:ReplicateObject",
"s3:ReplicateDelete",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
]
}
- 此块正在正确创建存储桶(最后使用
-replica):
provider = aws.dest
for_each = toset(var.s3_bucket_names)
bucket = "${each.value}-replica"
acl = "private"
force_destroy = "true"
versioning {
enabled = true
}
}
但是,通过激活调试,我注意到对于此资源, each.key引用了不带-replica的存储桶名称,因此我收到了 404。
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = each.key
policy = data.aws_iam_policy_document.dest_policy.json
}
将其更改为与它工作的存储桶创建相同的模式:
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = "${each.key}-replica"
policy = data.aws_iam_policy_document.dest_policy.json
}
关于 403,可能是创建此资源的用户缺少权限。
让我知道这是否对您有帮助。
使用依赖于存储桶名称的模板设置 S3 存储桶策略时如何避免循环错误?
[英]How to avoid cycle error when setting an S3 bucket policy with a template that depends on the bucket name?
terraform cloudfront 分发源 - 如何更新 s3 存储桶策略
[英]terraform cloudfront distribution origin - how to update s3 bucket policy
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.