Terraform 將存儲桶策略附加到 s3 存儲桶時拋出存儲桶區域錯誤
[英]Terraform throwing bucket region error when attaching bucket policy to s3 bucket
問題描述
我正在嘗試使用 terraform 創建和附加 s3 存儲桶策略並將其附加到 s3 存儲桶。 Terraform 引發以下錯誤:BucketRegionError 和 AccessDenied 錯誤。 這是說我試圖將策略附加到的存儲桶不是指定的區域,即使它部署在該區域中。 關於如何附加此政策的任何建議都會有所幫助。 以下是錯誤以及我如何創建存儲桶、存儲桶策略以及我如何附加。 謝謝!
resource "aws_s3_bucket" "dest_buckets" {
provider = aws.dest
for_each = toset(var.s3_bucket_names)
bucket = "${each.value}-replica"
acl = "private"
force_destroy = "true"
versioning {
enabled = true
}
}
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = each.key
policy = data.aws_iam_policy_document.dest_policy.json
}
data "aws_iam_policy_document" "dest_policy" {
statement {
actions = [
"s3:GetBucketVersioning",
"s3:PutBucketVersioning",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : bucket.arn
]
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
]
}
}
statement {
actions = [
"s3:ReplicateObject",
"s3:ReplicateDelete",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
]
}
}
錯誤:
Error: Error putting S3 policy: AccessDenied: Access Denied
status code: 403, request id: 7F17A032D84DE672, host id: EjX+cDYt57caooCIlGX9wPf5s8B2JlXqAZpG8mA5KZtuw/4varoutQfxlkC/9JstdMdjN8EYBtg=
on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
36: resource "aws_s3_bucket_policy" "dest_policy" {
Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
status code: 301, request id: , host id:
on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
36: resource "aws_s3_bucket_policy" "dest_policy" {
存儲桶創建沒有問題,我只是在附加此策略時遇到問題。
更新:下面是 aws.dest 的提供程序塊、我定義的變量以及 my.aws/config 文件。
provider "aws" {
alias = "dest"
profile = var.dest_profile
region = var.dest_region
}
variable "dest_region" {
default = "us-east-2"
}
variable "dest_profile" {
default = "replica"
}
[profile replica]
region = us-east-2
output = json
2 個解決方案
解決方案1
0 2020-07-16 15:41:10
我相信您需要將provider = aws.dest添加到您的data "aws_iam_policy_document" "dest_policy"數據 object 中。
provider指令也適用於data對象。
解決方案2
0 已采納 2020-07-16 20:17:26
我設法執行了您的配置並注意到了一些問題:
- 在您的策略中,在第二個語句中缺少
principals。
statement {
actions = [
"s3:ReplicateObject",
"s3:ReplicateDelete",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
]
}
- 此塊正在正確創建存儲桶(最后使用
-replica):
provider = aws.dest
for_each = toset(var.s3_bucket_names)
bucket = "${each.value}-replica"
acl = "private"
force_destroy = "true"
versioning {
enabled = true
}
}
但是,通過激活調試,我注意到對於此資源, each.key引用了不帶-replica的存儲桶名稱,因此我收到了 404。
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = each.key
policy = data.aws_iam_policy_document.dest_policy.json
}
將其更改為與它工作的存儲桶創建相同的模式:
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = "${each.key}-replica"
policy = data.aws_iam_policy_document.dest_policy.json
}
關於 403,可能是創建此資源的用戶缺少權限。
讓我知道這是否對您有幫助。
使用依賴於存儲桶名稱的模板設置 S3 存儲桶策略時如何避免循環錯誤?
[英]How to avoid cycle error when setting an S3 bucket policy with a template that depends on the bucket name?
terraform cloudfront 分發源 - 如何更新 s3 存儲桶策略
[英]terraform cloudfront distribution origin - how to update s3 bucket policy
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.