
Trouble applying a bucket policy through Terraform

Stack Overflow user
Asked 2022-03-13 18:52:50
2 answers · 669 views · 0 followers · 0 votes

I have had this working before, but I may have messed something up, or this is a bug. I think it might be a race condition; I tried depends_on a few times but still no luck. I can't seem to get my head around this, but I know S3 policies can be tricky with buckets and Terraform. Does anyone see what I'm doing wrong?

resource "aws_s3_bucket_policy" "ct-s3-bucket-policy" {
  bucket = aws_s3_bucket.mylab-s3-bucket-ct.id
  policy = "${data.aws_iam_policy_document.default.json}"
}

resource "aws_cloudtrail" "mylab-cloudtrail" {
  name                          = "mylab-cloudtrail"
  s3_bucket_name                = aws_s3_bucket.mylab-s3-bucket-ct.id
  s3_key_prefix                 = "CT"
  include_global_service_events = true
  event_selector {
    read_write_type = "All"
    include_management_events = true
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }
  }
}

resource "aws_s3_bucket" "mylab-s3-bucket-ct" {
  bucket        = "mylab-s3-bucket-ct-1231764516123"
  force_destroy = true
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.mylab-s3-bucket-ct.id
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.s3-kms.arn
      sse_algorithm     = "aws:kms"
    }
  }
}
data "aws_iam_policy_document" "default" {
  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:GetBucketAcl",
    ]

    resources = [
      "arn:aws:s3:::${var.cloudtrailbucketname}",
    ]
  }

  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.cloudtrailbucketname}/*",
    ]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"

      values = [
        "bucket-owner-full-control",
      ]
    }
  }
}

This is the error I see at the end. The bucket is created, but the policy is not attached.

    ╷
    │ Error: Error putting S3 policy: MalformedPolicy: Policy has invalid resource
    │       status code: 400, request id: HAK8J85M98TGTHQ4, host id: Qn2mqAJ+oKcFiCD52KfLG+10/binhRn2YUQX6MARTbW4MbV4n+P5neAXg8ikB7itINHOL07DV+I=
    │
    │   with aws_s3_bucket_policy.ct-s3-bucket-policy,
    │   on main.tf line 126, in resource "aws_s3_bucket_policy" "ct-s3-bucket-policy":
    │  126: resource "aws_s3_bucket_policy" "ct-s3-bucket-policy" {
    │
    ╵
    ╷
    │ Error: Error creating CloudTrail: InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: mylab-s3-bucket-ct-1231764516123
    │
    │   with aws_cloudtrail.mylab-cloudtrail,
    │   on main.tf line 131, in resource "aws_cloudtrail" "mylab-cloudtrail":
    │  131: resource "aws_cloudtrail" "mylab-cloudtrail" {
    │

Edit: for clarity, this only happens on apply; plan works fine.

2 Answers

Stack Overflow user

Accepted answer

Posted 2022-03-13 20:18:22

I believe you have a dependency between the bucket policy and the CloudTrail trail, like this:

resource "aws_cloudtrail" "mylab-cloudtrail" {
  name                          = "mylab-cloudtrail"
  s3_bucket_name                = aws_s3_bucket.mylab-s3-bucket-ct.id
  s3_key_prefix                 = "CT"
  include_global_service_events = true
  event_selector {
    read_write_type = "All"
    include_management_events = true
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }
  }

  depends_on = [
    aws_s3_bucket_policy.ct-s3-bucket-policy
  ]
}

If you don't have this dependency, Terraform will try to create the trail before the necessary policy is attached to the bucket.

Also, you probably want to reference the bucket name in the policy and avoid using var.cloudtrailbucketname:

data "aws_iam_policy_document" "default" {
  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:GetBucketAcl",
    ]

    resources = [
      "arn:aws:s3:::${aws_s3_bucket.mylab-s3-bucket-ct.id}" # Get the bucket name
    ]
  }

  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${aws_s3_bucket.mylab-s3-bucket-ct.id}/*", # Get the bucket name
    ]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"

      values = [
        "bucket-owner-full-control",
      ]
    }
  }
}
Votes: 2

Stack Overflow user

Posted 2022-03-13 20:27:48

The original resource call:

"arn:aws:s3:::${var.cloudtrailbucketname}/*",

Changed it to this and it worked. I reference it instead of building the string. For whatever reason the JSON format was wrong.

resources = ["${aws_s3_bucket.mylab-s3-bucket-ct.arn}/*"]

@Erin helped me in the right direction.

Votes: 0
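Both answers make the same point: build the resource ARNs from the bucket resource (`aws_s3_bucket.mylab-s3-bucket-ct.id` or `.arn`) rather than from `var.cloudtrailbucketname`. The following is an added example, not code from the question or either answer, that shows offline why the original failed. It re-renders the page's two policy statements in Python by the same string interpolation the HCL uses, then lints the result for the two conditions the errors name: a Resource that is not a valid S3 ARN (an empty variable produces `arn:aws:s3:::` and `arn:aws:s3:::/*`, which S3 rejects as MalformedPolicy), and a policy that does not grant `cloudtrail.amazonaws.com` `s3:GetBucketAcl` on the trail's bucket and `s3:PutObject` under it (which CloudTrail reports as InsufficientS3BucketPolicyException, including when the variable names a different bucket). The `trail_arn` parameter and the `aws:SourceArn` condition go beyond the page's policy: AWS documents that condition for CloudTrail bucket policies so that only the named trail can write to the bucket. The bucket name is the question's; the account ID and trail ARN are placeholders. The ordering problem that `depends_on` solves is a Terraform graph matter and is not simulated here.

```python
"""Pre-apply lint for a CloudTrail bucket policy (added example, not from the page).

The statements are rendered by the same string interpolation the page's HCL
uses, so the effect of an empty or wrong bucket name can be seen offline.
"""
from __future__ import annotations

import json
import re

# S3 resource ARN as accepted in a bucket policy: the bucket ARN, optionally
# followed by a key path. Bucket-name rules are simplified (3-63 chars of
# lowercase letters, digits, dots, hyphens). 'arn:aws:s3:::' with nothing after
# it does not match, which is what an unset var.cloudtrailbucketname renders to.
S3_ARN_RE = re.compile(
    r"^arn:aws:s3:::(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(?P<key>/.*)?$"
)
CLOUDTRAIL = "cloudtrail.amazonaws.com"


def render_cloudtrail_bucket_policy(bucket_name: str, trail_arn: str = "") -> dict:
    """Render the AWSCloudTrailAclCheck + AWSCloudTrailWrite statements of the
    page's aws_iam_policy_document by interpolating bucket_name into the ARNs.

    trail_arn is optional and goes beyond the page's policy: when set, both
    statements are pinned to that trail with aws:SourceArn (the confused-deputy
    hardening AWS documents for CloudTrail bucket policies).
    """
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    acl_check = {
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL},
        "Action": "s3:GetBucketAcl",
        "Resource": bucket_arn,
    }
    write = {
        "Sid": "AWSCloudTrailWrite",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL},
        "Action": "s3:PutObject",
        "Resource": f"{bucket_arn}/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }
    if trail_arn:
        acl_check["Condition"] = {"StringEquals": {"aws:SourceArn": trail_arn}}
        write["Condition"]["StringEquals"]["aws:SourceArn"] = trail_arn
    return {"Version": "2012-10-17", "Statement": [acl_check, write]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def lint_cloudtrail_bucket_policy(policy: dict, trail_bucket: str) -> list[str]:
    """Return the problems AWS would raise for this policy, or [] if it is fine.

    * a Resource that is not a valid S3 ARN -> S3 rejects PutBucketPolicy with
      MalformedPolicy "Policy has invalid resource";
    * no statement granting cloudtrail.amazonaws.com s3:GetBucketAcl on the
      trail's bucket, or s3:PutObject under it with the bucket-owner-full-control
      ACL condition (also when the ARNs name some other bucket) -> CloudTrail
      refuses the trail with InsufficientS3BucketPolicyException.
    """
    problems: list[str] = []
    have_acl_check = have_write = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no sid>")
        for res in _as_list(stmt.get("Resource", [])):
            m = S3_ARN_RE.match(res)
            if not m:
                problems.append(f"{sid}: invalid S3 resource ARN {res!r}")
                continue
            if m.group("bucket") != trail_bucket:
                problems.append(f"{sid}: resource names bucket {m.group('bucket')!r}, "
                                f"but the trail writes to {trail_bucket!r}")
                continue
            principal = _as_list(stmt.get("Principal", {}).get("Service", []))
            if stmt.get("Effect") != "Allow" or CLOUDTRAIL not in principal:
                continue
            actions = _as_list(stmt.get("Action", []))
            key = m.group("key")
            if "s3:GetBucketAcl" in actions and key is None:
                have_acl_check = True
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if "s3:PutObject" in actions and key and key.endswith("/*") and acl == "bucket-owner-full-control":
                have_write = True
    if not have_acl_check:
        problems.append(f"missing: Allow {CLOUDTRAIL} s3:GetBucketAcl on arn:aws:s3:::{trail_bucket}")
    if not have_write:
        problems.append(f"missing: Allow {CLOUDTRAIL} s3:PutObject on arn:aws:s3:::{trail_bucket}/* "
                        "with s3:x-amz-acl = bucket-owner-full-control")
    return problems


if __name__ == "__main__":
    bucket = "mylab-s3-bucket-ct-1231764516123"  # the question's bucket name
    trail = "arn:aws:cloudtrail:us-east-1:123456789012:trail/mylab-cloudtrail"  # placeholder

    # 1) var.cloudtrailbucketname empty: ARNs degrade to 'arn:aws:s3:::' and
    #    'arn:aws:s3:::/*', the MalformedPolicy case from the question.
    broken = render_cloudtrail_bucket_policy("")
    print(json.dumps(broken, indent=2))
    for p in lint_cloudtrail_bucket_policy(broken, bucket):
        print("BROKEN:", p)

    # 2) the answers' fix: derive the ARNs from the bucket resource itself.
    fixed = render_cloudtrail_bucket_policy(bucket, trail_arn=trail)
    print("FIXED:", lint_cloudtrail_bucket_policy(fixed, bucket) or "no problems")
```

Run it as a script to see the broken and fixed renderings, or pass it the JSON that `terraform console` prints for `data.aws_iam_policy_document.default.json` (after `json.loads`) to lint a real rendering before `terraform apply`. Separately from the ARN issue, the question declares the trail's bucket with `force_destroy = true`, which lets `terraform destroy` delete the audit-log bucket together with its contents; for a CloudTrail bucket that is usually not what you want.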
Original page content provided by Stack Overflow; translation of this page by Tencent Cloud's machine translation engine.
Original link:

https://stackoverflow.com/questions/71459842
