创建ElasticSearch域时出错:ValidationException:身份验证错误

时间:2020-01-07 21:53:10

标签: elasticsearch terraform aws-acm

我最近在使用Terraform创建ES域时遇到此错误。我定义ES域的方式没有任何变化。但是,我确实开始在ALB层上使用SSL(AWS ACM证书),但这应该不会对此产生影响。任何想法可能会抱怨什么?

resource "aws_elasticsearch_domain" "es" {
  domain_name = "${var.es_domain}"
  elasticsearch_version = "6.3"

  cluster_config {
      instance_type = "r4.large.elasticsearch"
      instance_count = 2
      zone_awareness_enabled = true
  }

  vpc_options {
      subnet_ids = "${var.private_subnet_ids}"
      security_group_ids = [
          "${aws_security_group.es_sg.id}"
      ]
  }

  ebs_options {
      ebs_enabled = true
      volume_size = 10
  }

  access_policies = <<CONFIG
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Action": "es:*",
          "Principal": "*",
          "Effect": "Allow",
          "Resource": "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.es_domain}/*"
      }
  ]
}
  CONFIG

  snapshot_options {
      automated_snapshot_start_hour = 23
  }

  tags = {
      Domain = "${var.es_domain}"
  }

  depends_on = [
    "aws_iam_service_linked_role.es",
  ]
}

resource "aws_iam_service_linked_role" "es" {
  aws_service_name = "es.amazonaws.com"
}

编辑:奇怪的是,当我使用ACM证书删除并重新使用ALB侦听器的HTTP(端口80)时,就配置了ES域。

不知道该怎么做,但显然ACM证书正在干扰ES域的创建。或者我在ACM创建中做错了什么。这是我的使用方法-

resource "aws_acm_certificate" "ssl_cert" {
  domain_name       = "api.xxxx.io"
  validation_method = "DNS"

  tags = {
    Environment = "development"
  }

  lifecycle {
    create_before_destroy = true
  }

}

resource "aws_alb_listener" "alb_listener" {
  load_balancer_arn = "${aws_alb.alb.id}"
  port              = "443" 
  protocol          = "HTTPS" 
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn = "${aws_acm_certificate.ssl_cert.arn}"

  default_action {
    target_group_arn = "${aws_alb_target_group.default.id}"
    type             = "forward"
  }
}

据我在控制台中看到的那样,AWS很快就对证书进行了验证和颁发。正如所看到的,每个说法都与ES域无关。

1 个答案:

答案 0 :(得分:1)

有时会发生这样的情况,即即使使用depends_on,在启用服务链接角色之前创建ES域时也是如此。

也许您可以尝试使用本地执行配置器来等待。

resource "aws_iam_service_linked_role" "es" {
  aws_service_name = "es.amazonaws.com"
  provisioner "local-exec" {
    command = "sleep 10"
  }
}
相关问题
最新问题