I am writing a Terraform script that shares a private hosted zone with other AWS accounts.
Step 1: (in account A) create 3 private hosted zones with account A's VPC
Step 2: (in account A) create authorizations for account B's VPC and account C's VPC
Step 3: (in accounts B and C, using an assumed role) associate the VPCs with account A's private hosted zones
However, the following error occurs in step 3:
2 error(s) occurred:
* module.assciation_mtc.null_resource.associate_with_remote_zone[1]: Error running command 'aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z13ZRIFNAA9HJT --vpc VPCRegion=ap-southeast-1,VPCId=vpc-05dc595cd7378171d': exit status 255. Output:
An error occurred (NotAuthorizedException) when calling the AssociateVPCWithHostedZone operation: The VPC: vpc-05dc595cd7378171d has not authorized to associate with your hosted zone.
* module.assciation_mtc.null_resource.associate_with_remote_zone[0]: Error running command 'aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z2N32DMQZFGH6V --vpc VPCRegion=ap-southeast-1,VPCId=vpc-05dc595cd7378171d': exit status 255. Output:
An error occurred (NotAuthorizedException) when calling the AssociateVPCWithHostedZone operation: The VPC: vpc-05dc595cd7378171d has not authorized to associate with your hosted zone.
I tried the exact same command via the AWS CLI and it works. But I don't know why the script fails when Terraform executes it.
Command tried in account B and account C:
aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z2N32DMQZFGH6V --vpc VPCRegion=ap-southeast-1,VPCId=vpc-05dc595cd7378171d
Terraform folder hierarchy:
route53
  create_zone
  authorization_create
  association
/route53/main.tf
//authorize each zone with all vpc
module "authorize_zone_ss" {
source = "./authorization_create"
providers {
aws = "aws.provider_ss"
}
zone_id = "${module.creat_zone.zone_ids[0]}"
zone_ids = ["${module.creat_zone.zone_ids}"]
vpc_ids = ["${var.vpc_ids}"]
}
//associate each vpc to all zone
module "assciation_mtc" {
source = "./association"
providers {
aws = "aws.provider_mtc"
}
zone_ids = ["${module.creat_zone.zone_ids}"]
vpc_id = "${var.vpc_ids[2]}"
}
/route53/authorization_create/main.tf
data "aws_region" "current" {}
//associate 1 private zone with all account's vpc
resource "null_resource" "create_remote_zone_auth" {
count = "${var.zone_number -1}"
triggers {
vpc_id = "${element(var.vpc_ids, count.index +1)}"
}
provisioner "local-exec" {
command = "aws route53 create-vpc-association-authorization --hosted-zone-id ${var.zone_id} --vpc VPCRegion=${data.aws_region.current.name},VPCId=${element(var.vpc_ids, count.index +1)}"
}
}
/route53/association/main.tf
data "aws_region" "current" {}
//associate this vpc to all route 53 private zone
resource "null_resource" "associate_with_remote_zone" {
count = "${var.vpc_number -1}"
triggers {
zone_id = "${element(var.zone_ids, count.index +1)}"
}
provisioner "local-exec" {
command = "aws route53 associate-vpc-with-hosted-zone --hosted-zone-id ${element(var.zone_ids,count.index)} --vpc VPCRegion=${data.aws_region.current.name},VPCId=${var.vpc_id}"
}
}
Expected result:
All accounts' VPCs (accounts A, B, C) are authorized to share with all zones, i.e.
Account A zone 1: associated with the VPCs of accounts A / B / C
Account A zone 2: associated with the VPCs of accounts A / B / C
Account A zone 3: associated with the VPCs of accounts A / B / C
Actual result:
Reference:
Answer 0 (score: 1)
You must assume the role you want to use before running the local-exec command:
aws_creds=$(aws sts assume-role --role-arn 'arn-of-role' --role-session-name 'role_session_name' --duration-seconds 3600 --output json)
Then export the values so that TF uses them as part of its environment variables:
export AWS_ACCESS_KEY_ID=$(echo "${aws_creds}" | grep AccessKeyId | awk -F'"' '{print $4}')
export AWS_SECRET_ACCESS_KEY=$(echo "${aws_creds}" | grep SecretAccessKey | awk -F'"' '{print $4}')
export AWS_SESSION_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}')
export AWS_SECURITY_TOKEN=$(echo "${aws_creds}" | grep SessionToken | awk -F'"' '{print $4}')
Run the above with the relevant details for your environment, then run the auth/association.
Answer 1 (score: 0)
I have found the problem.
Terraform does not assume the role in null_resource blocks, so the command is being executed with the original Terraform role.
I am still working on a solution. Any help?
Answer 2 (score: 0)
Terraform now supports route53_vpc_association_authorization, which authorizes a VPC in a peer account to associate with a local Route53 hosted zone.
This scenario can now be implemented natively in TF without a null_resource wrapping the CLI.
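The native approach from the answer above, written out as an added example (Terraform 0.12+ syntax; not code from the question or any answer). The account id, role ARN, VPC ids and zone name are placeholders; the point is that the peer provider's assume_role block carries the cross-account step, so nothing runs under the ambient credentials the way a local-exec provisioner does.

```hcl
# Added example; account id, role ARN, VPC ids and zone name are placeholders.
provider "aws" {
  alias  = "owner" # account A, owns the private hosted zone
  region = "ap-southeast-1"
}

# Account B. The provider itself assumes the role, so the association runs
# with that role's permissions and no STS tokens have to be exported.
provider "aws" {
  alias  = "peer"
  region = "ap-southeast-1"
  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/Route53AssociationRole" # placeholder
    session_name = "route53-association"
  }
}

# The peer VPC already exists in account B.
data "aws_vpc" "peer" {
  provider = aws.peer
  id       = "vpc-0bbbbbbbbbbbbbbbb" # placeholder
}

resource "aws_route53_zone" "private" {
  provider = aws.owner
  name     = "internal.example.com" # placeholder
  vpc {
    vpc_id = "vpc-0aaaaaaaaaaaaaaaa" # account A's own VPC (placeholder)
  }
  # Associations added from other accounts would otherwise be removed
  # from the zone on the next apply.
  lifecycle {
    ignore_changes = [vpc]
  }
}
# Step 2 (account A): authorize the peer VPC for this zone.
resource "aws_route53_vpc_association_authorization" "peer" {
  provider = aws.owner
  zone_id  = aws_route53_zone.private.zone_id
  vpc_id   = data.aws_vpc.peer.id
}
# Step 3 (account B, via the assumed role): perform the association.
resource "aws_route53_zone_association" "peer" {
  provider = aws.peer
  zone_id  = aws_route53_vpc_association_authorization.peer.zone_id
  vpc_id   = aws_route53_vpc_association_authorization.peer.vpc_id
}
```

For account C, add a third provider alias with its own assume_role and repeat the authorization and association pair; the role in each peer account only needs route53:AssociateVPCWithHostedZone plus ec2:DescribeVpcs for its own VPC.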