我在AWS中有一个Elasticsearch域。我已经创建了一个基于IP的访问策略,并试图在那里提供我所有的VPN CIDR块,以便我可以让该VPN中的所有计算机访问Elasticsearch和Kibana并在Elasticsearch域上运行一些curl命令。
我从ipconfig尝试了IP地址->不起作用
我尝试通过Google(公共IP Adrees)的IP地址-> Works
我尝试了VPN CIDR阻止=>不起作用
"Condition": {
"IpAddress": {
"aws:SourceIp": "x.x.x.x/16"
}
}
答案 0 :(得分:0)
IP地址应为数组
"Condition": {
"IpAddress": {"aws:SourceIp": ["youip1/32"]}
}
我也想知道您是否错过了政策中的资源
"Resource": "arn:aws:es:us-west-2:${data.aws_caller_identity.user.account_id}:domain/test/*",
这是您可以尝试的工作示例
# Creating ElasticSearch Domain with Policy
resource "aws_elasticsearch_domain" "test-domain" {
domain_name = "testes"
elasticsearch_version = "6.7"
cluster_config {
instance_type = "t2.small.elasticsearch"
instance_count = 2
}
ebs_options {
ebs_enabled = true
volume_size = 10
volume_type = "standard"
}
snapshot_options {
automated_snapshot_start_hour = 23
}
access_policies = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Principal": "*",
"Effect": "Allow",
"Resource": "arn:aws:es:${var.region}:${data.aws_caller_identity.user.account_id}:domain/testes/*",
"Condition": {
"IpAddress": {"aws:SourceIp": ["VPN_public_IP/32", "1.2.3.4/32"]}
}
}
]
}
POLICY
tags = {
Domain = "testes-tag"
}
}
还要再次检查VPN配置,它是否路由所有流量或特定流量,并在您从Google验证本地IP时验证VPN IP。连接到VPN并检查您的IP,然后在策略中添加该IP。