将存储桶策略附加到s3存储桶时,地形抛出存储桶区域错误

时间:2020-07-15 18:51:59

标签: amazon-web-services amazon-s3 terraform terraform-provider-aws

我正在尝试创建s3存储桶策略并将其附加到具有Terraform的s3存储桶。 Terraform引发以下错误:BucketRegionError和AccessDenied错误。就是说,我尝试将策略附加到的存储桶不是指定的区域,即使它已部署在该区域中也是如此。关于如何附加此政策的任何建议都将有所帮助。以下是错误以及我如何创建存储桶,存储桶策略以及如何附加。谢谢!

resource "aws_s3_bucket" "dest_buckets" {


provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

data "aws_iam_policy_document" "dest_policy" {
  statement {
    actions = [
      "s3:GetBucketVersioning",
"s3:PutBucketVersioning",
    ]

    resources = [
      for bucket in aws_s3_bucket.dest_buckets : bucket.arn
    ]

    principals {
      type = "AWS"

      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
      ]
    }
  }

  statement {
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
    ]
resources = [
      for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
    ]
  }
}

错误:

    Error: Error putting S3 policy: AccessDenied: Access Denied
        status code: 403, request id: 7F17A032D84DE672, host id: EjX+cDYt57caooCIlGX9wPf5s8B2JlXqAZpG8mA5KZtuw/4varoutQfxlkC/9JstdMdjN8EYBtg=

  on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
  36: resource "aws_s3_bucket_policy" "dest_policy" {



Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
        status code: 301, request id: , host id:

  on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
  36: resource "aws_s3_bucket_policy" "dest_policy" {

创建存储桶没有问题,我在附加此政策时遇到了问题。

更新: 下面是aws.dest的提供程序块,我定义的变量以及我的.aws / config文件。

  provider "aws" {
  alias   = "dest"
  profile = var.dest_profile
  region  = var.dest_region
}

variable "dest_region" {
default = "us-east-2"
}

variable "dest_profile" {
  default = "replica"
}

[profile replica]
region = us-east-2
output = json

2 个答案:

答案 0 :(得分:0)

我认为您需要向provider = aws.dest数据对象中添加data "aws_iam_policy_document" "dest_policy"

provider指令还可以与data对象一起使用。

答案 1 :(得分:0)

我设法执行了配置,并发现了一些问题:

  1. 在您的政策中,第二条语句中缺少principals
statement {
  actions = [
    "s3:ReplicateObject",
    "s3:ReplicateDelete",
  ]
  resources = [
    for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
  ]
}
  1. 此代码块正确创建了存储桶(最后是-replica
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"

  versioning {
    enabled = true
  }
}

但是,通过激活调试,我注意到对于该资源each.key引用的存储桶名称不包含-replica,因此我收到的是404。

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

将其更改为与创建存储桶相同的模式:

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = "${each.key}-replica"
  policy   = data.aws_iam_policy_document.dest_policy.json
}

关于403,可能是创建该资源的用户权限不足。

让我知道这是否对您有帮助。

相关问题
最新问题