将存储桶策略附加到 s3 存储桶时,Terraform 抛出存储桶区域错误
Terraform throwing bucket region error when attaching bucket policy to s3 bucket
我正在尝试使用 Terraform 创建和附加 s3 存储桶策略并将其附加到 s3 存储桶。 Terraform 抛出以下错误:BucketRegionError 和 AccessDenied 错误。它说我试图将策略附加到的存储桶不是指定的区域,即使它部署在该区域中也是如此。关于如何附加此政策的任何建议都会有所帮助。以下是错误以及我如何创建存储桶、存储桶策略以及我如何附加。谢谢!
resource "aws_s3_bucket" "dest_buckets" {
provider = aws.dest
for_each = toset(var.s3_bucket_names)
bucket = "${each.value}-replica"
acl = "private"
force_destroy = "true"
versioning {
enabled = true
}
}
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = each.key
policy = data.aws_iam_policy_document.dest_policy.json
}
data "aws_iam_policy_document" "dest_policy" {
statement {
actions = [
"s3:GetBucketVersioning",
"s3:PutBucketVersioning",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : bucket.arn
]
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
]
}
}
statement {
actions = [
"s3:ReplicateObject",
"s3:ReplicateDelete",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
]
}
}
错误:
Error: Error putting S3 policy: AccessDenied: Access Denied
status code: 403, request id: 7F17A032D84DE672, host id: EjX+cDYt57caooCIlGX9wPf5s8B2JlXqAZpG8mA5KZtuw/4varoutQfxlkC/9JstdMdjN8EYBtg=
on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
36: resource "aws_s3_bucket_policy" "dest_policy" {
Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
status code: 301, request id: , host id:
on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
36: resource "aws_s3_bucket_policy" "dest_policy" {
存储桶创建没有问题,我只是在附加此策略时遇到问题。
更新:
下面是 aws.dest 的提供程序块、我定义的变量以及我的 .aws/config 文件。
provider "aws" {
alias = "dest"
profile = var.dest_profile
region = var.dest_region
}
variable "dest_region" {
default = "us-east-2"
}
variable "dest_profile" {
default = "replica"
}
[profile replica]
region = us-east-2
output = json
我认为您需要将 provider = aws.dest 添加到 data "aws_iam_policy_document" "dest_policy" 数据对象。
provider 指令也适用于 data 个对象。
我设法执行了您的配置并注意到了一些问题:
- 在您的保单中,第二个陈述中缺少
principals。
statement {
actions = [
"s3:ReplicateObject",
"s3:ReplicateDelete",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
]
}
- 此块正在正确创建存储桶(最后是
-replica):
provider = aws.dest
for_each = toset(var.s3_bucket_names)
bucket = "${each.value}-replica"
acl = "private"
force_destroy = "true"
versioning {
enabled = true
}
}
但是,通过激活调试,我注意到对于此资源 each.key 引用了没有 -replica 的存储桶名称,因此我收到了 404。
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = each.key
policy = data.aws_iam_policy_document.dest_policy.json
}
将其更改为与创建存储桶时相同的模式:
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = "${each.key}-replica"
policy = data.aws_iam_policy_document.dest_policy.json
}
关于403,可能是创建该资源的用户权限不足
如果这对你有帮助,请告诉我。
我正在尝试使用 Terraform 创建和附加 s3 存储桶策略并将其附加到 s3 存储桶。 Terraform 抛出以下错误:BucketRegionError 和 AccessDenied 错误。它说我试图将策略附加到的存储桶不是指定的区域,即使它部署在该区域中也是如此。关于如何附加此政策的任何建议都会有所帮助。以下是错误以及我如何创建存储桶、存储桶策略以及我如何附加。谢谢!
resource "aws_s3_bucket" "dest_buckets" {
provider = aws.dest
for_each = toset(var.s3_bucket_names)
bucket = "${each.value}-replica"
acl = "private"
force_destroy = "true"
versioning {
enabled = true
}
}
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = each.key
policy = data.aws_iam_policy_document.dest_policy.json
}
data "aws_iam_policy_document" "dest_policy" {
statement {
actions = [
"s3:GetBucketVersioning",
"s3:PutBucketVersioning",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : bucket.arn
]
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
]
}
}
statement {
actions = [
"s3:ReplicateObject",
"s3:ReplicateDelete",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
]
}
}
错误:
Error: Error putting S3 policy: AccessDenied: Access Denied
status code: 403, request id: 7F17A032D84DE672, host id: EjX+cDYt57caooCIlGX9wPf5s8B2JlXqAZpG8mA5KZtuw/4varoutQfxlkC/9JstdMdjN8EYBtg=
on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
36: resource "aws_s3_bucket_policy" "dest_policy" {
Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
status code: 301, request id: , host id:
on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
36: resource "aws_s3_bucket_policy" "dest_policy" {
存储桶创建没有问题,我只是在附加此策略时遇到问题。
更新: 下面是 aws.dest 的提供程序块、我定义的变量以及我的 .aws/config 文件。
provider "aws" {
alias = "dest"
profile = var.dest_profile
region = var.dest_region
}
variable "dest_region" {
default = "us-east-2"
}
variable "dest_profile" {
default = "replica"
}
[profile replica]
region = us-east-2
output = json
我认为您需要将 provider = aws.dest 添加到 data "aws_iam_policy_document" "dest_policy" 数据对象。
provider 指令也适用于 data 个对象。
我设法执行了您的配置并注意到了一些问题:
- 在您的保单中,第二个陈述中缺少
principals。
statement {
actions = [
"s3:ReplicateObject",
"s3:ReplicateDelete",
]
resources = [
for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
]
}
- 此块正在正确创建存储桶(最后是
-replica):
provider = aws.dest
for_each = toset(var.s3_bucket_names)
bucket = "${each.value}-replica"
acl = "private"
force_destroy = "true"
versioning {
enabled = true
}
}
但是,通过激活调试,我注意到对于此资源 each.key 引用了没有 -replica 的存储桶名称,因此我收到了 404。
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = each.key
policy = data.aws_iam_policy_document.dest_policy.json
}
将其更改为与创建存储桶时相同的模式:
resource "aws_s3_bucket_policy" "dest_policy" {
provider = aws.dest
for_each = aws_s3_bucket.dest_buckets
bucket = "${each.key}-replica"
policy = data.aws_iam_policy_document.dest_policy.json
}
关于403,可能是创建该资源的用户权限不足
如果这对你有帮助,请告诉我。