Terraform - AWS - CreateSecurityGroup - parameter GroupName is invalid. Group names may not be in the format sg-*
I am trying to create an AWS EKS cluster with Terraform, and among a series of steps I have one that creates a security group, but I am hitting an error I cannot resolve.
Could you help me see why this error occurs?
Using terraform version v0.13.1
Request and response log:
2020-09-03T17:10:09.598+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: Action=CreateSecurityGroup&GroupDescription=Managed+by+Te
rraform&GroupName=sg-worker_group_mgmt_two2020090311400XXXXXXXXXXXX&Version=2016-11-15&VpcId=vpc-XXXXXXXX
2020-09-03T17:10:09.598+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: -----------------------------------------------------
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: 2020/09/03 17:10:10 [DEBUG] [aws-sdk-go] DEBUG: Response
ec2/CreateSecurityGroup Details:
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: ---[ RESPONSE ]--------------------------------------
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: HTTP/1.1 400 Bad Request
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: Connection: close
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: Transfer-Encoding: chunked
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: Date: Thu, 03 Sep 2020 11:40:09 GMT
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: Server: AmazonEC2
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5:
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5:
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: -----------------------------------------------------
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: 2020/09/03 17:10:10 [DEBUG] [aws-sdk-go] <?xml version="1
.0" encoding="UTF-8"?>
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: <Response><Errors><Error><Code>InvalidParameterValue</Cod
e><Message>Value (sg-worker_group_mgmt_two2020090311400XXXXXXXXXXXX) for parameter GroupName is invalid. Group names may not be in the
format sg-*.</Message></Error></Errors><RequestID>5XXXX-0XXX-4c55-aXXa-b34f3XXXXX</RequestID></Response>
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: 2020/09/03 17:10:10 [DEBUG] [aws-sdk-go] DEBUG: Validate
Response ec2/CreateSecurityGroup failed, attempt 0/25, error InvalidParameterValue: Value (sg-worker_group_mgmt_two2020090311400XXXXXXXXXXXX) for parameter GroupName is invalid. Group names may not be in the format sg-*.
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: status code: 400, request id: 5XXXX-0XXX-4c55-aXXa-b34f3XXXXX
2020/09/03 17:10:10 [DEBUG] aws_security_group.worker_group_mgmt_two: apply errored, but we're indicating that via the Error pointer rather than returning it: Error creating Security Group: InvalidParameterValue: Value (sg-worker_group_mgmt_two2020090311400XXXXXXXXXXXX) for parameter GroupName is invalid. Group names may not be in the format sg-*.
status code: 400, request id: 5XXXX-0XXX-4c55-aXXa-b34f3XXXXX
Terraform code:
resource "aws_security_group" "sg-worker_group_mgmt_one" {
name_prefix = "sg-worker_group_mgmt_one"
vpc_id = "${data.aws_vpc.vpc-dev-cluster.id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"xxx.xx.0.0/16",
]
}
}
resource "aws_security_group" "sg-worker_group_mgmt_two" {
name_prefix = "sg-worker_group_mgmt_two"
vpc_id = "${data.aws_vpc.vpc-dev-cluster.id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"xxx.xx.0.0/16",
]
}
}
resource "aws_security_group" "sg-all_worker_mgmt" {
name_prefix = "sg-all_worker_management"
vpc_id = "${data.aws_vpc.vpc-dev-cluster.id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"xxx.xx.xx.0/17",
"xxx.xx.0.0/16",
]
}
}
resource "aws_security_group" "sg-eks_cluster" {
name = "${var.cluster_sg_name}"
description = "Cluster communication with worker nodes"
vpc_id = "${data.aws_vpc.vpc-dev-cluster.id}"
tags = {
Name = "${var.cluster_sg_name}"
}
}
resource "aws_security_group_rule" "sg-cluster_inbound" {
description = "Allow worker nodes to communicate with the cluster API Server"
from_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.sg-eks_cluster.id}"
source_security_group_id = "${aws_security_group.sg-eks_nodes.id}"
to_port = 443
type = "ingress"
}
resource "aws_security_group_rule" "sg-cluster_outbound" {
description = "Allow cluster API Server to communicate with the worker nodes"
from_port = 1024
protocol = "tcp"
security_group_id = "${aws_security_group.sg-eks_cluster.id}"
source_security_group_id = "${aws_security_group.sg-eks_nodes.id}"
to_port = 65535
type = "egress"
}
resource "aws_security_group" "sg-eks_nodes" {
name = "${var.nodes_sg_name}"
description = "Security group for all nodes in the cluster"
vpc_id = "${data.aws_vpc.vpc-dev-cluster.id}"
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.nodes_sg_name}"
"kubernetes.io/cluster/${var.eks_cluster_name}" = "owned"
}
}
resource "aws_security_group_rule" "nodes" {
description = "Allow nodes to communicate with each other"
from_port = 0
protocol = "-1"
security_group_id = "${aws_security_group.sg-eks_nodes.id}"
source_security_group_id = "${aws_security_group.sg-eks_nodes.id}"
to_port = 65535
type = "ingress"
}
resource "aws_security_group_rule" "nodes_inbound" {
description = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
from_port = 1025
protocol = "tcp"
security_group_id = "${aws_security_group.sg-eks_nodes.id}"
source_security_group_id = "${aws_security_group.sg-eks_cluster.id}"
to_port = 65535
type = "ingress"
}
The AWS documentation for CreateSecurityGroup mentions the following constraint on name:
Constraints: Up to 255 characters in length. Cannot start with sg-.
Normally the AWS provider would validate this, so that it shows up in the plan or validate command. Unfortunately, it currently only has a validation that checks the length.
To fix your error, you need to change the security group's name to remove the sg- prefix.
I have raised https://github.com/terraform-providers/terraform-provider-aws/pull/15011 to fix this so that in future it can be detected before running apply.
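Until the provider enforces the constraint itself, the same check can be done on your side with a variable validation block (generally available in Terraform 0.13), so a bad name fails at plan/validate instead of at apply. This is an added example, not code from the question or the answer; the variable name and the resource it feeds are assumed.

```hcl
# Added example: reject security group names that AWS would refuse at
# CreateSecurityGroup (must not start with "sg-", at most 255 characters).
# Note that Terraform appends a unique suffix to name_prefix (visible in the
# request log above), so the final name is longer than the prefix checked here.
variable "worker_sg_name_prefix" {
  type    = string
  default = "worker_group_mgmt_two"   # "sg-worker_group_mgmt_two" would fail validation

  validation {
    condition = (
      !can(regex("^sg-", var.worker_sg_name_prefix))
      && length(var.worker_sg_name_prefix) <= 255
    )
    error_message = "Security group names may not start with \"sg-\" and must be at most 255 characters long."
  }
}

resource "aws_security_group" "worker_group_mgmt_two" {
  name_prefix = var.worker_sg_name_prefix
  vpc_id      = data.aws_vpc.vpc-dev-cluster.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]   # constructed placeholder range
  }
}
```

With the default above, `terraform validate` passes; running `terraform plan -var='worker_sg_name_prefix=sg-worker_group_mgmt_two'` stops with the error message before any API call is made.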