Problem description
Terraform throwing bucket region error when attaching bucket policy to s3 bucket
I am trying to use Terraform to create an S3 bucket policy and attach it to an S3 bucket. Terraform throws the following errors: BucketRegionError and AccessDenied. It says the bucket I am trying to attach the policy to is not in the specified region, even though it is deployed in that region. Any suggestions on how to attach this policy would be helpful. Below are the errors, how I create the bucket and the bucket policy, and how I attach it. Thanks!
resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

data "aws_iam_policy_document" "dest_policy" {
  statement {
    actions = [
      "s3:GetBucketVersioning",
      "s3:PutBucketVersioning",
    ]
    resources = [
      for bucket in aws_s3_bucket.dest_buckets : bucket.arn
    ]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
      ]
    }
  }

  statement {
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
    ]
    resources = [
      for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
    ]
  }
}
Errors:

Error: Error putting S3 policy: AccessDenied: Access Denied
  status code: 403, request id: 7F17A032D84DE672, host id: EjX+cDYt57caooCIlGX9wPf5s8B2JlXqAZpG8mA5KZtuw/4varoutQfxlkC/9JstdMdjN8EYBtg=
  on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
  36: resource "aws_s3_bucket_policy" "dest_policy" {

Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
  status code: 301, request id: , host id:
  on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
  36: resource "aws_s3_bucket_policy" "dest_policy" {

Creating the buckets works without problems; I only run into trouble when attaching this policy.
Update: below are the provider block for aws.dest, the variables I defined, and my .aws/config file.
provider "aws" {
  alias   = "dest"
  profile = var.dest_profile
  region  = var.dest_region
}

variable "dest_region" {
  default = "us-east-2"
}

variable "dest_profile" {
  default = "replica"
}

[profile replica]
region = us-east-2
output = json
Reference solutions
Method 1:
I believe you need to add provider = aws.dest to your data "aws_iam_policy_document" "dest_policy" data object. The provider directive also works with data objects.
Method 2:
I managed to execute your configuration and noticed some issues:

- In your policy, in the second statement the principals block is missing:

statement {
  actions = [
    "s3:ReplicateObject",
    "s3:ReplicateDelete",
  ]
  resources = [
    for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
  ]
}

- This block is creating the bucket correctly (with -replica at the end):

resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"

  versioning {
    enabled = true
  }
}

However, by activating the debug, I've noticed that for this resource each.key references the bucket name without -replica, so I was receiving a 404.

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

Changing it to the same pattern as the bucket creation, it worked:

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = "${each.key}-replica"
  policy   = data.aws_iam_policy_document.dest_policy.json
}

Regarding the 403, it may be the lack of permissions for the user which is creating this resource.
Let me know if this helps you.
(by Dave Michaels, jasonwalsh, Ribeiro)
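The following is an added example, not code from the question or from either answer above, that pulls the two fixes together and tightens the policy. It assumes the same names as the question (provider alias aws.dest, var.s3_bucket_names, var.replication_role, data.aws_caller_identity.source), the AWS provider v3 style of declaring acl and versioning inside aws_s3_bucket that the question uses, and Terraform 0.13 or newer so that for_each can be used on a data source. The point it demonstrates: when a resource has for_each = aws_s3_bucket.dest_buckets, each.key is the un-suffixed name from var.s3_bucket_names and each.value is the bucket object, so each.value.id (or each.value.bucket) is the name that actually exists in us-east-2. Because S3 bucket names are global, addressing the un-suffixed name with PutBucketPolicy hits whatever bucket happens to carry that name elsewhere, which is exactly how you get a 301 (bucket in another region, surfaced as BucketRegionError) or a 403 (bucket owned by another account) instead of a 404. The example also gives every statement a principal, since S3 rejects a bucket-policy statement without one, and scopes each bucket's policy to its own ARN instead of granting the replication role access to every replica bucket from every bucket.

```hcl
# Added example (not the question's or the answers' code). Assumes aws.dest,
# var.s3_bucket_names, var.replication_role and data.aws_caller_identity.source
# are declared as in the question, provider v3 aws_s3_bucket syntax, and
# Terraform >= 0.13 (for_each on a data source).

locals {
  # Hypothetical local for the cross-account replication role ARN.
  replication_role_arn = "arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
}

resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = true

  versioning {
    enabled = true
  }
}

# One policy document per destination bucket: each bucket only grants the
# replication role access to its own ARN, not to every replica bucket.
data "aws_iam_policy_document" "dest_policy" {
  for_each = aws_s3_bucket.dest_buckets

  statement {
    sid = "ReplicationRoleBucketVersioning"
    actions = [
      "s3:GetBucketVersioning",
      "s3:PutBucketVersioning",
    ]
    resources = [each.value.arn]

    principals {
      type        = "AWS"
      identifiers = [local.replication_role_arn]
    }
  }

  # A bucket-policy statement without a principal is rejected by S3 as
  # malformed, so the object-level statement names the role too.
  statement {
    sid = "ReplicationRoleObjectWrites"
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
    ]
    resources = ["${each.value.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [local.replication_role_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets

  # each.key is the un-suffixed source name; the bucket that exists in
  # aws.dest is each.value.id ("<name>-replica"). Using each.key here sends
  # PutBucketPolicy to a different (possibly foreign) bucket of that name.
  bucket = each.value.id
  policy = data.aws_iam_policy_document.dest_policy[each.key].json
}
```

Before and after applying, the cheap check is to ask S3 where the bucket Terraform is about to touch actually lives: `aws s3api get-bucket-location --bucket <name>-replica --profile replica` should return us-east-2, and the same call against the un-suffixed name shows which region (or which account's access denial) the original configuration was really talking to. After the apply, `aws s3api get-bucket-policy --bucket <name>-replica --profile replica` confirms that the policy landed on the replica and that its Resource entries name only that bucket.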