【Question title】: Terraform throwing bucket region error when attaching bucket policy to s3 bucket
【Posted】: 2020-11-05 08:47:47
【Question】:

I am trying to create an S3 bucket policy with Terraform and attach it to an S3 bucket. Terraform throws the following errors: BucketRegionError and AccessDenied. It says the bucket I am trying to attach the policy to is not in the specified region, even though it is deployed in that region. Any advice on how to attach this policy would be helpful. Below are the errors, how I create the buckets and the bucket policy, and how I attach it. Thanks!

resource "aws_s3_bucket" "dest_buckets" {
  provider      = aws.dest
  for_each      = toset(var.s3_bucket_names)
  bucket        = "${each.value}-replica"
  acl           = "private"
  force_destroy = "true"

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.key
  policy   = data.aws_iam_policy_document.dest_policy.json
}

data "aws_iam_policy_document" "dest_policy" {
  statement {
    actions = [
      "s3:GetBucketVersioning",
      "s3:PutBucketVersioning",
    ]

    resources = [
      for bucket in aws_s3_bucket.dest_buckets : bucket.arn
    ]

    principals {
      type = "AWS"

      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
      ]
    }
  }

  statement {
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
    ]

    resources = [
      for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
    ]
  }
}

Errors:

    Error: Error putting S3 policy: AccessDenied: Access Denied
        status code: 403, request id: 7F17A032D84DE672, host id: EjX+cDYt57caooCIlGX9wPf5s8B2JlXqAZpG8mA5KZtuw/4varoutQfxlkC/9JstdMdjN8EYBtg=

      on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
      36: resource "aws_s3_bucket_policy" "dest_policy" {

    Error: Error putting S3 policy: BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region at endpoint ''
        status code: 301, request id: , host id:

      on main.tf line 36, in resource "aws_s3_bucket_policy" "dest_policy":
      36: resource "aws_s3_bucket_policy" "dest_policy" {

Creating the buckets works fine; I only run into problems when attaching this policy.

Update: below are the provider block for aws.dest, the variables I defined, and my .aws/config file.

provider "aws" {
  alias   = "dest"
  profile = var.dest_profile
  region  = var.dest_region
}

variable "dest_region" {
  default = "us-east-2"
}

variable "dest_profile" {
  default = "replica"
}

[profile replica]
region = us-east-2
output = json

【Question comments】:

    Tags: amazon-web-services amazon-s3 terraform terraform-provider-aws


    【Solution 1】:

    I managed to run your configuration and noticed a few issues:

    1. In your policy, the second statement is missing principals:
    statement {
      actions = [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
      ]
      resources = [
        for bucket in aws_s3_bucket.dest_buckets : "${bucket.arn}/*"
      ]
    }
    
    2. This block creates the buckets correctly (with -replica at the end):
    resource "aws_s3_bucket" "dest_buckets" {
      provider      = aws.dest
      for_each      = toset(var.s3_bucket_names)
      bucket        = "${each.value}-replica"
      acl           = "private"
      force_destroy = "true"
    
      versioning {
        enabled = true
      }
    }
    

    However, by enabling debug logging I noticed that in this resource each.key refers to the bucket name without -replica, so I got a 404.

    resource "aws_s3_bucket_policy" "dest_policy" {
      provider = aws.dest
      for_each = aws_s3_bucket.dest_buckets
      bucket   = each.key
      policy   = data.aws_iam_policy_document.dest_policy.json
    }
    

    Changing it to the same pattern as the bucket creation, which works:

    resource "aws_s3_bucket_policy" "dest_policy" {
      provider = aws.dest
      for_each = aws_s3_bucket.dest_buckets
      bucket   = "${each.key}-replica"
      policy   = data.aws_iam_policy_document.dest_policy.json
    }
    

    Regarding the 403, it may be that the user creating this resource does not have permission.

    Let me know if this helps.

    【Comments】:

    • Oh wow!! Thank you so much. I had actually noticed earlier that my second statement was missing the principals block. I added it but was still getting that error. However, adding "-replica" in the bucket policy fixed it. Thanks a lot!!
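    A corrected layout for the destination-side policy, as an added example (not the question's or either answer's code): it assumes the aws_s3_bucket.dest_buckets resource from the question and a provider alias aws.source (a constructed name) for the account that owns the replication role, attaches by each.value.id instead of rebuilding the name, gives both statements a principals block, and generates one document per bucket so each policy names only the bucket it is attached to.

```hcl
# Added example; assumes aws_s3_bucket.dest_buckets from the question and a
# provider alias aws.source (constructed name) for the source account.
data "aws_caller_identity" "source" {
  provider = aws.source
}

locals {
  replication_role_arn = "arn:aws:iam::${data.aws_caller_identity.source.account_id}:role/${var.replication_role}"
}

# One document per destination bucket, keyed like the bucket map, so each
# policy grants the replication role access to its own bucket only.
data "aws_iam_policy_document" "dest_policy" {
  for_each = aws_s3_bucket.dest_buckets

  statement {
    actions   = ["s3:GetBucketVersioning", "s3:PutBucketVersioning"]
    resources = [each.value.arn]

    principals {
      type        = "AWS"
      identifiers = [local.replication_role_arn]
    }
  }

  # Every statement needs a principals block; the question's second one had none.
  statement {
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete"]
    resources = ["${each.value.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [local.replication_role_arn]
    }
  }
}

# The map keys are the source names without "-replica", so each.key is not an
# existing destination bucket; attach to the created bucket's own id instead.
resource "aws_s3_bucket_policy" "dest_policy" {
  provider = aws.dest
  for_each = aws_s3_bucket.dest_buckets
  bucket   = each.value.id
  policy   = data.aws_iam_policy_document.dest_policy[each.key].json
}
```

    The 403 in the question is a separate issue: the identity behind the dest profile needs s3:PutBucketPolicy on the replica buckets, which the naming fix alone does not grant.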
    【Solution 2】:

    I believe you need to add provider = aws.dest to your data "aws_iam_policy_document" "dest_policy" data object.

    The provider directive applies to data objects as well.

    【Comments】:

    • Hey, thanks for the tip. I tried it and still no luck :(
    • @DaveMichaels No problem! Sorry the solution didn't work. Would you mind sharing the AWS provider configuration aliased as dest? Another question I might ask: are any AWS_ environment variables set in your shell when you call terraform apply?
    • Added the changes. I don't have any environment variables set when running terraform apply.