具有多个主题的 Terraform s3 存储桶通知答案

【问题标题】：Terraform s3 bucket notification having multiple topics具有多个主题的 Terraform s3 存储桶通知
【发布时间】：2017-12-12 23:38:45
【问题描述】：

我正在尝试为 aws_s3_bucket_notification 编写一个灵活/动态的资源，它可能具有指定 s3 存储桶的可变主题。对于一个桶，我可能只有 2 个前缀和 2 个主题，而对于其他 4 或 5 个等等......我正在考虑使用一个映射函数，它将存储每个前缀类型的“前缀”和“SNS ARN”为事件将是相同的。我需要创建一个 s3_bucket_notification，其中包含所有主题，而无需手动编写每个主题。有什么建议吗？

例子

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = "${aws_s3_bucket.bucket.id}"

  topic {
    topic_arn     = "$map.value" ###prototype
    events        = ["s3:ObjectCreated:*"]
    filter_suffix = "$map.key" ###prototype
  }
}

【问题讨论】：

使用原始循环之类的东西

标签： amazon-s3 terraform

【解决方案1】：

如果我的理解是正确的，代码应该是这样的：

variable "sns_top" {
  type = "map"

  default = {
    dev  = "topic1"
    uat  = "topic2"
    prod = "topic3"
  }
}

variable "bucket_name" {
  default = "my-tf-test-bucket-dfsfddsf"
}

data "aws_caller_identity" "current" {}

resource "aws_sns_topic" "sns_topic" {
  count = "${length(keys(var.sns_top))}"
  name  = "sns-topic-${element(values(var.sns_top),count.index)}"
}

resource "aws_sns_topic_policy" "custom" {
  count = "${length(keys(var.sns_top))}"
  arn   = "${element(aws_sns_topic.sns_topic.*.arn, count.index)}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement":[{
    "Sid": "default",
    "Effect": "Allow",
    "Principal": {"AWS":"*"},
    "Action": [
      "SNS:GetTopicAttributes",
      "SNS:SetTopicAttributes",
      "SNS:AddPermission",
      "SNS:RemovePermission",
      "SNS:DeleteTopic"
    ],
    "Resource": "${element(aws_sns_topic.sns_topic.*.arn, count.index)}"
  }]
}
POLICY

  depends_on = ["aws_sns_topic.sns_topic"]
}

resource "aws_s3_bucket" "bucket" {
  bucket = "${var.bucket_name}"
}

data "aws_iam_policy_document" "default" {
  statement {
    effect = "Allow"

    actions = [
      "s3:PutObject",
    ]

    resources = [
      "${aws_s3_bucket.bucket.arn}/*",
    ]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
}

resource "aws_s3_bucket_policy" "default" {
  bucket = "${aws_s3_bucket.bucket.id}"
  policy = "${data.aws_iam_policy_document.default.json}"
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  count  = "${length(keys(var.sns_top))}"
  bucket = "${aws_s3_bucket.bucket.id}"

  topic {
    topic_arn     = "${element(aws_sns_topic.sns_topic.*.arn, count.index)}"
    events        = ["s3:ObjectCreated:*"]
    filter_suffix = "${element(keys(var.sns_top),count.index)}"
  }
}

代码遇到以下链接中解释的错误，但您应该可以将其用于进一步编码，例如如何将count.index 与地图一起使用。

* aws_s3_bucket_notification.bucket_notification.0: Error putting S3 notification configuration: InvalidArgument: Unable to validate the following destination configurations

参考：

How do I avoid the error "Unable to validate the following destination configurations" when using S3 event notifications in CloudFormation?

【讨论】：

非常感谢@BMW。我会看看你的建议。我不确定我们是否可以使用以下 count = "${length(keys(var.sns_top))}" bucket = "${aws_s3_bucket.bucket.id}" topic { topic_arn = "${element(aws_sns_topic. sns_topic.*.arn, count.index)}" events = ["s3:ObjectCreated:*"] filter_suffix = "${element(keys(var.sns_top),count.index)}" }
你可以。只有在这种特殊情况下，由于错误 Unable to validate the following destination configurations，您需要静态命名您的 S3 存储桶。我试过了，还是不行。但是count.index的代码和map使用是对的。
我需要做的就是拥有同一个 s3 存储桶的多个通知，而无需手动键入资源定义中的所有通知，而是使用映射传递它们。我也在考虑这个。 github.com/hashicorp/terraform/issues/6934。好像有限制。
我无法解决这个错误。有什么线索可以解决这个问题吗？
我尝试过并放弃了。如果您有 AWS 的企业或开发人员帐户（不是免费的），可以提出请求并直接向 AWS 支持寻求帮助。这个错误需要他们直接指示。