【Question title】: S3 Replication Terraform Apply Error For Encryption
【Posted】: 2021-06-14 00:52:59
【Question description】:

I am trying to set up cross-region S3 replication in Terraform.

Part of my main s3.tf is:

resource "aws_kms_key" "s3_replica-us-west-2-key" {
  description             = "S3 master key replica us-west-2"
  deletion_window_in_days = 30
  enable_key_rotation     = "true"
}

module "s3_replica" {
  source = "git@github.com:xxx"

  providers = {
    aws = "aws.us-west-2"
  }

  name                  = "s3_replica"
  logging_bucket_prefix = "s3_replica"
  versioning            = var.versioning
  bucket_logging        = var.bucket_logging
  logging_bucket_name   = var.logging_bucket_name

  kms_key_id    = aws_kms_key.s3_replica-us-west-2-key.key_id
  sse_algorithm = var.sse_algorithm
}

module "s3" {
  source                = "git@github.com:xxxx"
  name                  = "s3"
  logging_bucket_prefix = "s3"
  versioning            = var.versioning
  bucket_logging        = var.bucket_logging
  logging_bucket_name   = var.logging_bucket_name

  kms_key_id    = aws_kms_key.s3.key_id
  sse_algorithm = var.sse_algorithm

  replication_configuration = {
    role = aws_iam_role.s3_replication.arn

    rules = [
      {
        prefix = ""
        status = "Enabled"

        destination = {
          bucket             = module.s3_replica.bucket_arn
          replica_kms_key_id = aws_kms_alias.s3_replica-us-west-2-key.arn
          storage_class      = "STANDARD_IA"
        }
      }
    ]

    source_selection_criteria = {
      sse_kms_encrypted_objects = {
        enabled = true
      }
    }
  }
}

Part of the replication configuration block in the module I am using is:

dynamic "replication_configuration" {
  for_each = length(keys(var.replication_configuration)) == 0 ? [] : [var.replication_configuration]

  content {
    role = replication_configuration.value.role

    dynamic "rules" {
      for_each = replication_configuration.value.rules

      content {
        # rules.value is the current rule object; lookup() needs a map, not the whole rules list
        id       = lookup(rules.value, "id", null)
        priority = lookup(rules.value, "priority", null)
        prefix   = lookup(rules.value, "prefix", null)
        status   = lookup(rules.value, "status", null)

        dynamic "destination" {
          for_each = length(keys(lookup(rules.value, "destination", {}))) == 0 ? [] : [lookup(rules.value, "destination", {})]

          content {
            bucket             = lookup(destination.value, "bucket", null)
            storage_class      = lookup(destination.value, "storage_class", null)
            replica_kms_key_id = lookup(destination.value, "replica_kms_key_id", null)
            account_id         = lookup(destination.value, "account_id", null)
          }
        }

        # read from the rule object, so the caller must nest it inside each rule
        dynamic "source_selection_criteria" {
          for_each = length(keys(lookup(rules.value, "source_selection_criteria", {}))) == 0 ? [] : [lookup(rules.value, "source_selection_criteria", {})]

          content {
            dynamic "sse_kms_encrypted_objects" {
              for_each = length(keys(lookup(source_selection_criteria.value, "sse_kms_encrypted_objects", {}))) == 0 ? [] : [lookup(source_selection_criteria.value, "sse_kms_encrypted_objects", {})]

              content {
                enabled = sse_kms_encrypted_objects.value.enabled
              }
            }
          }
        }
      }
    }
  }
}

Now, when I run terraform init, it works. When I run terraform plan, it also works.

Here is the plan:

# module.s3.aws_s3_bucket.s3_bucket will be updated in-place
  ~ resource "aws_s3_bucket" "s3_bucket" {
        acl                         = "bucket-owner-full-control"
        arn                         = "arn:aws:s3:::xxx"
        bucket                      = "xxxxx"
        id                          = "xxxxx"
        region                      = "us-east-1"
        request_payer               = "BucketOwner"

        cors_rule {
            allowed_headers = [
                "*",
            ]
            allowed_methods = [
                "GET",
                "PUT",
            ]
            allowed_origins = [
                "*",
            ]
            expose_headers  = [
                "Accept-Ranges",
                "Content-Range",
                "Content-Encoding",
                "Content-Length",
            ]
            max_age_seconds = 0
        }

        logging {
            target_bucket = "xxx-us-east-1-s3-logging"
            target_prefix = "xx"
        }

      + replication_configuration {
          + role = "arn:aws:iam::xxx:role/s3-bucket-replication"

          + rules {
              + status = "Enabled"

              + destination {
                  + bucket             = "arn:aws:s3:::xxx-replica-us-west-2"
                  + replica_kms_key_id = "arn:aws:kms:us-west-2:xxxs3_replica_us_west_2_key"
                  + storage_class      = "STANDARD_IA"
                }
            }
        }

        server_side_encryption_configuration {
            rule {
                apply_server_side_encryption_by_default {
                    kms_master_key_id = "xxxx"
                    sse_algorithm     = "aws:kms"
                }
            }
        }

        versioning {
            enabled    = true
            mfa_delete = false
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

But when I run terraform apply, it gives me the following error:

Error: Error putting S3 replication configuration: InvalidRequest: SseKmsEncryptedObjects must be specified if EncryptionConfiguration is present.
        status code: 400

  on .terraform/modules/s3/main.tf line 210, in resource "aws_s3_bucket" "s3_bucket":
 210: resource "aws_s3_bucket" "s3_bucket" {
How do I fix this, and what does the error mean?

【Question discussion】:

    Tags: amazon-web-services amazon-s3 syntax terraform terraform-provider-aws


    【Solution 1】:

    I think the problem is that in your replication_configuration, source_selection_criteria is defined outside rules. Therefore, inside your dynamic "rules" there is no source_selection_criteria option.

    You could try the following (just as an example; it may still need some tweaking):

    module "s3" {
      source                = "git@github.com:xxxx"
      name                  = "s3"
      logging_bucket_prefix = "s3"
      versioning            = var.versioning
      bucket_logging        = var.bucket_logging
      logging_bucket_name   = var.logging_bucket_name

      kms_key_id    = aws_kms_key.s3.key_id
      sse_algorithm = var.sse_algorithm

      replication_configuration = {
        role = aws_iam_role.s3_replication.arn

        rules = [
          {
            prefix = ""
            status = "Enabled"

            destination = {
              bucket             = module.s3_replica.bucket_arn
              replica_kms_key_id = aws_kms_alias.s3_replica-us-west-2-key.arn
              storage_class      = "STANDARD_IA"
            }

            source_selection_criteria = {
              sse_kms_encrypted_objects = {
                enabled = true
              }
            }
          }
        ]
      }
    }
    

    【Discussion】:

    • @mgb I see your solution is exactly the same as mine :-) Anyway, if the problem is solved, please accept one of the answers to mark the question as resolved.
    【Solution 2】:

    I fixed it by changing replication_configuration in s3.tf to:

    replication_configuration = {
      role = aws_iam_role.s3_replication.arn

      rules = [
        {
          id     = "all"
          prefix = ""
          status = "Enabled"

          source_selection_criteria = {
            sse_kms_encrypted_objects = {
              enabled = true
            }
          }

          destination = {
            bucket             = module.s3_replica2.bucket_arn
            replica_kms_key_id = aws_kms_alias.s3_replica_us_west_2_key.arn
            storage_class      = "STANDARD_IA"
          }
        }
      ]
    }
    

    【Discussion】:
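A stand-alone version of the corrected configuration, added here as an example (it is not code from the question or from the module it uses), using the provider v3 inline replication_configuration form seen in the plan output above (provider v4 and later put the same settings in the aws_s3_bucket_replication_configuration resource). It assumes aws_s3_bucket.replica, aws_kms_key.source, aws_kms_key.replica and aws_iam_role.replication are defined elsewhere, and adds the KMS permissions the replication role needs for SSE-KMS objects, which the question's snippets do not show.

```hcl
# Added example, not the question's or its module's code (provider v3 schema,
# inline replication_configuration as in the plan output above).
# The role must decrypt with the source key and re-encrypt with the replica
# key; otherwise S3 accepts the config but replication of SSE-KMS objects fails.
data "aws_iam_policy_document" "replication" {
  statement {
    actions   = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
    resources = [aws_s3_bucket.source.arn]
  }
  statement {
    actions = ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
      "s3:GetObjectVersionTagging"]
    resources = ["${aws_s3_bucket.source.arn}/*"]
  }
  statement {
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    resources = ["${aws_s3_bucket.replica.arn}/*"]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.source.arn] # source-region key (assumed name)
  }
  statement {
    actions   = ["kms:Encrypt"]
    resources = [aws_kms_key.replica.arn] # replica-region key (assumed name)
  }
}

resource "aws_s3_bucket" "source" {
  bucket = "example-source-bucket" # placeholder
  versioning { enabled = true }    # replication requires versioning
  replication_configuration {
    role = aws_iam_role.replication.arn
    rules {
      id     = "all-sse-kms"
      status = "Enabled"
      prefix = ""
      # Inside the rule, beside destination: the SseKmsEncryptedObjects element
      # the apply error reports missing once replica_kms_key_id is set.
      source_selection_criteria {
        sse_kms_encrypted_objects { enabled = true }
      }
      destination {
        bucket             = aws_s3_bucket.replica.arn
        storage_class      = "STANDARD_IA"
        replica_kms_key_id = aws_kms_key.replica.arn
      }
    }
  }
}
```

Attach the policy document to aws_iam_role.replication with an aws_iam_role_policy; the destination key's own key policy must also allow that role to encrypt, or replication fails on the replica side.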
