Updating a bucket created in a Terraform file results in a BucketAlreadyOwnedByYou error

trh*_*h88 7 terraform terraform-provider-aws

I need to add a policy to a bucket I previously created in a Terraform file.

However, this errors with

Error creating S3 bucket: BucketAlreadyOwnedByYou: Your previous request to create the named bucket succeeded and you already own it.

How do I modify the .tf file so that it creates the bucket and then updates it?

resource "aws_s3_bucket" "bucket" {
  bucket = "my-new-bucket-123"
  acl    = "public-read"

  region = "eu-west-1"

  website {
    index_document = "index.html"
  }
}

data "aws_iam_policy_document" "s3_bucket_policy_document" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.bucket.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket" "s3_bucket_policy" {
  bucket = "${aws_s3_bucket.bucket.bucket}"
  policy = "${data.aws_iam_policy_document.s3_bucket_policy_document.json}"
}

yda*_*coR 3

You should use the aws_s3_bucket_policy resource to add a bucket policy to an existing S3 bucket:

resource "aws_s3_bucket" "b" {
  bucket = "my_tf_test_bucket"
}

resource "aws_s3_bucket_policy" "b" {
  bucket = "${aws_s3_bucket.b.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "MYBUCKETPOLICY",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
      }
    }
  ]
}
POLICY
}

But if you are doing all of this at the same time, it may be worth inlining the policy into the original aws_s3_bucket resource, like this:

locals {
  bucket_name = "my-new-bucket-123"
}

resource "aws_s3_bucket" "bucket" {
  bucket = "${local.bucket_name}"
  acl    = "public-read"
  policy = "${data.aws_iam_policy_document.s3_bucket_policy_document.json}"

  region = "eu-west-1"

  website {
    index_document = "index.html"
  }
}

data "aws_iam_policy_document" "s3_bucket_policy_document" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

This builds the S3 ARN manually in the bucket policy to avoid a potential cycle error when trying to reference the arn output of the aws_s3_bucket resource.

If you created the bucket without a policy (by applying Terraform without the policy resource), then adding the policy argument to the aws_s3_bucket resource will cause Terraform to detect drift, and the plan will show an update to the bucket that adds the policy.

It may also be worth noting that the canned ACL set via acl on the aws_s3_bucket resource overlaps with your policy and is unnecessary. You can use either a policy or a canned ACL to allow everyone to read your S3 bucket, but the public-read ACL additionally allows anonymous listing of your bucket contents, much like an old-fashioned Apache directory listing, which is not what most people want.
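As an added check that is not part of the answer above or of Terraform itself, the following Python audits the overlap the answer warns about: given a bucket policy document and a canned ACL, it reports which S3 actions end up granted to anonymous callers, so the extra listing permission of public-read is visible before apply. The canned-ACL mapping, the sample policy and the helper names are assumptions constructed for this example.

```python
import fnmatch
import json

# Assumed mapping of canned ACLs to what they grant the AllUsers group on the
# bucket itself: public-read gives READ on the bucket, i.e. the right to list it.
CANNED_ACL_ANON = {
    "private": set(),
    "public-read": {"s3:ListBucket"},
    "public-read-write": {"s3:ListBucket", "s3:PutObject", "s3:DeleteObject"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "Principal": "*" and {"AWS": "*"} both mean anyone, including unauthenticated.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_actions(policy_json, acl="private"):
    """Action patterns granted to anonymous callers by policy plus canned ACL.
    Simplifications: statements with a Condition (like the aws:SourceIp deny in
    the answer) are skipped because their effect depends on the request, and
    Resource scoping (bucket ARN vs. object ARN) is not checked."""
    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if "Condition" in stmt or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow":
            granted |= actions
        elif stmt.get("Effect") == "Deny":  # an unconditional Deny narrows the grant
            granted = {g for g in granted if not any(fnmatch.fnmatch(g, d) for d in actions)}
    return granted | CANNED_ACL_ANON.get(acl, set())

def allows(granted, action):
    """True if any granted pattern (e.g. s3:* or s3:Get*) covers `action`."""
    return any(fnmatch.fnmatch(action, pattern) for pattern in granted)

def anonymous_listing(policy_json, acl):
    return allows(anonymous_actions(policy_json, acl), "s3:ListBucket")

# Constructed sample: the GetObject-only policy from the question.
READ_OBJECTS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-new-bucket-123/*"}]})

if __name__ == "__main__":
    for acl in ("public-read", "private"):
        print(acl, "-> anonymous listing:", anonymous_listing(READ_OBJECTS_POLICY, acl))
```

Run against the question's configuration it reports listing as allowed only because of acl = "public-read"; dropping the ACL leaves just the s3:GetObject grant the policy intends.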