S3复制Terraform加密应用错误



我正在尝试在 Terraform 中配置跨区域的 S3 复制。

我的主 s3.tf 的一部分如下:

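# Customer-managed KMS key that encrypts replicated objects in the
# us-west-2 replica bucket (referenced by module "s3_replica" below).
resource "aws_kms_key" "s3_replica-us-west-2-key" {
  description = "S3 master key replica us-west-2"

  # A 30-day pending-deletion window leaves time to notice and cancel an
  # accidental scheduled deletion before the replicated data becomes unreadable.
  deletion_window_in_days = 30

  # Native bool rather than the string "true": Terraform 0.12 converts the
  # string, but the bool is the documented form and avoids the implicit conversion.
  enable_key_rotation = true
}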
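# Replica bucket in us-west-2; the module is bound to the aliased provider so
# the bucket is created in the destination region.
module "s3_replica" {
  source = "git@github.com:xxx"

  # Provider alias reference. The unquoted form replaces the deprecated quoted
  # string ("aws.us-west-2") that Terraform 0.12 warns about.
  providers = {
    aws = aws.us-west-2
  }

  name                  = "s3_replica"
  logging_bucket_prefix = "s3_replica"
  versioning            = var.versioning
  bucket_logging        = var.bucket_logging
  logging_bucket_name   = var.logging_bucket_name

  # Objects in the replica bucket are encrypted with the us-west-2 key declared above.
  kms_key_id    = aws_kms_key.s3_replica-us-west-2-key.key_id
  sse_algorithm = var.sse_algorithm
}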
# Source bucket (us-east-1 according to the plan output further down) with
# cross-region replication to module.s3_replica.
module "s3" {
  source                = "git@github.com:xxxx"
  name                  = "s3"
  logging_bucket_prefix = "s3"
  versioning            = var.versioning
  bucket_logging        = var.bucket_logging
  logging_bucket_name   = var.logging_bucket_name
  kms_key_id    = aws_kms_key.s3.key_id
  sse_algorithm = var.sse_algorithm
  replication_configuration = {
    # NOTE(review): the policy of aws_iam_role.s3_replication is not shown here.
    # Because the rule replicates SSE-KMS objects, that role presumably needs
    # permission to decrypt with the source key and encrypt with the replica
    # key — confirm against the role definition.
    role = aws_iam_role.s3_replication.arn
    rules = [
      {
        prefix = ""
        status = "Enabled"
        destination = {
          bucket = module.s3_replica.bucket_arn
          # Replicas are re-encrypted with the us-west-2 key (alias ARN).
          replica_kms_key_id = aws_kms_alias.s3_replica-us-west-2-key.arn
          storage_class = "STANDARD_IA"
        }
      }
    ]
    # BUG: this block sits at the replication_configuration level, but the
    # module's dynamic "rules" block (shown below) only reads
    # source_selection_criteria from each individual rule. Here it is ignored,
    # so the request carries an EncryptionConfiguration (replica_kms_key_id)
    # without SseKmsEncryptedObjects and S3 rejects it with the 400 shown
    # later. It belongs inside the rule map above.
    source_selection_criteria = {
      sse_kms_encrypted_objects = {
        enabled = true
      }
    }
  }
}

在我使用的模块中,复制配置块的一部分如下:

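# Emits the bucket's replication_configuration only when the caller passed a
# non-empty map. Each nested block is likewise emitted only when its map is
# present, so a rule without destination / source_selection_criteria renders
# nothing for that block.
dynamic "replication_configuration" {
  for_each = length(keys(var.replication_configuration)) == 0 ? [] : [var.replication_configuration]
  content {
    role = replication_configuration.value.role

    dynamic "rules" {
      for_each = replication_configuration.value.rules
      content {
        # Read the per-rule attributes from the iterator (rules.value). The
        # original read them from replication_configuration.value.rules, which
        # is the whole list of rules rather than the current rule; the
        # destination block below already uses rules.value.
        id       = lookup(rules.value, "id", null)
        priority = lookup(rules.value, "priority", null)
        prefix   = lookup(rules.value, "prefix", null)
        status   = lookup(rules.value, "status", null)

        dynamic "destination" {
          for_each = length(keys(lookup(rules.value, "destination", {}))) == 0 ? [] : [lookup(rules.value, "destination", {})]
          content {
            bucket        = lookup(destination.value, "bucket", null)
            storage_class = lookup(destination.value, "storage_class", null)
            # When set, replicas are re-encrypted with this key. S3 then also
            # requires sse_kms_encrypted_objects on the same rule (see the
            # "SseKmsEncryptedObjects must be specified" error in the question).
            replica_kms_key_id = lookup(destination.value, "replica_kms_key_id", null)
            account_id         = lookup(destination.value, "account_id", null)
          }
        }

        # Selects SSE-KMS objects for replication. Read from rules.value, so
        # callers must place source_selection_criteria inside each rule, not
        # at the replication_configuration level.
        dynamic "source_selection_criteria" {
          for_each = length(keys(lookup(rules.value, "source_selection_criteria", {}))) == 0 ? [] : [lookup(rules.value, "source_selection_criteria", {})]
          content {
            dynamic "sse_kms_encrypted_objects" {
              for_each = length(keys(lookup(source_selection_criteria.value, "sse_kms_encrypted_objects", {}))) == 0 ? [] : [lookup(source_selection_criteria.value, "sse_kms_encrypted_objects", {})]
              content {
                enabled = sse_kms_encrypted_objects.value.enabled
              }
            }
          }
        }
      }
    }
  }
}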
}

现在,当我运行 terraform init 时,它是有效的。当我运行 terraform plan 时,它也是有效的。

以下是 terraform plan 的输出:
# module.s3.aws_s3_bucket.s3_bucket will be updated in-place
~ resource "aws_s3_bucket" "s3_bucket" {
acl                         = "bucket-owner-full-control"
arn                         = "arn:aws:s3:::xxx"
bucket                      = "xxxxx"
id                          = "xxxxx"
region                      = "us-east-1"
request_payer               = "BucketOwner"
}
cors_rule {
allowed_headers = [
"*",
]
allowed_methods = [
"GET",
"PUT",
]
allowed_origins = [
"*",
]
expose_headers  = [
"Accept-Ranges",
"Content-Range",
"Content-Encoding",
"Content-Length",
]
max_age_seconds = 0
}
logging {
target_bucket = "xxx-us-east-1-s3-logging"
target_prefix = "xx"
}
+ replication_configuration {
+ role = "arn:aws:iam::xxx:role/s3-bucket-replication"
+ rules {
+ status = "Enabled"
+ destination {
+ bucket             = "arn:aws:s3:::xxx-replica-us-west-2"
+ replica_kms_key_id = "arn:aws:kms:us-west-2:xxxs3_replica_us_west_2_key"
+ storage_class      = "STANDARD_IA"
}
}
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "xxxx"
sse_algorithm     = "aws:kms"
}
}
}
versioning {
enabled    = true
mfa_delete = false
}
}
Plan: 0 to add, 1 to change, 0 to destroy.

但当我运行 terraform apply 时,它给出了以下错误:

Error: Error putting S3 replication configuration: InvalidRequest: SseKmsEncryptedObjects must be specified if EncryptionConfiguration is present.
status code: 400
on .terraform/modules/s3/main.tf line 210, in resource "aws_s3_bucket" "s3_bucket":
210: resource "aws_s3_bucket" "s3_bucket" {
如何解决此问题?这个错误是什么意思?

我认为问题在于,在您的 replication_configuration 中,source_selection_criteria 定义在 rules 之外。因此,在您的 dynamic "rules" 块中,并没有 source_selection_criteria 这个选项可读。

你可以尝试以下写法(仅作示例,可能仍需一些调整):

# Same module call as in the question, with source_selection_criteria moved
# inside the rule so the module's dynamic "rules" block can read it.
module "s3" {
  source = "git@github.com:xxxx"

  name                  = "s3"
  logging_bucket_prefix = "s3"
  versioning            = var.versioning
  bucket_logging        = var.bucket_logging
  logging_bucket_name   = var.logging_bucket_name

  kms_key_id    = aws_kms_key.s3.key_id
  sse_algorithm = var.sse_algorithm

  replication_configuration = {
    role = aws_iam_role.s3_replication.arn

    rules = [
      {
        prefix = ""
        status = "Enabled"

        # Per-rule selection of SSE-KMS objects; required by S3 whenever the
        # destination sets replica_kms_key_id.
        source_selection_criteria = {
          sse_kms_encrypted_objects = {
            enabled = true
          }
        }

        destination = {
          bucket             = module.s3_replica.bucket_arn
          replica_kms_key_id = aws_kms_alias.s3_replica-us-west-2-key.arn
          storage_class      = "STANDARD_IA"
        }
      }
    ]
  }
}

我通过将 s3.tf 中的 replication_configuration 更改为以下内容修复了此错误:

# Working replication_configuration: a single named rule that replicates
# SSE-KMS objects and re-encrypts them with the us-west-2 key at the destination.
replication_configuration = {
  role = aws_iam_role.s3_replication.arn

  rules = [
    {
      id     = "all"
      prefix = ""
      status = "Enabled"

      destination = {
        bucket             = module.s3_replica2.bucket_arn
        replica_kms_key_id = aws_kms_alias.s3_replica_us_west_2_key.arn
        storage_class      = "STANDARD_IA"
      }

      # Placed inside the rule, where the module's dynamic "rules" block reads it.
      source_selection_criteria = {
        sse_kms_encrypted_objects = {
          enabled = true
        }
      }
    }
  ]
}
}
