Terraform import of an S3 module not working as expected



After enabling WORM on one of our AWS S3 buckets, Terraform no longer lets me deploy any changes to it, because it already exists.

For context, we have a remote state in S3, but that is not the affected bucket, and we are using the terraform-aws-modules/s3-bucket/aws module for our S3 buckets.

The command I originally ran was

terraform -chdir=infrastructure/wazuh_app/resources import -config=../resources -var-file=../config/stage/terraform.tfvars "module.wazuh_app.module.wazuh_log_archive.module.bucket.aws_s3_bucket.this[0]" [BUCKET NAME]

but on running it I got the error:

error creating S3 Bucket ([BUCKET NAME]): BucketAlreadyOwnedByYou: Your previous request to create the named bucket succeeded and you already own it.

So I removed it from the state and tried to re-import it by running the command above and the command below:

terraform -chdir=infrastructure/wazuh_app/resources state rm module.wazuh_app.module.wazuh_log_archive.module.bucket.aws_s3_bucket.this[0]

However, after trying to apply the changes again, I got the bucket-creation error again.

As mentioned, here is the code used at the wazuh_log_archive level:
module "bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.3.0"

  bucket        = "${var.name_prefix}-${var.log_bucket_name}"
  acl           = "private"
  force_destroy = true

  versioning = {
    enabled = true
  }

  server_side_encryption_configuration = {
    rule = {
      bucket_key_enabled = true
      apply_server_side_encryption_by_default = {
        kms_master_key_id = module.kms_wazuh_archive_key.key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  lifecycle_rule = [
    {
      id      = "[ID]"
      enabled = true
      expiration = {
        days = var.s3_retention_period
      }
    }
  ]
}

# Object Lock (WORM) is configured on the bucket created by the module above.
resource "aws_s3_bucket_object_lock_configuration" "worm_configuration" {
  bucket = module.bucket.s3_bucket_id

  rule {
    default_retention {
      mode = "GOVERNANCE"
      days = var.worm_retention
    }
  }

  # The Object Lock token is read from SSM only when the variable asks for it.
  token = var.token_required ? data.aws_ssm_parameter.worm_token.value : null
}

data "aws_ssm_parameter" "worm_token" {
  name = "/${var.name_prefix}-${var.log_bucket_name}/worm-token"
}

In the parent module it is called like this:

module "wazuh_log_archive" {
  source = "[wazuh_log_archive SOURCE]"

  log_bucket_name     = var.log_bucket_name
  name_prefix         = var.name_prefix
  namespace           = var.namespace
  retention_period    = var.retention_period
  s3_retention_period = var.s3_retention_period
  worm_retention      = var.worm_retention
  token_required      = var.token_required

  depends_on = [
    module.wazuh_shared_resources
  ]
}

module "wazuh_app" {
  source = "[wazuh_app SOURCE]"

  worm_retention = var.worm_retention
  token_required = var.token_required
}

I'm at a loss. I know I'm importing the correct bucket, and I know I'm removing the correct bucket from the state, because I've verified it through the output of terraform apply and the state list option.

Does anyone know what it might be?

The problem is not an import problem.

After running some tests, I found that every time I ran an apply, Terraform was trying to recreate my S3 bucket. This made no sense, because nothing in the Terraform source code had changed between its first deployment and its current state.

After looking at the Terraform output for a while and trying to change the Terraform at different levels of the codebase, I found the problem...

# module.wazuh_app.module.wazuh_log_archive.module.bucket.aws_s3_bucket.this[0] must be replaced
+/- resource "aws_s3_bucket" "this" {
+ acceleration_status         = (known after apply)
+ acl                         = (known after apply)
~ arn                         = "[BUCKET ARN]" -> (known after apply)
~ bucket_domain_name          = "[BUCKET DOMAIN NAME]" -> (known after apply)
~ bucket_regional_domain_name = "[BUCKET REGIONAL DOMAIN NAME]" -> (known after apply)
+ force_destroy               = true
~ hosted_zone_id              = "[ID]" -> (known after apply)
~ id                          = "[BUCKET ID]" -> (known after apply)
~ object_lock_enabled         = true -> false # forces replacement
+ policy                      = (known after apply)
~ region                      = "eu-west-1" -> (known after apply)
~ request_payer               = "BucketOwner" -> (known after apply)
- tags                        = {} -> null
+ website_domain              = (known after apply)
+ website_endpoint            = (known after apply)
# (2 unchanged attributes hidden)

The huge amount of Terraform log produced meant I had missed one small line in the output, and that line was:

~ object_lock_enabled         = true -> false # forces replacement

What the aws_s3_bucket module documentation does not make clear is that once a WORM token has been added to a bucket, an additional parameter must be added to the module so that it remembers, on future deployments, that it uses WORM. However, this parameter is not required in the deployment that associates the token with the bucket.

Not only is this not mentioned, it is also somewhat illogical, because the bucket has object_lock_configuration defined for it, which is the necessary step to enable WORM on an already existing bucket on the initial redeploy. This slight inconsistency is quite frustrating.

The overall conclusion is that I missed one line in the terraform deployment output and paid for it with several hours of lost work.
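Since the whole problem came down to one "# forces replacement" line buried in a long plan, a small plan gate is the practical defence against repeating it: for a bucket holding WORM-protected logs, a forced replacement means destroying the bucket, so the check should fail before anyone reaches `apply`. The script below is an added example, not code from the original post or from the terraform-aws-modules project. It scans the text output of `terraform plan -no-color` (as it would be captured in a CI step), collects every resource address Terraform says "must be replaced" together with the attributes marked "# forces replacement", and returns a non-zero exit code if any are found. The function names and the sample plan text (built from the excerpt above with its placeholders kept) are constructed for this example.

```python
"""Gate on `terraform plan` text: fail when any resource is being replaced.

Added example (not part of the original post). Assumes the plan was captured
with `terraform plan -no-color` so the lines look like:
    # module.x.aws_s3_bucket.this[0] must be replaced
    ~ object_lock_enabled = true -> false # forces replacement
"""
import re
import sys
from typing import Dict, List

# Block header that announces a destroy-and-recreate of one resource.
_REPLACE_HEADER = re.compile(r"^\s*#\s+(?P<address>\S+)\s+must be replaced\b")
# Any other resource header ("will be created", "will be updated in-place", ...)
# ends the block we are currently reading.
_OTHER_HEADER = re.compile(r"^\s*#\s+\S+\s+(must be|will be)\b")
# Attribute line inside a block that Terraform tags as the cause of replacement.
_FORCING_ATTR = re.compile(
    r"^\s*[~+\-]\s+(?P<attr>[A-Za-z0-9_.\[\]\"]+)\s*=.*#\s*forces replacement"
)


def find_forced_replacements(plan_text: str) -> Dict[str, List[str]]:
    """Map each replaced resource address to the attributes that force it.

    A resource that "must be replaced" is recorded even if no attribute line
    carries the marker, so the gate never passes a replacement silently.
    """
    found: Dict[str, List[str]] = {}
    current = None  # address of the "must be replaced" block being read
    for line in plan_text.splitlines():
        header = _REPLACE_HEADER.match(line)
        if header:
            current = header.group("address")
            found[current] = []
            continue
        if _OTHER_HEADER.match(line):
            current = None  # left the replacement block
            continue
        if current is None:
            continue
        attr = _FORCING_ATTR.match(line)
        if attr:
            found[current].append(attr.group("attr"))
    return found


def plan_has_forced_replacement(plan_text: str) -> bool:
    """True if at least one resource would be destroyed and recreated."""
    return bool(find_forced_replacements(plan_text))


def replacement_report(plan_text: str) -> str:
    """Human-readable summary, one line per replaced resource."""
    lines = []
    for address, attrs in find_forced_replacements(plan_text).items():
        cause = ", ".join(attrs) if attrs else "(no attribute marked)"
        lines.append(f"REPLACEMENT: {address} <- {cause}")
    return "\n".join(lines)


# Constructed sample: the bucket block from the post (placeholders kept) plus a
# harmless in-place update that the gate must ignore.
SAMPLE_PLAN = """\
  # module.wazuh_app.module.wazuh_log_archive.module.bucket.aws_s3_bucket.this[0] must be replaced
+/- resource "aws_s3_bucket" "this" {
      + acceleration_status         = (known after apply)
      ~ arn                         = "[BUCKET ARN]" -> (known after apply)
      + force_destroy               = true
      ~ object_lock_enabled         = true -> false # forces replacement
      - tags                        = {} -> null
        # (2 unchanged attributes hidden)
    }

  # module.wazuh_app.module.wazuh_log_archive.module.bucket.aws_s3_bucket_versioning.this[0] will be updated in-place
  ~ resource "aws_s3_bucket_versioning" "this" {
      ~ versioning_configuration {
          ~ status = "Suspended" -> "Enabled"
        }
    }
"""

if __name__ == "__main__":
    # Usage in CI:  terraform plan -no-color | python plan_gate.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    report = replacement_report(text)
    if report:
        print(report, file=sys.stderr)
        sys.exit(1)
    print("plan gate: no forced replacements")
```

Run it on the sample and it exits 1 with `REPLACEMENT: module.wazuh_app....aws_s3_bucket.this[0] <- object_lock_enabled`, which is exactly the line that was missed; in a pipeline, pipe the plan into it and let the failing exit code block the apply step. Parsing `terraform show -json` would be more robust than regexes over text, but the text form is what the post shows and what most people read.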
