CDK ElasticSearch: setting the accessPolicies property causes the stack to fail


❯ cdk --version
1.122.0 (build ae09c16)

My definition looks like this:

new DomainProps
{
    Version = ElasticsearchVersion.V7_10,
    DomainName = domainName,
    Vpc = Context.Network.VPC,
    VpcSubnets = new SubnetSelection[]
    {
        new SubnetSelection() { Subnets = subnets.ToArray() }
    },
    ZoneAwareness = new ZoneAwarenessConfig { Enabled = true, AvailabilityZoneCount = subnets.Count },
    RemovalPolicy = RemovalPolicy.DESTROY,
    EnableVersionUpgrade = true,
    EnforceHttps = true,
    EncryptionAtRest = new EncryptionAtRestOptions
    {
        Enabled = true,
    },
    Capacity = new CapacityConfig
    {
        DataNodeInstanceType = "t3.medium.elasticsearch",
        DataNodes = 2
    },
    // Domain resource policy; removing this block makes the deployment succeed.
    AccessPolicies = new PolicyStatement[]
    {
        new PolicyStatement(new PolicyStatementProps
        {
            Effect = Effect.ALLOW,
            Principals = new IPrincipal[] { new AnyPrincipal() },
            Actions = new string[] { "es:*" },
            // C# interpolation uses {expr}, not ${expr}; the latter emits a literal '$' into the ARN.
            Resources = new string[] { $"arn:aws:es:{Context.Scope.Region}:{Context.Scope.Account}:domain/{domainName}/*" }
        })
    },
    SecurityGroups = new ISecurityGroup[]
    {
        Context.Network.AddSecurityGroup(new SecurityGroupInfo
        {
            Name = "ESAccess",
            Props = new SecurityGroupProps
            {
                SecurityGroupName = $"{Context.SegmentName} ElasticSearch Access",
                Description = "Allow https access to ES from within the network",
                AllowAllOutbound = true
            },
            IngressRules = new IngressRule[]
            {
                new IngressRule { From = 443, Description = "Allow HTTPS Access" }
            }
        })
    }
}

When I run it, it gives: Received response status [FAILED] from custom resource. Message returned: UnauthorizedOperation: Elasticsearch must be authorized to describe subnets

But when I remove the accessPolicies property entirely, it completes normally. Of course, my client then gets "User: anonymous is not authorized to perform: es:ESHttpGet", which is reasonable since no access policy is set.

What do I have to do to appease this beast?

I ran into the same problem. It seems there is a bug in the service-linked role (SLR). In today's test, 2021-09-16, there were no more problems. You can also refer to this GitHub issue.
