我试图使从地形注册表的例子工作,但有一个现有的桶(s3XXXprod0)。我几天前已经申请了这个,但是在库存桶上仍然没有看到paquet文件。不确定我做错了什么,或者做什么来调试它。库存桶被创建,并且在应用config时没有出现错误消息:
provider "aws" {
profile = "default"
region = "us-east-2"
}
data "aws_s3_bucket" "s3XXXprod0" {
bucket = "mybucketXXX-prod0"
}
resource "aws_s3_bucket" "inventory" {
bucket = "mybucketXXX-prod0-inventory"
}
resource "aws_s3_bucket_inventory" "s3inventory" {
bucket = data.aws_s3_bucket.s3XXXprod0.id
name = "EntireBucketDaily"
included_object_versions = "All"
schedule {
frequency = "Daily"
}
destination {
bucket {
format = "Parquet"
bucket_arn = aws_s3_bucket.inventory.arn
}
}
}
编辑:几天后,没有看到拼花文件,消息上了
Amazon S3>桶比;mybucketXXX-prod0祝辞管理比;库存配置;最后导出为:
2022-07-19的库存导出失败,因为S3没有访问目标桶或KMS密钥的权限。请目标存储桶或KMS密钥的所有者授予必要的访问权限,然后重试
原始桶是在无服务器框架上创建的,这就是多供应商的美妙之处。因此,如果在Terraform中有这样做的方法,这是首选,尽管我不确定这里的最佳实践。我只需要知道在哪里创建这个策略-它是一个桶策略还是ACL?(或两者)。谢谢,m .
好的,我在github上找到了这篇文章。多亏了Bryant Biggs,我现在知道terrraform文档中缺少了这个政策。以下是我的看法:
resource "aws_s3_bucket_policy" "allow_access_policy" {
bucket = aws_s3_bucket.inventory.id
policy = data.aws_iam_policy_document.allow_access_policy.json
}
data "aws_iam_policy_document" "allow_access_policy" {
statement {
principals {
type = "Service"
identifiers = ["s3.amazonaws.com"]
}
actions = [
"s3:PutObject",
]
resources = [
aws_s3_bucket.inventory.arn,
"${aws_s3_bucket.inventory.arn}/*",
]
condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}
condition {
test = "StringEquals"
variable = "aws:SourceAccount"
values = ["XXXXXXXX"]
}
condition {
test = "ArnLike"
variable = "aws:SourceArn"
values = ["${data.aws_s3_bucket.s3XXXprod0.arn}"]
}
}
}
今天应用,明天见。
编辑:它的工作原理!库存桶现在有拼花文件了。