Error: error putting S3 bucket (s3-bucket-master-xxxxxx) logging: CrossLocationLoggingProhibitted: Cross S3 location logging not allowed

Stack Overflow user
Asked 2022-07-12 13:51:57
1 answer, 504 views, 0 followers, 0 votes

I am creating two S3 buckets to hold logs, and I want SRR (same-region replication). Although I am not very familiar with the S3 service, my code works, except for the last step of adding logging to make it tfsec/checkov compliant.

s3.tf

resource "aws_iam_role" "iam_role_replication" {
  name = "tf-iam-role-replication-12345"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

resource "aws_iam_policy" "iam_policy_replication" {
  name = "tf-iam-role-policy-replication-12345"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.s3_bucket_master.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.s3_bucket_master.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.s3_bucket_slave.arn}/*"
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "replication" {
  role       = aws_iam_role.iam_role_replication.name
  policy_arn = aws_iam_policy.iam_policy_replication.arn
}

resource "aws_s3_bucket" "s3_bucket_slave" {
  bucket_prefix = "s3-bucket-slave-"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_slave_sse_config" {
  bucket = aws_s3_bucket.s3_bucket_slave.bucket

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.kms_key.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_versioning" "s3_bucket_slave_versioning" {
  bucket = aws_s3_bucket.s3_bucket_slave.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket" "s3_bucket_master" {
  provider      = aws.apac
  bucket_prefix = "s3-bucket-master-"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_master_sse_config" {
  bucket   = aws_s3_bucket.s3_bucket_master.bucket
  provider = aws.apac
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.kms_key.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_versioning" "s3_bucket_master_versioning" {
  provider = aws.apac

  bucket = aws_s3_bucket.s3_bucket_master.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_replication_configuration" "s3_bucket_master_replication" {
  provider = aws.apac
  # Must have bucket versioning enabled first
  depends_on = [aws_s3_bucket_versioning.s3_bucket_master_versioning]

  role   = aws_iam_role.iam_role_replication.arn
  bucket = aws_s3_bucket.s3_bucket_master.id

  rule {
    id = "foobar"
    delete_marker_replication {
      status = "Disabled"
    }
    filter {
      prefix = "foo"
    }

    status = "Enabled"

    destination {
      bucket        = aws_s3_bucket.s3_bucket_slave.arn
      storage_class = "STANDARD"
    }
  }
}

resource "aws_s3_bucket_acl" "s3_bucket_master_acl" {
  bucket   = aws_s3_bucket.s3_bucket_master.id
  acl      = "private"
  provider = aws.apac
}

resource "aws_s3_bucket_acl" "s3_bucket_slave_acl" {
  bucket = aws_s3_bucket.s3_bucket_slave.id
  acl    = "log-delivery-write"
}
resource "aws_s3_bucket_public_access_block" "s3_bucket_master_public_access" {
  provider                = alias.apac
  bucket                  = aws_s3_bucket.s3_bucket_master.id
  restrict_public_buckets = true
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
}
resource "aws_s3_bucket_public_access_block" "s3_bucket_slave_public_access" {
  bucket                  = aws_s3_bucket.s3_bucket_slave.id
  restrict_public_buckets = true
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
}
resource "aws_s3_bucket_logging" "example" {
  provider = alias.apac
  bucket   = aws_s3_bucket.s3_bucket_master.id

  target_bucket = aws_s3_bucket.s3_bucket_slave.id
  target_prefix = "log/"
}

provider.tf

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.22.0"
    }
    null = {
      source  = "hashicorp/null"
      version = "3.1.1"
    }
    alias = {
      source  = "hashicorp/aws"
      version = "4.22.0"
    }
  }
}
provider "null" {
  # Configuration options
}

# Configure AWS provider:

provider "aws" {
  region = "ap-southeast-2"
}

provider "aws" {
  alias  = "apac"
  region = "ap-southeast-1"
}

kms.tf

resource "aws_kms_key" "kms_key" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

Unfortunately, my error is as follows:

╷
│ Warning: Duplicate required provider
│
│   on provider.tf line 4, in terraform:
│    4:     aws = {
│    5:       source  = "hashicorp/aws"
│    6:       version = "4.22.0"
│    7:     }
│
│ Provider hashicorp/aws with the local name "aws" was previously required as "alias". A provider can only be required once within required_providers.   
│
│ (and one more similar warning elsewhere)
╵
╷
│ Error: error putting S3 bucket (s3-bucket-master-20220712130829925900000001) logging: CrossLocationLoggingProhibitted: Cross S3 location logging not allowed.
│       status code: 403, request id: 85528RE6KMQJDMJM, host id: 3cpcDdHT3Wl442f7L/x3VLCp26wCghaIPTwKKhnWLOmsTW4cSI9f5pFROHr7q4fDLQJMyfNBZIA=
│
│   with aws_s3_bucket_logging.example,
│   on s3.tf line 166, in resource "aws_s3_bucket_logging" "example":
│  166: resource "aws_s3_bucket_logging" "example" {
│
╵

What I am asking the more experienced people for help with is:

  1. Which parts of the code need to be removed for SRR to work, and thereby resolve the error?

  2. Does anyone know how to suppress the warning about the alias?

Note that if I remove this section

    alias = {
      source  = "hashicorp/aws"
      version = "4.22.0"
    }

I get the following error from terraform init:

│ Error: Failed to query available provider packages
│
│ Could not retrieve the list of available versions for provider hashicorp/alias: provider registry registry.terraform.io does not have a provider named 
│ registry.terraform.io/hashicorp/alias
│
│ All modules should specify their required_providers so that external consumers will get the correct providers when using a module. To see which        
│ modules are currently depending on hashicorp/alias, run the following command:
│     terraform providers
╵


terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws] 4.22.0
├── provider[registry.terraform.io/hashicorp/null] 3.1.1
└── provider[registry.terraform.io/hashicorp/alias]

Providers required by state:

    provider[registry.terraform.io/hashicorp/aws]
1 Answer

Stack Overflow user

Accepted answer

Posted 2022-07-12 14:50:00

You do not need to define required_providers twice for the aws block; defining it once is enough:

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.22.0"
    }
    null = {
      source  = "hashicorp/null"
      version = "3.1.1"
    }
  }
}

Then you need to delete the .terraform directory first and re-run terraform init, to make sure you have a clean slate. Finally, since you want SRR rather than CRR, make sure you use either the aliased or the non-aliased provider, not both.

So, you are currently defining one of the buckets as:

resource "aws_s3_bucket" "s3_bucket_slave" {
  bucket_prefix = "s3-bucket-slave-"
}

and the second one as:

resource "aws_s3_bucket" "s3_bucket_master" {
  provider      = aws.apac # <---- note the aliased provider, hence a different region
  bucket_prefix = "s3-bucket-master-"
}

To fix this, either remove the aliased provider from the second bucket or add it to the first one. Since the current configuration uses aws.apac in more places, if the region does not matter, I would suggest adding the aliased provider to the first bucket:

resource "aws_s3_bucket" "s3_bucket_slave" {
  provider      = aws.apac
  bucket_prefix = "s3-bucket-slave-"
}
Votes: 1
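The accepted answer's advice applied end to end, as an added example that is not part of the original question or answer: one required_providers entry, and every resource that the server-access-log delivery touches (both buckets, the logging resource, and the KMS key used for their default encryption) pinned to the same aliased provider, so the buckets are in one region (SRR) and S3 can deliver logs from the master bucket to the slave bucket. Resource names reuse the question's. Two assumptions beyond the answer: the KMS key is also moved under aws.apac, because a bucket's default SSE-KMS key must live in the bucket's own region, and the invalid `provider = alias.apac` references are replaced with `aws.apac`, which is the only form Terraform accepts for an aliased provider configuration.

```hcl
# provider.tf: one required_providers entry per provider. The alias belongs on
# the provider block, not in required_providers (that is what produced the
# "Duplicate required provider" warning and the hashicorp/alias lookup).
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.22.0"
    }
  }
}

provider "aws" {
  region = "ap-southeast-2"
}

provider "aws" {
  alias  = "apac"
  region = "ap-southeast-1"
}

# kms.tf: created under the same aliased provider as the buckets, because an
# S3 default-encryption KMS key has to be in the same region as the bucket.
resource "aws_kms_key" "kms_key" {
  provider                = aws.apac
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

# s3.tf (the resources that changed): the slave bucket and everything attached
# to it now use aws.apac, matching the master bucket.
resource "aws_s3_bucket" "s3_bucket_slave" {
  provider      = aws.apac
  bucket_prefix = "s3-bucket-slave-"
}

resource "aws_s3_bucket_versioning" "s3_bucket_slave_versioning" {
  provider = aws.apac
  bucket   = aws_s3_bucket.s3_bucket_slave.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_slave_sse_config" {
  provider = aws.apac
  bucket   = aws_s3_bucket.s3_bucket_slave.id
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.kms_key.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

# The log target bucket keeps the log-delivery-write ACL so the S3 log
# delivery group can write access logs into it.
resource "aws_s3_bucket_acl" "s3_bucket_slave_acl" {
  provider = aws.apac
  bucket   = aws_s3_bucket.s3_bucket_slave.id
  acl      = "log-delivery-write"
}

resource "aws_s3_bucket_public_access_block" "s3_bucket_slave_public_access" {
  provider                = aws.apac
  bucket                  = aws_s3_bucket.s3_bucket_slave.id
  restrict_public_buckets = true
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
}

resource "aws_s3_bucket_public_access_block" "s3_bucket_master_public_access" {
  provider                = aws.apac # was alias.apac
  bucket                  = aws_s3_bucket.s3_bucket_master.id
  restrict_public_buckets = true
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
}

# Server access logging: source and target bucket are now in the same region
# and account, which is what CrossLocationLoggingProhibitted was enforcing.
resource "aws_s3_bucket_logging" "s3_bucket_master_logging" {
  provider      = aws.apac # was alias.apac
  bucket        = aws_s3_bucket.s3_bucket_master.id
  target_bucket = aws_s3_bucket.s3_bucket_slave.id
  target_prefix = "log/"
}
```

One caveat the question's replication rule does not handle: S3 does not replicate objects encrypted with SSE-KMS unless the rule opts in. With both buckets using `aws:kms` default encryption, the `aws_s3_bucket_replication_configuration` rule needs `source_selection_criteria { sse_kms_encrypted_objects { status = "Enabled" } }`, an `encryption_configuration { replica_kms_key_id = ... }` inside `destination`, and the replication role needs `kms:Decrypt` on the source key and `kms:Encrypt` on the destination key; otherwise the apply succeeds but KMS-encrypted objects silently stay unreplicated.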
Original content provided by Stack Overflow.
Original link:

https://stackoverflow.com/questions/72953483
