无法将 EFS 挂载到 Fargate 上的 ECS

Question

尝试将 EFS 挂载到 ECS Fargate，但在执行任务时遇到错误。它看起来好像是一个 IAM 问题，但交叉检查了所有角色并且无法识别问题。还检查了安全组。我允许 2049 端口并将 ecs 安全组附加到它。

“ResourceInitializationError: 未能调用 EFS utils 命令来设置 EFS 卷：stderr: b'mount.nfs4: 挂载 127.0.0.1:/' 时服务器拒绝访问：EFS utils 命令执行不成功；代码：32”

Terraform 0.12 和 Fargate 1.4.0

resource "aws_efs_file_system" efs {
  creation_token   = "${var.prefix}-${var.appName}-ecs"
  encrypted        = true
  kms_key_id       = data.aws_kms_key.efs_kms_key.arn
  performance_mode = var.performance_mode
  throughput_mode  = var.throughput_mode
  tags            = var.tags
}


resource "aws_efs_mount_target" efs_mount {

  count           = length(module.vpc_presets.subnet_ids)
  file_system_id  = aws_efs_file_system.efs.id
  subnet_id       = flatten(module.vpc_presets.subnet_ids)[count.index]
  security_groups = data.terraform_remote_state.remote_state_sg.outputs.efs_sg

}
resource "aws_efs_access_point" this  {
  file_system_id = aws_efs_file_system.efs.id
}

data "template_file" jenkins_container_def {
  template = file("${path.module}/templates/jenkins.json.tpl")

  vars = {
    name                = "${var.prefix}-${var.appName}-${var.env}"
    jenkins_controller_port = var.jenkins_port
    jnlp_port           = var.jnlp_port
    source_volume       = "${var.appName}-efs"
    jenkins_home        = "/var/jenkins_home"
    container_image     = var.image
    region              = var.deployment_region
    account_id          = var.account
    log_group           = data.terraform_remote_state.remote_state_ecs.outputs.logs_name
    memory              = var.jenkins_memory
    cpu                 = var.jenkins_cpu
  }
}


resource "aws_ecs_task_definition" jenkins_controller {
  family = var.appName
  task_role_arn            = data.terraform_remote_state.remote_state_iam.outputs.master_task_arn
  execution_role_arn       = data.terraform_remote_state.remote_state_iam.outputs.jenkins_execution_arn
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = var.jenkins_cpu
  memory                   = var.jenkins_memory
  container_definitions    = data.template_file.jenkins_container_def.rendered

  volume {
    name = "${var.appName}-efs"

    efs_volume_configuration {
      file_system_id     = data.terraform_remote_state.remote_state_efs.outputs.efs_fs_id
      transit_encryption = "ENABLED"

      authorization_config {
        access_point_id = flatten(data.terraform_remote_state.remote_state_efs.outputs.efs_access_point_id)[0]
        iam             = "ENABLED"
      }
    }
  }

  tags = var.tags
}

resource "aws_ecs_service" jenkins_controller {
  name = "${var.prefix}-${var.appName}-controller-service"

  task_definition  = aws_ecs_task_definition.jenkins_controller.arn
  cluster          = data.terraform_remote_state.remote_state_ecs.outputs.ecs_cluster_id
  desired_count    = 1
  launch_type      = "FARGATE"
  platform_version = "1.4.0"

  // Assuming we cannot have more than one instance at a time. Ever.
  deployment_maximum_percent         = 100
  deployment_minimum_healthy_percent = 0


  service_registries {
    registry_arn = aws_service_discovery_service.controller.arn
   }

  load_balancer {
    target_group_arn = data.terraform_remote_state.remote_state_alb.outputs.tg_arn
    container_name   = "${var.prefix}-${var.appName}"
    container_port   = 8080
  }

  network_configuration {
    subnets          = flatten([module.vpc_presets.subnet_ids])

    security_groups  = data.terraform_remote_state.remote_state_sg.outputs.ecs_sg
    assign_public_ip = false
  }
  tags           = var.tags
}

Answer 1

我遇到了一个相关的问题，因为该目录尚未创建，root_directory 中有一个属性允许创建具有适当权限的目录。

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_access_point#creation_info

在示例中我使用 root，但您可以设置另一个 gid。

resource "aws_efs_access_point" this  {
  file_system_id = aws_efs_file_system.efs.id
  root_directory {
    path = "/desired-directory"
    creation_info {
      owner_gid = 0
      owner_uid = 0
      permissions = "755"
    }
  }
}

Answer 2

这是一个 IAM 政策问题。更改政策后问题得到解决。