【发布时间】:2021-12-27 08:49:42
【问题描述】:
我正在尝试改造和导入现有的日志存储桶。 HCL 代码如下所示,是生产中的完整副本:
locals {
bucket_name = "log-bucket-${var.environment}-${var.region}"
}
module "bucket" {
source = "git@github.com:mycompany/s3-bucket-module?ref=1.0.5"
name = local.bucket_name
log_bucket = local.bucket_name
bucket_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "AllowSSLRequestsOnly",
"Effect" : "Deny",
"Principal" : "*",
"Action" : "s3:*",
"Resource" : [*],
"Condition" : {
"Bool" : {
"aws:SecureTransport" : "false"
}
}
}
]
})
grant = [
{
id = data.aws_canonical_user_id.current_user.id
type = "CanonicalUser"
permissions = ["FULL_CONTROL"]
},
{
type = "Group"
uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
permissions = ["READ_ACP", "WRITE"]
},
]
lifecycle_rules = [
{
id = "log"
enabled = true
prefix = "log/"
tags = {
"rule" = "log"
"autoclean" = "true"
}
transition = [
{
days = 30
storage_class = "STANDARD_IA"
},
{
days = 60
storage_class = "GLACIER"
}
]
expiration = {
days = 90
}
}
]
}
使用terraform import ... 导入存储桶并制定地形计划后,我得到以下更改:
# module.s3-bucket-module.module.bucket.aws_s3_bucket.bucket will be updated in-place
~ resource "aws_s3_bucket" "bucket" {
+ acl = "private"
+ force_destroy = false
id = "mycompany-log-bucket-myenvironment-myregion"
tags = {}
# (8 unchanged attributes hidden)
# (6 unchanged blocks hidden)
}
基于这个计划,terraform 想要执行两件事:
+ acl = "private"
+ force_destroy = false
但这些是默认值,我从未明确更改过。我想我想说的是,实际上它似乎并没有改变任何东西,而是明确地设置了默认值。
这让我很困惑,因为它是一个生产桶,所以我想在申请之前征求你的意见。为什么会出现那两个“变化”?
【问题讨论】:
-
嗨,我猜 Terraform github.com/hashicorp/terraform-provider-aws/issues/6193 有问题。我会尝试在我的 s3 存储桶资源中专门传递这些变量,然后再次导入它,看看它是否会改变它们。
-
“acl”属性与“grant”属性冲突。必须定义两者之一
-
仅供参考,明确设置
force_destroy = false并没有抑制 terraform 警告 -
这些是 API 的默认值,但不是 UI 的默认值。假设这个存储桶是在控制台中创建的,那么这就解释了为什么提供者试图进行这些更改。
-
@bembas 考虑阅读答案,您可能会感兴趣
标签: amazon-web-services amazon-s3 terraform acl terraform-provider-aws