时间戳

首页 > 解决方案 > Terraform,ElasticSearch:错误:InvalidTypeException:错误设置策略

amazon-web-services - Terraform,ElasticSearch:错误:InvalidTypeException:错误设置策略

问题描述

我想将以下访问策略附加到 ElasticSearch:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "${resource_arn}/*"
    }
  ]
}

我添加了 line iam_role_arns = ["*"],但出现以下错误:

module.elasticsearch.aws_elasticsearch_domain_policy.default[0]:正在创建...
错误:InvalidTypeException:错误设置策略:

这是代码:

module "elasticsearch" {
  source                  = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.24.1"
  security_groups                = [data.terraform_remote_state.vpc.outputs.default_security_group_id]
  vpc_id                         = data.terraform_remote_state.vpc.outputs.vpc_id
  zone_awareness_enabled         = var.zone_awareness_enabled
  subnet_ids                     = slice(data.terraform_remote_state.vpc.outputs.private_subnets, 0, 2)
  elasticsearch_version          = var.elasticsearch_version
  instance_type                  = var.instance_type
  instance_count                 = var.instance_count
  encrypt_at_rest_enabled        = var.encrypt_at_rest_enabled
  dedicated_master_enabled       = var.dedicated_master_enabled
  create_iam_service_linked_role = var.create_iam_service_linked_role
  kibana_subdomain_name          = var.kibana_subdomain_name
  ebs_volume_size                = var.ebs_volume_size
  dns_zone_id                    = var.dns_zone_id
  kibana_hostname_enabled        = var.kibana_hostname_enabled
  domain_hostname_enabled        = var.domain_hostname_enabled
  allowed_cidr_blocks            = ["0.0.0.0/0"]
  iam_role_arns                  = ["*"]
  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }
  context = module.this.context
}

标签: amazon-web-servicesterraformterraform-provider-awsaws-elasticsearch

解决方案

由于您的 ES 域在 VPC 中,因此您无法创建这样的开放访问策略。正如terraform-aws-elasticsearch源代码注释中所解释的,开放访问策略仅适用于 IP 范围和非 VPC ES 域

此声明用于非 VPC ES 允许来自白名单 IP 范围的匿名访问而无需请求签名

只是为了完整性使用

  allowed_cidr_blocks            = ["0.0.0.0/0"]
  iam_role_arns                  = ["*"]

不应导致政策错误。事实上,它应该产生以下内容(我在我的 ES 域上测试过):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*",
          "arn:aws:iam::xxxx:role/es-name"
        ]
      },
      "Resource": [
        "arn:aws:es:us-east-1:xxxxx:domain/es-name/*",
        "arn:aws:es:us-east-1:xxxx:domain/es-name"
      ]
    }
  ]
}

推荐阅读