CDK ElasticSearch: setting the AccessPolicies property causes the stack to fail

Problem description

❯ cdk --version
1.122.0 (build ae09c16)

My definition looks like this:

```csharp
new DomainProps
{
    Version = ElasticsearchVersion.V7_10,
    DomainName = domainName,
    // Place the domain inside the VPC, spread over the selected subnets/AZs
    Vpc = Context.Network.VPC,
    VpcSubnets = new SubnetSelection[]
    {
        new SubnetSelection() { Subnets = subnets.ToArray() }
    },
    ZoneAwareness = new ZoneAwarenessConfig { Enabled = true, AvailabilityZoneCount = subnets.Count },
    RemovalPolicy = RemovalPolicy.DESTROY,
    EnableVersionUpgrade = true,
    EnforceHttps = true,
    EncryptionAtRest = new EncryptionAtRestOptions
    {
        Enabled = true,
    },
    Capacity = new CapacityConfig
    {
        DataNodeInstanceType = "t3.medium.elasticsearch",
        DataNodes = 2
    },
    // Resource-based access policy: any principal may call any es:* action on this domain
    AccessPolicies = new PolicyStatement[]
    {
        new PolicyStatement(new PolicyStatementProps
        {
            Effect = Effect.ALLOW,
            Principals = new IPrincipal[] { new AnyPrincipal() },
            Actions = new string[] { "es:*" },
            // C# interpolation uses {...}; the domain ARN covers all indices/paths of the domain
            Resources = new string[] { $"arn:aws:es:{context.Scope.Region}:{context.Scope.Account}:domain/{domainName}/*" }
        })
    },
    // Security group that lets clients inside the network reach the domain over HTTPS
    SecurityGroups = new ISecurityGroup[]
    {
        Context.Network.AddSecurityGroup(new SecurityGroupInfo
        {
            Name = "ESAccess",
            Props = new SecurityGroupProps
            {
                SecurityGroupName = $"{Context.SegmentName} ElasticSearch Access",
                Description = "Allow https access to ES from within the network",
                AllowAllOutbound = true
            },
            IngressRules = new IngressRule[]
            {
                new IngressRule { From = 443, Description = "Allow HTTPS Access" }
            }
        })
    }
}
```

When I run it, it gives: Received response status [FAILED] from custom resource. Return message: Unauthorized operation: Elasticsearch must be authorized to describe subnets

But when I remove the AccessPolicies property entirely, it completes normally. Of course, my client then gets "User: anonymous is not authorized to perform: es:ESHttpGet", which makes sense since no access policy is set.

What do I have to do to appease this beast?

Tags: aws-cdk

Solution


I ran into the same problem. There seems to be a bug in the service-linked role (SLR). After testing it again today, 16 September 2021, there are no more problems. You can also refer to this GitHub issue.
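As an added example (not code from the question or the answer above), here is a self-contained CDK v1 C# stack that creates the es.amazonaws.com service-linked role a VPC-placed domain needs and makes the domain depend on it, and that scopes the access policy to one named role instead of AnyPrincipal with es:*. The stack and domain names, the readerRole parameter and the private-subnet selection are assumptions.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.EC2;
using Amazon.CDK.AWS.Elasticsearch;
using Amazon.CDK.AWS.IAM;

public class EsDomainStack : Stack
{
    // readerRole: the one IAM role (assumed to exist) that may query the domain
    public EsDomainStack(Construct scope, string id, IVpc vpc, IRole readerRole, IStackProps props = null)
        : base(scope, id, props)
    {
        var domainName = "search-demo"; // assumed domain name

        // Assumption: the "must be authorized to describe subnets" failure is the
        // service-linked role for es.amazonaws.com missing or not yet propagated.
        // Creating it explicitly and ordering the domain after it removes that race.
        // Caveat: this resource fails if the role already exists in the account;
        // in that case drop it and rely on the existing role.
        var slr = new CfnServiceLinkedRole(this, "EsServiceLinkedRole", new CfnServiceLinkedRoleProps
        {
            AwsServiceName = "es.amazonaws.com"
        });

        // Domain ARN with a trailing /* so the statement covers every index and path
        var domainArn = $"arn:aws:es:{Region}:{Account}:domain/{domainName}/*";

        var domain = new Domain(this, "Domain", new DomainProps
        {
            Version = ElasticsearchVersion.V7_10,
            DomainName = domainName,
            Vpc = vpc,
            VpcSubnets = new[] { new SubnetSelection { SubnetType = SubnetType.PRIVATE } },
            EnforceHttps = true,
            NodeToNodeEncryption = true,
            EncryptionAtRest = new EncryptionAtRestOptions { Enabled = true },
            Capacity = new CapacityConfig { DataNodeInstanceType = "t3.medium.elasticsearch", DataNodes = 2 },
            // Least privilege: one named role, read/search actions only, this domain only
            AccessPolicies = new[]
            {
                new PolicyStatement(new PolicyStatementProps
                {
                    Effect = Effect.ALLOW,
                    Principals = new IPrincipal[] { new ArnPrincipal(readerRole.RoleArn) },
                    Actions = new[] { "es:ESHttpGet", "es:ESHttpPost" },
                    Resources = new[] { domainArn }
                })
            }
        });

        // CloudFormation creates the domain only after the service-linked role exists
        domain.Node.AddDependency(slr);
    }
}
```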

