The Terraform aws provider recently added support for AWS Config Conformance Packs (here), with the resource name aws_config_conformance_pack. The pack can be created using either of its arguments, template_body or template_s3_uri. However, when the template contains remediations and terraform apply is run again, it throws an error. Here is a snippet from the trace-level log:

-----------------------------------------------------: timestamp=2021-03-18T19:09:54.280+0500
2021-03-18T19:09:54.281+0500 [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:09:54 [DEBUG] [aws-sdk-go] {"ConformancePackStatusDetails":[{"ConformancePackArn":"arn:aws:config:us-east-1:888507318922:conformance-pack/config-rules/conformance-pack-enosqtnho","ConformancePackId":"conformance-pack-enosqtnho","ConformancePackName":"config-rules","ConformancePackState":"CREATE_IN_PROGRESS","LastUpdateRequestedTime":1.616076485394E9}]}: timestamp=2021-03-18T19:09:54.280+0500
2021-03-18T19:09:54.281+0500 [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:09:54 [TRACE] Waiting 10s before next try: timestamp=2021-03-18T19:09:54.280+0500
2021/03/18 19:09:56 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:09:56 [TRACE] dag/walk: vertex "root" is waiting for "provider[\"registry.terraform.io/hashicorp/aws\"] (close)"
2021/03/18 19:09:56 [TRACE] dag/walk: vertex "meta.count-boundary (EachMode fixup)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:10:01 [TRACE] dag/walk: vertex "meta.count-boundary (EachMode fixup)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:10:01 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:10:01 [TRACE] dag/walk: vertex "root" is waiting for "provider[\"registry.terraform.io/hashicorp/aws\"] (close)"
2021-03-18T19:10:04.284+0500 [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:04 [DEBUG] [aws-sdk-go] DEBUG: Request config/DescribeConformancePackStatus Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: config.us-east-1.amazonaws.com
User-Agent: aws-sdk-go/1.37.24 (go1.16; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.13.5 (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws)
Content-Length: 41
Authorization: AWS4-HMAC-SHA256 Credential=AKIA45XZJYKFL3OPHJR7/20210318/us-east-1/config/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=6736b332ec580a08ce5968621bc9a4d4c16239c96799723fbb0abf0c608bdac8
Content-Type: application/x-amz-json-1.1
X-Amz-Date: 20210318T141004Z
X-Amz-Target: StarlingDoveService.DescribeConformancePackStatus
Accept-Encoding: gzip

{"ConformancePackNames":["config-rules"]}
-----------------------------------------------------: timestamp=2021-03-18T19:10:04.284+0500
2021-03-18T19:10:05.392+0500 [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:05 [DEBUG] [aws-sdk-go] DEBUG: Response config/DescribeConformancePackStatus Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 478
Content-Type: application/x-amz-json-1.1
Date: Thu, 18 Mar 2021 14:10:05 GMT
Strict-Transport-Security: max-age=86400
X-Amzn-Requestid: e525c4df-6dc0-47e0-abc8-7a123f0667be


-----------------------------------------------------: timestamp=2021-03-18T19:10:05.391+0500
2021-03-18T19:10:05.392+0500 [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:05 [DEBUG] [aws-sdk-go] {"ConformancePackStatusDetails":[{"ConformancePackArn":"arn:aws:config:us-east-1:888507318922:conformance-pack/config-rules/conformance-pack-enosqtnho","ConformancePackId":"conformance-pack-enosqtnho","ConformancePackName":"config-rules","ConformancePackState":"CREATE_FAILED","ConformancePackStatusReason":"An internal error has occurred in the service. Please try again at a later time.","LastUpdateCompletedTime":1.616076603702E9,"LastUpdateRequestedTime":1.616076485394E9}]}: timestamp=2021-03-18T19:10:05.392+0500
2021/03/18 19:10:05 [DEBUG] aws_config_conformance_pack.config_rules: apply errored, but we're indicating that via the Error pointer rather than returning it: error waiting for Config Conformance Pack (config-rules) to be created: An internal error has occurred in the service. Please try again at a later time.
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalMaybeTainted
2021/03/18 19:10:05 [TRACE] EvalMaybeTainted: aws_config_conformance_pack.config_rules encountered an error during creation, so it is now marked as tainted
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalWriteState
2021/03/18 19:10:05 [TRACE] EvalWriteState: recording 3 dependencies for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] EvalWriteState: writing current state object for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalApplyProvisioners
2021/03/18 19:10:05 [TRACE] EvalApplyProvisioners: aws_config_conformance_pack.config_rules is tainted, so skipping provisioning
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalMaybeTainted
2021/03/18 19:10:05 [TRACE] EvalMaybeTainted: aws_config_conformance_pack.config_rules was already tainted, so nothing to do
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalWriteState
2021/03/18 19:10:05 [TRACE] EvalWriteState: recording 3 dependencies for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] EvalWriteState: writing current state object for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalIf
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalIf
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalWriteDiff
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalApplyPost
2021/03/18 19:10:05 [ERROR] eval: *terraform.EvalApplyPost, err: error waiting for Config Conformance Pack (config-rules) to be created: An internal error has occurred in the service. Please try again at a later time.
2021/03/18 19:10:05 [ERROR] eval: *terraform.EvalSequence, err: error waiting for Config Conformance Pack (config-rules) to be created: An internal error has occurred in the service. Please try again at a later time.
2021/03/18 19:10:05 [TRACE] [walkApply] Exiting eval tree: aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] vertex "aws_config_conformance_pack.config_rules": visit complete
2021/03/18 19:10:05 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2021/03/18 19:10:05 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" errored, so skipping
2021/03/18 19:10:05 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: have already backed up original terraform.tfstate to terraform.tfstate.backup on a previous write
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 366
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2021-03-18T19:10:05.417+0500 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-03-18T19:10:05.428+0500 [DEBUG] plugin: plugin process exited: path=.terraform/plugins/registry.terraform.io/hashicorp/aws/3.32.0/linux_amd64/terraform-provider-aws_v3.32.0_x5 pid=78208
2021-03-18T19:10:05.428+0500 [DEBUG] plugin: plugin exited

Here is the sample template:

Parameters:
  allowedTcpPorts:
    Default: "80, 443"
    Type: String


Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      Scope:
        ComplianceResourceTypes:
        - "AWS::S3::Bucket"
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      MaximumExecutionFrequency: Six_Hours
  S3BucketPublicReadProhibitedRemediation:
    DependsOn: S3BucketPublicReadProhibited
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      ResourceType: "AWS::S3::Bucket"
      TargetId: "AWS-DisableS3BucketPublicReadWrite"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        S3BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
      ExecutionControls:
        SsmControls:
          ConcurrentExecutionRatePercentage: 10
          ErrorPercentage: 10
      Automatic: True
      MaximumAutomaticAttempts: 10
      RetryAttemptSeconds: 600

  DefaultSecurityGroupClosed:
    Properties:
      ConfigRuleName: DefaultSecurityGroupClosed
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::VPC
      Source:
        Owner: AWS
        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
    Type: AWS::Config::ConfigRule
  DefaultSecurityGroupClosedRemediation:
    DependsOn: DefaultSecurityGroupClosed
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: DefaultSecurityGroupClosed
      ResourceType: AWS::EC2::SecurityGroup
      TargetId: AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules
      TargetType: SSM_DOCUMENT
      TargetVersion: 1
      Parameters:
        GroupId:
          ResourceValue:
            Value: "RESOURCE_ID"
        AutomationAssumeRole:
          StaticValue:
            Values: ["arn:aws:iam::888507318922:role/aws-service-role/remediation.config.amazonaws.com/AWSServiceRoleForConfigRemediation"]
      Automatic: True
      MaximumAutomaticAttempts: 2
      RetryAttemptSeconds: 60

  VpcSgOpenOnlyToAuthorizedPorts:
    Properties:
      ConfigRuleName: VpcSgOpenOnlyToAuthorizedPorts
      InputParameters:
        authorizedTcpPorts:
          Fn::If:
          - allowedTcpPorts
          - Ref: allowedTcpPorts
          - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
        - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
    Type: AWS::Config::ConfigRule


Conditions:
  allowedTcpPorts:
    Fn::Not:
    - Fn::Equals:
      - ''
      - Ref: allowedTcpPorts

This template works fine when the remediation resources S3BucketPublicReadProhibitedRemediation and DefaultSecurityGroupClosedRemediation are removed from it.

Versions currently in use:

  • Terraform: v0.13.5
  • terraform-provider-aws: v3.32.0

I am trying to follow all the documentation in AWS and Terraform related to this. Is there something I am doing wrong here? Any help would be appreciated.

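When a conformance pack apply fails, the useful facts are buried in the aws-sdk-go debug payloads of the trace log: the state transitions the provider's wait loop observed, the service's ConformancePackStatusReason, and how long the service worked on the request before giving up. The script below is an added example, not part of the question or of the Terraform provider; it pulls those fields out of trace-log lines with the Python standard library only. The embedded SAMPLE_TRACE is constructed to match the shape of the log above, with the account id and pack id replaced by placeholders.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample trace lines modelled on the Terraform trace log in the
# question. Account id and conformance pack id are placeholders.
SAMPLE_TRACE = """\
2021-03-18T19:09:54.281+0500 [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:09:54 [DEBUG] [aws-sdk-go] {"ConformancePackStatusDetails":[{"ConformancePackArn":"arn:aws:config:us-east-1:111111111111:conformance-pack/config-rules/conformance-pack-placeholder","ConformancePackId":"conformance-pack-placeholder","ConformancePackName":"config-rules","ConformancePackState":"CREATE_IN_PROGRESS","LastUpdateRequestedTime":1.616076485394E9}]}: timestamp=2021-03-18T19:09:54.280+0500
2021-03-18T19:09:54.281+0500 [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:09:54 [TRACE] Waiting 10s before next try: timestamp=2021-03-18T19:09:54.280+0500
2021-03-18T19:10:04.284+0500 [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:04 [DEBUG] [aws-sdk-go] DEBUG: Request config/DescribeConformancePackStatus Details:
2021-03-18T19:10:05.392+0500 [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:05 [DEBUG] [aws-sdk-go] {"ConformancePackStatusDetails":[{"ConformancePackArn":"arn:aws:config:us-east-1:111111111111:conformance-pack/config-rules/conformance-pack-placeholder","ConformancePackId":"conformance-pack-placeholder","ConformancePackName":"config-rules","ConformancePackState":"CREATE_FAILED","ConformancePackStatusReason":"An internal error has occurred in the service. Please try again at a later time.","LastUpdateCompletedTime":1.616076603702E9,"LastUpdateRequestedTime":1.616076485394E9}]}: timestamp=2021-03-18T19:10:05.392+0500
"""

# The decoded SDK payload sits between "[aws-sdk-go] " and ": timestamp=".
SDK_JSON = re.compile(r"\[aws-sdk-go\] (\{.*\}): timestamp=")


def extract_status_details(trace_text):
    """Yield every ConformancePackStatusDetails entry found in the trace text."""
    for line in trace_text.splitlines():
        match = SDK_JSON.search(line)
        if not match:
            continue  # request/response header dumps and TRACE lines carry no JSON
        try:
            payload = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # a different, non-JSON SDK debug payload
        for detail in payload.get("ConformancePackStatusDetails", []):
            yield detail


def epoch_to_iso(value):
    """Render the SDK's float epoch seconds as an ISO-8601 UTC timestamp."""
    return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()


def summarize(trace_text):
    """Per pack name: distinct state transitions, final state, reason and duration."""
    packs = {}
    for detail in extract_status_details(trace_text):
        name = detail.get("ConformancePackName")
        entry = packs.setdefault(
            name, {"states": [], "reason": None, "requested": None, "completed": None}
        )
        state = detail.get("ConformancePackState")
        if not entry["states"] or entry["states"][-1] != state:
            entry["states"].append(state)  # record transitions, not every poll
        entry["reason"] = detail.get("ConformancePackStatusReason", entry["reason"])
        entry["requested"] = detail.get("LastUpdateRequestedTime", entry["requested"])
        entry["completed"] = detail.get("LastUpdateCompletedTime", entry["completed"])
    for entry in packs.values():
        entry["final_state"] = entry["states"][-1] if entry["states"] else None
        if entry["requested"] is not None and entry["completed"] is not None:
            entry["duration_s"] = round(entry["completed"] - entry["requested"], 1)
        else:
            entry["duration_s"] = None
    return packs


def failed_packs(trace_text):
    """Names of packs whose last observed state is a *_FAILED state."""
    return sorted(
        name
        for name, entry in summarize(trace_text).items()
        if entry["final_state"] and entry["final_state"].endswith("_FAILED")
    )


if __name__ == "__main__":
    for name, entry in summarize(SAMPLE_TRACE).items():
        print(f"{name}: {' -> '.join(entry['states'])}")
        if entry["requested"] is not None:
            print(f"  requested: {epoch_to_iso(entry['requested'])}")
        if entry["completed"] is not None:
            print(f"  completed: {epoch_to_iso(entry['completed'])} ({entry['duration_s']} s)")
        if entry["reason"]:
            print(f"  reason: {entry['reason']}")
```

Run against a real trace log with `summarize(open("trace.log").read())`. On the sample this reports CREATE_IN_PROGRESS -> CREATE_FAILED with the service's own "internal error" reason and a 118.3 s gap between request and completion, which tells you the failure is being reported by AWS Config itself rather than by the provider's timeout. Because the log also shows Terraform marking the resource as tainted, the next apply will try to recreate the pack, so keeping these summaries per run makes it easy to see whether the failure is consistent or intermittent.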