The Terraform aws provider recently added support for AWS Config Conformance Packs (here), with the resource named aws_config_conformance_pack. It works with either its template_body or template_s3_uri parameter. However, when the template contains remediations and terraform apply is run again, it raises an error. Here is a snippet from the trace-level log:
-----------------------------------------------------: timestamp=2021-03-18T19:09:54.280+0500
2021-03-18T19:09:54.281+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:09:54 [DEBUG] [aws-sdk-go] {"ConformancePackStatusDetails":[{"ConformancePackArn":"arn:aws:config:us-east-1:888507318922:conformance-pack/config-rules/conformance-pack-enosqtnho","ConformancePackId":"conformance-pack-enosqtnho","ConformancePackName":"config-rules","ConformancePackState":"CREATE_IN_PROGRESS","LastUpdateRequestedTime":1.616076485394E9}]}: timestamp=2021-03-18T19:09:54.280+0500
2021-03-18T19:09:54.281+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:09:54 [TRACE] Waiting 10s before next try: timestamp=2021-03-18T19:09:54.280+0500
2021/03/18 19:09:56 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:09:56 [TRACE] dag/walk: vertex "root" is waiting for "provider[\"registry.terraform.io/hashicorp/aws\"] (close)"
2021/03/18 19:09:56 [TRACE] dag/walk: vertex "meta.count-boundary (EachMode fixup)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:10:01 [TRACE] dag/walk: vertex "meta.count-boundary (EachMode fixup)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:10:01 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:10:01 [TRACE] dag/walk: vertex "root" is waiting for "provider[\"registry.terraform.io/hashicorp/aws\"] (close)"
2021-03-18T19:10:04.284+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:04 [DEBUG] [aws-sdk-go] DEBUG: Request config/DescribeConformancePackStatus Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: config.us-east-1.amazonaws.com
User-Agent: aws-sdk-go/1.37.24 (go1.16; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.13.5 (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws)
Content-Length: 41
Authorization: AWS4-HMAC-SHA256 Credential=AKIA45XZJYKFL3OPHJR7/20210318/us-east-1/config/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=6736b332ec580a08ce5968621bc9a4d4c16239c96799723fbb0abf0c608bdac8
Content-Type: application/x-amz-json-1.1
X-Amz-Date: 20210318T141004Z
X-Amz-Target: StarlingDoveService.DescribeConformancePackStatus
Accept-Encoding: gzip
{"ConformancePackNames":["config-rules"]}
-----------------------------------------------------: timestamp=2021-03-18T19:10:04.284+0500
2021-03-18T19:10:05.392+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:05 [DEBUG] [aws-sdk-go] DEBUG: Response config/DescribeConformancePackStatus Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 478
Content-Type: application/x-amz-json-1.1
Date: Thu, 18 Mar 2021 14:10:05 GMT
Strict-Transport-Security: max-age=86400
X-Amzn-Requestid: e525c4df-6dc0-47e0-abc8-7a123f0667be
-----------------------------------------------------: timestamp=2021-03-18T19:10:05.391+0500
2021-03-18T19:10:05.392+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:05 [DEBUG] [aws-sdk-go] {"ConformancePackStatusDetails":[{"ConformancePackArn":"arn:aws:config:us-east-1:888507318922:conformance-pack/config-rules/conformance-pack-enosqtnho","ConformancePackId":"conformance-pack-enosqtnho","ConformancePackName":"config-rules","ConformancePackState":"CREATE_FAILED","ConformancePackStatusReason":"An internal error has occurred in the service. Please try again at a later time.","LastUpdateCompletedTime":1.616076603702E9,"LastUpdateRequestedTime":1.616076485394E9}]}: timestamp=2021-03-18T19:10:05.392+0500
2021/03/18 19:10:05 [DEBUG] aws_config_conformance_pack.config_rules: apply errored, but we're indicating that via the Error pointer rather than returning it: error waiting for Config Conformance Pack (config-rules) to be created: An internal error has occurred in the service. Please try again at a later time.
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalMaybeTainted
2021/03/18 19:10:05 [TRACE] EvalMaybeTainted: aws_config_conformance_pack.config_rules encountered an error during creation, so it is now marked as tainted
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalWriteState
2021/03/18 19:10:05 [TRACE] EvalWriteState: recording 3 dependencies for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] EvalWriteState: writing current state object for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalApplyProvisioners
2021/03/18 19:10:05 [TRACE] EvalApplyProvisioners: aws_config_conformance_pack.config_rules is tainted, so skipping provisioning
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalMaybeTainted
2021/03/18 19:10:05 [TRACE] EvalMaybeTainted: aws_config_conformance_pack.config_rules was already tainted, so nothing to do
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalWriteState
2021/03/18 19:10:05 [TRACE] EvalWriteState: recording 3 dependencies for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] EvalWriteState: writing current state object for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalIf
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalIf
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalWriteDiff
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalApplyPost
2021/03/18 19:10:05 [ERROR] eval: *terraform.EvalApplyPost, err: error waiting for Config Conformance Pack (config-rules) to be created: An internal error has occurred in the service. Please try again at a later time.
2021/03/18 19:10:05 [ERROR] eval: *terraform.EvalSequence, err: error waiting for Config Conformance Pack (config-rules) to be created: An internal error has occurred in the service. Please try again at a later time.
2021/03/18 19:10:05 [TRACE] [walkApply] Exiting eval tree: aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] vertex "aws_config_conformance_pack.config_rules": visit complete
2021/03/18 19:10:05 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2021/03/18 19:10:05 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" errored, so skipping
2021/03/18 19:10:05 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: have already backed up original terraform.tfstate to terraform.tfstate.backup on a previous write
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 366
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2021-03-18T19:10:05.417+0500 [WARN] plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-03-18T19:10:05.428+0500 [DEBUG] plugin: plugin process exited: path=.terraform/plugins/registry.terraform.io/hashicorp/aws/3.32.0/linux_amd64/terraform-provider-aws_v3.32.0_x5 pid=78208
2021-03-18T19:10:05.428+0500 [DEBUG] plugin: plugin exited
Here is the sample template:
Parameters:
  allowedTcpPorts:
    Default: "80, 443"
    Type: String
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      MaximumExecutionFrequency: Six_Hours
  S3BucketPublicReadProhibitedRemediation:
    DependsOn: S3BucketPublicReadProhibited
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      ResourceType: "AWS::S3::Bucket"
      TargetId: "AWS-DisableS3BucketPublicReadWrite"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        S3BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
      ExecutionControls:
        SsmControls:
          ConcurrentExecutionRatePercentage: 10
          ErrorPercentage: 10
      Automatic: True
      MaximumAutomaticAttempts: 10
      RetryAttemptSeconds: 600
  DefaultSecurityGroupClosed:
    Properties:
      ConfigRuleName: DefaultSecurityGroupClosed
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::VPC
      Source:
        Owner: AWS
        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
    Type: AWS::Config::ConfigRule
  DefaultSecurityGroupClosedRemediation:
    DependsOn: DefaultSecurityGroupClosed
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: DefaultSecurityGroupClosed
      ResourceType: AWS::EC2::SecurityGroup
      TargetId: AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules
      TargetType: SSM_DOCUMENT
      TargetVersion: 1
      Parameters:
        GroupId:
          ResourceValue:
            Value: "RESOURCE_ID"
        AutomationAssumeRole:
          StaticValue:
            Values: ["arn:aws:iam::888507318922:role/aws-service-role/remediation.config.amazonaws.com/AWSServiceRoleForConfigRemediation"]
      Automatic: True
      MaximumAutomaticAttempts: 2
      RetryAttemptSeconds: 60
  VpcSgOpenOnlyToAuthorizedPorts:
    Properties:
      ConfigRuleName: VpcSgOpenOnlyToAuthorizedPorts
      InputParameters:
        authorizedTcpPorts:
          Fn::If:
            - allowedTcpPorts
            - Ref: allowedTcpPorts
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
    Type: AWS::Config::ConfigRule
Conditions:
  allowedTcpPorts:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: allowedTcpPorts
This template works fine when the remediation resources S3BucketPublicReadProhibitedRemediation and DefaultSecurityGroupClosedRemediation are removed from it.
Versions currently in use:
- Terraform: v0.13.5
- terraform-provider-aws: v3.32.0
I am trying to follow all the AWS and Terraform documentation related to this. Does it look like I am doing something wrong here? Any help would be appreciated.
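The remediation wiring the question turns on, as an added example that is not part of the original post: a Python checker that cross-references each AWS::Config::RemediationConfiguration in a conformance pack template with the AWS::Config::ConfigRule it names, which is the first thing to verify when a pack only fails once remediations are included. It assumes the template has already been parsed into a dict (the reduced one below is constructed from the question's template) and flags wiring inconsistencies only; it does not diagnose the service-side error shown in the log.

```python
# Added example, not from the original post: cross-check every
# AWS::Config::RemediationConfiguration in a conformance pack template against
# the AWS::Config::ConfigRule it names. The template dict is a constructed,
# reduced version of the one in the question (Parameters, Source etc. omitted).
TEMPLATE = {"Resources": {
    "S3BucketPublicReadProhibited": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "ConfigRuleName": "S3BucketPublicReadProhibited",
        "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]}}},
    "S3BucketPublicReadProhibitedRemediation": {
        "Type": "AWS::Config::RemediationConfiguration", "DependsOn": "S3BucketPublicReadProhibited",
        "Properties": {"ConfigRuleName": "S3BucketPublicReadProhibited", "ResourceType": "AWS::S3::Bucket"}},
    "DefaultSecurityGroupClosed": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "ConfigRuleName": "DefaultSecurityGroupClosed",
        "Scope": {"ComplianceResourceTypes": ["AWS::EC2::VPC"]}}},
    "DefaultSecurityGroupClosedRemediation": {
        "Type": "AWS::Config::RemediationConfiguration", "DependsOn": "DefaultSecurityGroupClosed",
        "Properties": {"ConfigRuleName": "DefaultSecurityGroupClosed", "ResourceType": "AWS::EC2::SecurityGroup"}},
}}

def check_remediations(template):
    """Return findings (strings); empty means every remediation names an existing
    rule, depends on it, and targets a resource type that rule is scoped to."""
    resources = template.get("Resources", {})
    # ConfigRuleName -> (logical id, ComplianceResourceTypes) for each rule.
    rules = {}
    for logical_id, res in resources.items():
        if res.get("Type") == "AWS::Config::ConfigRule":
            props = res.get("Properties", {})
            scope = props.get("Scope", {}).get("ComplianceResourceTypes", [])
            rules[props.get("ConfigRuleName")] = (logical_id, scope)
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::Config::RemediationConfiguration":
            continue
        props = res.get("Properties", {})
        name = props.get("ConfigRuleName")
        if name not in rules:
            findings.append(f"{logical_id}: no ConfigRule named {name!r} in this template")
            continue
        rule_id, scope = rules[name]
        deps = res.get("DependsOn", [])
        deps = [deps] if isinstance(deps, str) else deps  # DependsOn may be scalar or list
        if rule_id not in deps:
            findings.append(f"{logical_id}: DependsOn should include {rule_id}")
        rtype = props.get("ResourceType")
        if scope and rtype not in scope:
            findings.append(f"{logical_id}: ResourceType {rtype} not in rule scope {scope}")
    return findings
```

Running it on the reduced template reports only that DefaultSecurityGroupClosedRemediation targets AWS::EC2::SecurityGroup while its rule is scoped to AWS::EC2::VPC; whether that matters for the pack's CREATE_FAILED state is something to confirm against the AWS Config documentation, not something this check decides.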