AWS Elasticsearch is not deleted even if the count variable's value is zero

I am creating Elasticsearch, and I am using a count variable whose value is 0 or 1.

My code:

resource "aws_elasticsearch_domain" "es" {
  count                 = "${var.enable_pipeline_1 ? 1 : 0}"
  domain_name           = "${var.name_prefix}"
  elasticsearch_version = "6.8"

  cluster_config {
    instance_type = "t2.small.elasticsearch"
  }

  vpc_options {
    subnet_ids = [
      "${aws_subnet.selected.id}",
    ]

    security_group_ids = ["${aws_security_group.security_group.id}"]
  }

  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }

  access_policies = <<CONFIG
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "es:*",
            "Principal": "*",
            "Effect": "Allow",
            "Resource": "arn:aws:es:${var.aws_region}:${var.aws_account_id}:domain/${var.name_prefix}/*"
        }
    ]
}
CONFIG

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  tags = {
    Domain = "ES-${var.name_prefix}"
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "standard"
    volume_size = "${var.elasticserch_disk_size}"
  }

  log_publishing_options {
    cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.es_log_resource_policy.arn}"
    log_type                 = "INDEX_SLOW_LOGS"
  }

  depends_on = [
    "aws_iam_service_linked_role.es",
  ]
}

resource "aws_cloudwatch_log_group" "es_log_resource_policy" {
  count = "${var.enable_pipeline_1 ? 1 : 0}"
  name  = "${var.name_prefix}_es_log_group"
}

resource "aws_cloudwatch_log_resource_policy" "es_log_resource_policy" {
  count       = "${var.enable_pipeline_1 ? 1 : 0}"
  policy_name = "${var.name_prefix}_es_log_resource_policy"

  policy_document = <<CONFIG
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": [
        "logs:PutLogEvents",
        "logs:PutLogEventsBatch",
        "logs:CreateLogStream"
      ],
      "Resource": "arn:aws:logs:*"
    }
  ]
}
CONFIG
}

resource "aws_iam_service_linked_role" "es" {
  count            = "${var.enable_pipeline_1 ? 1 : 0}"
  aws_service_name = "es.amazonaws.com"
}

So I now have two problems:

First problem: if I set the count value to zero, then the Elasticsearch domain should be deleted (if it exists), but it is not being deleted.

Second problem: so I manually deleted the domain from the AWS console, and now I want to create the domain, but it errors with:

aws_iam_service_linked_role.es: Error creating service-linked role with name es.amazonaws.com: InvalidInput: Service role name AWSServiceRoleForAmazonElasticsearchService has been taken in this account, please try a different suffix.

I don't understand what is going wrong, can anyone help?

Thanks.

When you create an AWS Elasticsearch domain, AWS automatically creates the service role for you. It is required so that AWS systems can manage the domain that sits in a VPC in your account.

To resolve this, you need to delete the service role manually as described in the documentation. You also need to remember that this role can only be created once per AWS account, so if you want to create another domain using this exact code, you need to remove the aws_iam_service_linked_role resource, since this role already exists in the account. This role is also created automatically when you spin up a new domain using the AWS console.

We solved this by extracting the aws_iam_service_linked_role into a common config directory that is deployed only once per account.
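The layout described above, as an added illustration rather than the answerer's own code: the file paths account/ and pipeline/ are hypothetical, the variable names follow the question, and the syntax is Terraform 0.11 as in the question. It also uses a splat join for the log-group ARN so the reference stays valid when count is 0, a point the answer does not cover.

```hcl
# account/main.tf (hypothetical path): applied once per AWS account.
# The service-linked role can exist only once per account, so it must
# not live in a per-pipeline configuration that is applied repeatedly.
resource "aws_iam_service_linked_role" "es" {
  aws_service_name = "es.amazonaws.com"
}

# pipeline/main.tf (hypothetical path): applied per pipeline, no role here.
variable "enable_pipeline_1" {}
variable "name_prefix" {}

resource "aws_cloudwatch_log_group" "es" {
  count = "${var.enable_pipeline_1 ? 1 : 0}"
  name  = "${var.name_prefix}_es_log_group"
}

resource "aws_elasticsearch_domain" "es" {
  count                 = "${var.enable_pipeline_1 ? 1 : 0}"
  domain_name           = "${var.name_prefix}"
  elasticsearch_version = "6.8"

  cluster_config {
    instance_type = "t2.small.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "standard"
    volume_size = 10
  }

  log_publishing_options {
    # join() over the splat list evaluates to "" when the log group has
    # count 0, so the plan still evaluates (and can destroy the domain)
    # instead of failing on a reference to a resource with no instances.
    cloudwatch_log_group_arn = "${join("", aws_cloudwatch_log_group.es.*.arn)}"
    log_type                 = "INDEX_SLOW_LOGS"
  }
}
```

Apply account/ once per account before any pipeline/ configuration; the pipeline configurations then only toggle the domain and its log group with enable_pipeline_1.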