Terraform - Updating S3 Access Control: Question on replacing acl with grant

I have an S3 bucket that is used as an access logging bucket.

Here is my current module and resource TF code:

module "access_logging_bucket" {
    source = "../../resources/s3_bucket"
    environment = "${var.environment}"
    region = "${var.region}"
    acl = "log-delivery-write"

    encryption_key_alias = "alias/ab-data-key"

    name = "access-logging"
    name_tag = "Access logging bucket"
}

resource "aws_s3_bucket" "default" {
    bucket = "ab-${var.environment}-${var.name}-${random_id.bucket_suffix.hex}"
    acl = "${var.acl}"

    depends_on = [data.template_file.dependencies]

    tags = {
        name = "${var.name_tag}"
        . . .
    }

    lifecycle {
        ignore_changes = [ "server_side_encryption_configuration" ]
    }
}

In my case the default value of the variable acl is variable "acl" { default = "private" }, and, as described in the Terraform S3 bucket attribute reference doc, for this bucket it is set to log-delivery-write.

I want to update it to add the following grants and remove acl, since the two conflict with each other:

grant {
    permissions = ["READ_ACP", "WRITE"]
    type = "Group"
    uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
}
grant {
    id = data.aws_canonical_user_id.current.id
    permissions = ["FULL_CONTROL"]
    type = "CanonicalUser"
}

My questions are:

  1. Does removing the acl attribute and adding the grants above still keep the correct access control on the bucket? That is, is the grant configuration still suitable for using it as an access logging bucket?
  2. If I remove acl from the resource configuration, it becomes the default value private. Is that the right approach, or should I set it to null or something similar?

While checking some documentation on the Log Delivery group, I found the following, which made me think I could go ahead and replace acl with the grants I mentioned:

Log Delivery group – Represented by http://acs.amazonaws.com/groups/s3/LogDelivery . WRITE permission on a bucket enables this group to write server access logs (see Amazon S3 server access logging) to the bucket. When using ACLs, a grantee can be an AWS account or one of the predefined Amazon S3 groups.

Based on the grant-log-delivery-permissions-general doc, I went ahead and ran terraform apply.

On the first run it correctly set the Bucket owner permission but removed the S3 log delivery group. So I ran terraform plan again, and it showed the acl grant diff below. I think it most likely updated the acl value first, which removed the log delivery group's grant.

So I re-ran terraform apply; it worked fine and corrected the Log Delivery group.

  # module.buckets.module.access_logging_bucket.aws_s3_bucket.default will be updated in-place
  ~ resource "aws_s3_bucket" "default" {
        acl                         = "private"
        bucket                      = "ml-mxs-stage-access-logging-9d8e94ff"
        force_destroy               = false
        . . .
        tags                        = {
            "name"                                = "Access logging bucket"
            . . .
        }

      + grant {
          + permissions = [
              + "READ_ACP",
              + "WRITE",
            ]
          + type        = "Group"
          + uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
        }
      + grant {
          + id          = "ID_VALUE"
          + permissions = [
              + "FULL_CONTROL",
            ]
          + type        = "CanonicalUser"
        }
        . . .
    }

Plan: 0 to add, 1 to change, 0 to destroy.
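As an added example (not part of the original question or the module shown above), the following Python check verifies that a bucket ACL is equivalent to the canned log-delivery-write ACL: the bucket owner holds FULL_CONTROL and the LogDelivery group holds WRITE and READ_ACP. It assumes the ACL is in the dict shape returned by boto3's s3.get_bucket_acl; no AWS calls are made, and the two sample ACLs (the state after the second apply, and the owner-only state left by the first apply) are constructed.

```python
# Added example (not the question's own code): check that an S3 bucket ACL, in the
# dict shape boto3's s3.get_bucket_acl returns, is equivalent to the canned
# "log-delivery-write" ACL: owner FULL_CONTROL, LogDelivery group WRITE + READ_ACP.
# No AWS calls are made; the sample ACLs below are constructed.

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
REQUIRED_LOG_DELIVERY = {"WRITE", "READ_ACP"}


def permissions_by_grantee(acl):
    """Collapse Grants into {('Group', uri) | ('CanonicalUser', id): set(perms)}."""
    perms = {}
    for grant in acl.get("Grants", []):
        g = grant["Grantee"]
        key = ("Group", g.get("URI")) if g.get("Type") == "Group" else ("CanonicalUser", g.get("ID"))
        perms.setdefault(key, set()).add(grant["Permission"])
    return perms


def check_log_delivery_acl(acl):
    """Return a list of problems; an empty list means the ACL matches log-delivery-write."""
    problems = []
    perms = permissions_by_grantee(acl)
    if "FULL_CONTROL" not in perms.get(("CanonicalUser", acl["Owner"]["ID"]), set()):
        problems.append("bucket owner lacks FULL_CONTROL")
    missing = REQUIRED_LOG_DELIVERY - perms.get(("Group", LOG_DELIVERY_URI), set())
    if missing:
        problems.append("LogDelivery group missing " + ", ".join(sorted(missing)))
    # Grants to any other predefined group (AllUsers, AuthenticatedUsers) are wider
    # than log-delivery-write and are flagged.
    for (kind, ident), p in perms.items():
        if kind == "Group" and ident != LOG_DELIVERY_URI:
            problems.append(f"unexpected group grant to {ident}: {sorted(p)}")
    return problems


def _grant(grantee, permission):
    return {"Grantee": grantee, "Permission": permission}


OWNER = {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID"}  # constructed id
LOG_DELIVERY = {"Type": "Group", "URI": LOG_DELIVERY_URI}
# Constructed: ACL after the second apply (equivalent to log-delivery-write).
ACL_GOOD = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    _grant(OWNER, "FULL_CONTROL"), _grant(LOG_DELIVERY, "WRITE"), _grant(LOG_DELIVERY, "READ_ACP")]}
# Constructed: ACL after the first apply, where only the owner grant survived.
ACL_OWNER_ONLY = {"Owner": {"ID": OWNER["ID"]}, "Grants": [_grant(OWNER, "FULL_CONTROL")]}

if __name__ == "__main__":
    for name, acl in (("good", ACL_GOOD), ("owner-only", ACL_OWNER_ONLY)):
        print(name, check_log_delivery_acl(acl) or "OK")
```

Running it against a live bucket only requires passing the result of get_bucket_acl(Bucket=...) to check_log_delivery_acl; an empty list means the grants match what the canned ACL would have produced.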