Terraform, ElasticSearch: Error: InvalidTypeException: Error setting policy
I want to attach the following access policy to ElasticSearch:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "${resource_arn}/*"
    }
  ]
}
I added the line iam_role_arns = ["*"], but I get the following error:
module.elasticsearch.aws_elasticsearch_domain_policy.default[0]: Creating...
Error: InvalidTypeException: Error setting policy:
The code is as follows:
module "elasticsearch" {
  source                         = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.24.1"
  security_groups                = [data.terraform_remote_state.vpc.outputs.default_security_group_id]
  vpc_id                         = data.terraform_remote_state.vpc.outputs.vpc_id
  zone_awareness_enabled         = var.zone_awareness_enabled
  subnet_ids                     = slice(data.terraform_remote_state.vpc.outputs.private_subnets, 0, 2)
  elasticsearch_version          = var.elasticsearch_version
  instance_type                  = var.instance_type
  instance_count                 = var.instance_count
  encrypt_at_rest_enabled        = var.encrypt_at_rest_enabled
  dedicated_master_enabled       = var.dedicated_master_enabled
  create_iam_service_linked_role = var.create_iam_service_linked_role
  kibana_subdomain_name          = var.kibana_subdomain_name
  ebs_volume_size                = var.ebs_volume_size
  dns_zone_id                    = var.dns_zone_id
  kibana_hostname_enabled        = var.kibana_hostname_enabled
  domain_hostname_enabled        = var.domain_hostname_enabled
  allowed_cidr_blocks            = ["0.0.0.0/0"]
  iam_role_arns                  = ["*"]
  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }
  context = module.this.context
}
Your ES domain is in a VPC, so you cannot create an open access policy like this. As noted in a comment in the terraform-aws-elasticsearch source code, the open access policy only applies to IP ranges and non-VPC ES domains:
This statement is for non VPC ES to allow anonymous access from whitelisted IP ranges without requests signing
For completeness, using
allowed_cidr_blocks = ["0.0.0.0/0"]
iam_role_arns = ["*"]
should not cause a policy error. In fact, it should produce the following (I tested it on my ES domain):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*",
          "arn:aws:iam::xxxx:role/es-name"
        ]
      },
      "Resource": [
        "arn:aws:es:us-east-1:xxxxx:domain/es-name/*",
        "arn:aws:es:us-east-1:xxxx:domain/es-name"
      ]
    }
  ]
}
You may be applying jsonencode to the JSON policy file when passing it to the module; if so, try passing the policy file directly without any encoding.
For example: file("policy.json")
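The two causes raised in the answers above (an anonymous "*" principal on a VPC domain, and a policy string that was run through jsonencode one time too many) can both be caught before terraform apply. The following pre-apply check is an added example, not code from the question, the answers or the cloudposse module; the domain ARN and account id in the sample policy are constructed placeholders, and whether the domain is in a VPC is passed in as a flag.

```python
import json

# Constructed sample: the policy from the question with resource_arn already
# interpolated (placeholder account id and domain name, not real values).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-es/*",
    }],
})

# Constructed sample: the same document after an extra jsonencode() pass,
# i.e. what the module receives from jsonencode(file("policy.json")).
DOUBLE_ENCODED_POLICY = json.dumps(OPEN_POLICY)


def normalize_policy(raw):
    """Parse a policy document, unwrapping JSON-in-a-string layers.
    Returns (parsed_policy, number_of_extra_encoding_layers)."""
    doc = json.loads(raw)
    layers = 0
    while isinstance(doc, str):      # a string, not an object: one encoding too many
        doc = json.loads(doc)
        layers += 1
    return doc, layers


def policy_findings(raw, vpc_domain):
    """Return the problems a reviewer would flag for this domain policy."""
    doc, layers = normalize_policy(raw)
    findings = []
    if layers:
        findings.append(f"policy is string-encoded {layers} extra time(s); "
                        'pass file("policy.json") without jsonencode()')
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may omit the list
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws and "Condition" not in st:
            findings.append(f"statement {i}: anonymous principal on a VPC domain; open "
                            "policies are only accepted for non-VPC domains" if vpc_domain
                            else f"statement {i}: anonymous principal without a Condition "
                            "grants unauthenticated es:* access")
    return findings
```

Run it against the rendered policy from terraform plan with vpc_domain set to match the module's vpc_id setting; an empty list means neither of the two problems above is present.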