无法使用 terraform 创建 elasticSearch 域
Cannot create elasticSearch Domain using terraform
我正在尝试使用 terraform 创建 elasticsearch 集群。
使用 terraform 0.11.13
有人能指出为什么我无法创建日志组吗?什么是资源访问策略?它与我正在创建的数据“aws_iam_policy_document”相同吗?
注意:我使用的是 elasticsearch_version = "7.9"
代码:
resource "aws_cloudwatch_log_group" "search_test_log_group" {
name = "/aws/aes/domains/test-es7/index-logs"
}
resource "aws_elasticsearch_domain" "amp_search_test_es7" {
domain_name = "es7"
elasticsearch_version = "7.9"
.....
log_publishing_options {
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.search_test_log_group.arn}"
log_type = "INDEX_SLOW_LOGS"
enabled = true
}
access_policies = "${data.aws_iam_policy_document.elasticsearch_policy.json}"
}
data "aws_iam_policy_document" "elasticsearch_policy" {
version = "2012-10-17"
statement {
effect = "Allow"
principals {
identifiers = ["*"]
type = "AWS"
}
actions = ["es:*"]
resources = ["arn:aws:es:us-east-1:xxx:domain/test_es7/*"]
}
statement {
effect = "Allow"
principals {
identifiers = ["es.amazonaws.com"]
type = "Service"
}
actions = [
"logs:PutLogEvents",
"logs:PutLogEventsBatch",
"logs:CreateLogStream",
]
resources = ["arn:aws:logs:*"]
}
}
我遇到了这个错误
aws_elasticsearch_domain.test_es7: Error creating ElasticSearch domain: ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group /aws/aes/domains/test-es7/index-logs does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream. Please check the Resource Access Policy.
要使 ElasticSearch (ES) 能够写入 CloudWatch (CW) Logs,您必须在 CW 日志上提供 resource-based 策略。
这是使用您的代码中缺少的 aws_cloudwatch_log_resource_policy 实现的。
事实上,TF 文档有一个现成的示例,说明如何为 ES 执行此操作,因此您应该能够复制并粘贴它。
ES access policies 与 CW 日志策略不同,因为它们决定谁可以在您的 ES 域上做什么。因此,您必须调整代码的那部分以满足您的要求。
我正在尝试使用 terraform 创建 elasticsearch 集群。
使用 terraform 0.11.13
有人能指出为什么我无法创建日志组吗?什么是资源访问策略?它与我正在创建的数据“aws_iam_policy_document”相同吗?
注意:我使用的是 elasticsearch_version = "7.9"
代码:
resource "aws_cloudwatch_log_group" "search_test_log_group" {
name = "/aws/aes/domains/test-es7/index-logs"
}
resource "aws_elasticsearch_domain" "amp_search_test_es7" {
domain_name = "es7"
elasticsearch_version = "7.9"
.....
log_publishing_options {
cloudwatch_log_group_arn = "${aws_cloudwatch_log_group.search_test_log_group.arn}"
log_type = "INDEX_SLOW_LOGS"
enabled = true
}
access_policies = "${data.aws_iam_policy_document.elasticsearch_policy.json}"
}
data "aws_iam_policy_document" "elasticsearch_policy" {
version = "2012-10-17"
statement {
effect = "Allow"
principals {
identifiers = ["*"]
type = "AWS"
}
actions = ["es:*"]
resources = ["arn:aws:es:us-east-1:xxx:domain/test_es7/*"]
}
statement {
effect = "Allow"
principals {
identifiers = ["es.amazonaws.com"]
type = "Service"
}
actions = [
"logs:PutLogEvents",
"logs:PutLogEventsBatch",
"logs:CreateLogStream",
]
resources = ["arn:aws:logs:*"]
}
}
我遇到了这个错误
aws_elasticsearch_domain.test_es7: Error creating ElasticSearch domain: ValidationException: The Resource Access Policy specified for the CloudWatch Logs log group /aws/aes/domains/test-es7/index-logs does not grant sufficient permissions for Amazon Elasticsearch Service to create a log stream. Please check the Resource Access Policy.
要使 ElasticSearch (ES) 能够写入 CloudWatch (CW) Logs,您必须在 CW 日志上提供 resource-based 策略。
这是使用您的代码中缺少的 aws_cloudwatch_log_resource_policy 实现的。
事实上,TF 文档有一个现成的示例,说明如何为 ES 执行此操作,因此您应该能够复制并粘贴它。
ES access policies 与 CW 日志策略不同,因为它们决定谁可以在您的 ES 域上做什么。因此,您必须调整代码的那部分以满足您的要求。