S3 bucket - Terraform: Plan shows nonexistent changes on default values
I am trying to refactor and import an existing log bucket. The HCL code is shown below and is a full copy of what is in production:
locals {
  bucket_name = "log-bucket-${var.environment}-${var.region}"
}

module "bucket" {
  source     = "git@github.com:mycompany/s3-bucket-module?ref=1.0.5"
  name       = local.bucket_name
  log_bucket = local.bucket_name

  bucket_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "AllowSSLRequestsOnly",
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "s3:*",
        "Resource" : [*],   # left exactly as it appears in the post
        "Condition" : {
          "Bool" : {
            "aws:SecureTransport" : "false"
          }
        }
      }
    ]
  })

  grant = [
    {
      id          = data.aws_canonical_user_id.current_user.id
      type        = "CanonicalUser"
      permissions = ["FULL_CONTROL"]
    },
    {
      type        = "Group"
      uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
      permissions = ["READ_ACP", "WRITE"]
    },
  ]

  lifecycle_rules = [
    {
      id      = "log"
      enabled = true
      prefix  = "log/"
      tags = {
        "rule"      = "log"
        "autoclean" = "true"
      }
      transition = [
        {
          days          = 30
          storage_class = "STANDARD_IA"
        },
        {
          days          = 60
          storage_class = "GLACIER"
        }
      ]
      expiration = {
        days = 90
      }
    }
  ]
}
After importing the bucket with terraform import ... and running terraform plan, I get the following changes:
# module.s3-bucket-module.module.bucket.aws_s3_bucket.bucket will be updated in-place
  ~ resource "aws_s3_bucket" "bucket" {
      + acl           = "private"
      + force_destroy = false
        id            = "mycompany-log-bucket-myenvironment-myregion"
        tags          = {}
        # (8 unchanged attributes hidden)
        # (6 unchanged blocks hidden)
    }
According to this plan, terraform wants to do two things:
+ acl = "private"
+ force_destroy = false
But these are default values that I have never explicitly changed. What I am trying to say is that it does not actually seem to change anything; it just sets the defaults explicitly.
This confuses me, and since it is a production bucket I would like your opinion before applying. Why do these two "changes" appear?
This is related to the bug bembas mentioned in the comments.
I created a copy of the bucket and imported it.
Step 1
Before applying the plan
  ~ resource "aws_s3_bucket" "bucket" {
      + acl           = "private"
      + force_destroy = false
        id            = "mycompany-log-bucket-myenvironment-myregion"
        tags          = {}
        # (8 unchanged attributes hidden)
        # (6 unchanged blocks hidden)
    }
I ran aws s3api get-bucket-acl --bucket mycompany-log-bucket-myenvironment-myregion and got this response:
{
  "Owner": {
    "ID": "hidden"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
      },
      "Permission": "READ_ACP"
    },
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
      },
      "Permission": "WRITE"
    },
    {
      "Grantee": {
        "ID": "hidden",
        "Type": "CanonicalUser"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
Step 2
After applying the plan
{
  "Owner": {
    "ID": "hidden"
  },
  "Grants": [
    {
      "Grantee": {
        "ID": "hidden",
        "Type": "CanonicalUser"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
Step 3
I ran a new plan, and the resource wants to change again!
  ~ resource "aws_s3_bucket" "bucket" {
        # (10 unchanged attributes hidden)

      + grant {
          + permissions = [
              + "READ_ACP",
              + "WRITE",
            ]
          + type        = "Group"
          + uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
        }
      + grant {
          + id          = "hidden"
          + permissions = [
              + "FULL_CONTROL",
            ]
          + type        = "CanonicalUser"
        }
        # (4 unchanged blocks hidden)
    }
After applying the second plan, everything is back to normal and terraform no longer requests changes.
No changes. Your infrastructure matches the configuration.
16/11/2021
I think there is an open bug where terraform sees an update to the following attributes:
+ acl = "private"
+ force_destroy = false
on that particular tf resource; the workaround is to apply the (bogus) update and then apply again, after which the terraform state is up to date.
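The Step 1 / Step 2 sequence above shows the real risk of the "apply twice" workaround: the first apply rewrote the bucket ACL and dropped the LogDelivery group's READ_ACP and WRITE, which ACL-based server access log delivery into this bucket depends on, until the second apply put them back. The check below is an added example, not code from the question or its answers: it compares a `get-bucket-acl` response against the grants the module declares and reports what is missing. The expected-grant set and both sample responses are constructed from the post (with the redacted owner ID kept as "hidden").

```python
import json

# Expected ACL grants, taken from the module's `grant` list in the question:
# the bucket owner holds FULL_CONTROL, and the S3 LogDelivery group needs
# READ_ACP + WRITE for ACL-based server access log delivery to this bucket.
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
EXPECTED_GRANTS = {
    ("CanonicalUser", "OWNER", "FULL_CONTROL"),
    ("Group", LOG_DELIVERY_URI, "READ_ACP"),
    ("Group", LOG_DELIVERY_URI, "WRITE"),
}


def grant_key(grant, owner_id):
    """Normalise one Grants[] entry into a hashable (type, who, permission) triple.
    The owner's canonical ID is mapped to the token "OWNER" so the expected set
    does not depend on the account's (redacted) canonical user ID."""
    grantee = grant["Grantee"]
    if grantee["Type"] == "Group":
        who = grantee["URI"]
    else:
        who = "OWNER" if grantee.get("ID") == owner_id else grantee.get("ID")
    return (grantee["Type"], who, grant["Permission"])


def missing_grants(acl_json, expected=EXPECTED_GRANTS):
    """Return the expected grants absent from an ACL document (the JSON that
    `aws s3api get-bucket-acl` prints), sorted for stable output."""
    acl = json.loads(acl_json)
    actual = {grant_key(g, acl["Owner"]["ID"]) for g in acl["Grants"]}
    return sorted(expected - actual)


def log_delivery_ok(acl_json):
    """True when the LogDelivery group still holds every grant it needs."""
    return not any(who == LOG_DELIVERY_URI for _, who, _ in missing_grants(acl_json))


# Constructed samples mirroring the Step 1 (before) and Step 2 (after) responses.
ACL_BEFORE_APPLY = json.dumps({"Owner": {"ID": "hidden"}, "Grants": [
    {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
    {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "WRITE"},
    {"Grantee": {"ID": "hidden", "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
]})
ACL_AFTER_APPLY = json.dumps({"Owner": {"ID": "hidden"}, "Grants": [
    {"Grantee": {"ID": "hidden", "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
]})

if __name__ == "__main__":
    for label, doc in (("before apply", ACL_BEFORE_APPLY), ("after first apply", ACL_AFTER_APPLY)):
        print(f"{label}: missing={missing_grants(doc)} log_delivery_ok={log_delivery_ok(doc)}")
```

Pipe the live output of `aws s3api get-bucket-acl --bucket <name>` into `missing_grants` after each apply to confirm the LogDelivery grants survived before trusting the "No changes" plan.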