What is the best way to debug Terraform AWS Application Load Balancer validation error?

Problem description

I am trying to provision a demo web service on AWS with Terraform, and am encountering the following error.

Error: Error applying plan:

2 error(s) occurred:

* module.prod.module.web.module.web.aws_alb_listener.frontend: 1 error(s) occurred:

* aws_alb_listener.frontend: Error creating LB Listener: ValidationError: 'arn:aws:elasticloadbalancing:us-west-2:114416042199:loadbalancer/app/demo-svc-prod-alb/2a5f486a7b9d265a' is not a valid target group ARN
  status code: 400, request id: e3819755-799c-11e8-ac82-43dfdd4e44d1
* module.prod.module.web.module.web.aws_autoscaling_group.backend: 1 error(s) occurred:

* aws_autoscaling_group.backend: Error creating AutoScaling Group: ValidationError: Provided Load Balancers may not be valid. Please ensure they exist and try again.
  status code: 400, request id: e37efee9-799c-11e8-955a-c50a9e447dfa

What I don't understand is why the ARN is invalid, as it belongs to a resource created by Terraform. It seems perhaps suspicious that the ARN refers to elasticloadbalancing. Are there any gotchas to be aware of when working with an AWS application load balancer and an ASG? When using a classic ELB I didn't see this problem. Is there any way to get more useful information out of Terraform?

The relevant resources that throw the errors are:

resource "aws_alb_listener" "frontend" {
  load_balancer_arn       = "${aws_alb.frontend.arn}"
  port                    = "${local.https_port}"
  protocol                = "HTTPS"
  ssl_policy              = "ELBSecurityPolicy-TLS-1-2-2017-01"

  default_action {
    target_group_arn      = "${aws_alb.frontend.arn}"
    type                  = "forward"
  }
}

resource "aws_autoscaling_group" "backend" {
  name                    = "${local.cluster_name}-asg"
  launch_configuration    = "${aws_launch_configuration.backend.id}"
  availability_zones      = ["${data.aws_availability_zones.all.names}"]
  load_balancers          = ["${aws_alb.frontend.name}"]
  health_check_type       = "ELB"
  min_size                = "${var.min_size}"
  max_size                = "${var.max_size}"
  // This resource type uses different tags specification format.
  // A list comp over the locals tags map would sure come in handy to keep
  // things DRY.
  tags                    = [
    {
      key                 = "System"
      value               = "${var.tags["System"]}"
      propagate_at_launch = true
    },
    {
      key                 = "Environment"
      value               = "${local.tags["Environment"]}"
      propagate_at_launch = true
    },
    {
      key                 = "Owner"
      value               = "${local.tags["Owner"]}"
      propagate_at_launch = true
    },
    {
      key                 = "Description"
      value               = "${local.tags["Description"]}"
      propagate_at_launch = true
    }
  ]
}

The full code is available at https://github.com/mojochao/terraform-aws-web-stack/commit/a4bfe5d6362fddfb2934dc9a89344c304e59cef7.

Recommended answer

You're referring to the wrong resources in both cases.

With the first error your listener is defined as:

resource "aws_alb_listener" "frontend" {
  load_balancer_arn       = "${aws_alb.frontend.arn}"
  port                    = "${local.https_port}"
  protocol                = "HTTPS"
  ssl_policy              = "ELBSecurityPolicy-TLS-1-2-2017-01"

  default_action {
    target_group_arn      = "${aws_alb.frontend.arn}"
    type                  = "forward"
  }
}

Note that the default_action takes a target_group_arn so you need to point it to your target group, not the load balancer itself.

So you should use:

resource "aws_alb_listener" "frontend" {
  load_balancer_arn       = "${aws_alb.frontend.arn}"
  port                    = "${local.https_port}"
  protocol                = "HTTPS"
  ssl_policy              = "ELBSecurityPolicy-TLS-1-2-2017-01"

  default_action {
    target_group_arn      = "${aws_alb_target_group.frontend.arn}"
    type                  = "forward"
  }
}

Because you only have a single listener rule defined you can also remove the aws_alb_listener_rule resource because it's doing the same thing as the default action on the listener anyway. You would only define rules separately if you wanted different traffic (either by host or by path) to go to different target groups.

Your second error comes from trying to attach the autoscaling group to an ELB classic by using the load_balancers parameter. As the aws_autoscaling_group resource docs mention you should use target_group_arns instead:

resource "aws_autoscaling_group" "backend" {
  name                    = "${local.cluster_name}-asg"
  launch_configuration    = "${aws_launch_configuration.backend.id}"
  availability_zones      = ["${data.aws_availability_zones.all.names}"]
  target_group_arns       = ["${aws_alb_target_group.frontend.arn}"]
  health_check_type       = "ELB"
  min_size                = "${var.min_size}"
  max_size                = "${var.max_size}"
  // This resource type uses different tags specification format.
  // A list comp over the locals tags map would sure come in handy to keep
  // things DRY.
  tags                    = [
    {
      key                 = "System"
      value               = "${var.tags["System"]}"
      propagate_at_launch = true
    },
    {
      key                 = "Environment"
      value               = "${local.tags["Environment"]}"
      propagate_at_launch = true
    },
    {
      key                 = "Owner"
      value               = "${local.tags["Owner"]}"
      propagate_at_launch = true
    },
    {
      key                 = "Description"
      value               = "${local.tags["Description"]}"
      propagate_at_launch = true
    }
  ]
}

This will automatically attach the autoscaling group to the ALB target group so you can also get rid of the aws_autoscaling_attachment resource which is doing the same thing. You would only normally use the aws_autoscaling_attachment resource if you defined your ALB target group and your autoscaling group separately and needed to link across them.
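
Both errors above are reference mix-ups that only surface at apply time as an AWS ValidationError. The following is an added example, not part of the original question or answer: a small pre-apply lint that flags an argument referencing the wrong resource type. The `lint` function, its `EXPECTED` table and the whitespace-normalized samples are assumptions made for illustration, and it only understands the `${type.name.attr}` interpolation style used on this page.

```python
import re

# Resource types each argument may reference (aws_lb* are the provider's newer names).
EXPECTED = {
    "target_group_arn": {"aws_alb_target_group", "aws_lb_target_group"},
    "target_group_arns": {"aws_alb_target_group", "aws_lb_target_group"},
    "load_balancer_arn": {"aws_alb", "aws_lb"},
    "load_balancers": {"aws_elb"},  # takes classic ELB names only
}
RESOURCE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"')
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+)$")
REF = re.compile(r"\$\{\s*(\w+)\.([\w-]+)\.(\w+)\s*\}")  # ${type.name.attr}

def lint(hcl):
    """Return (line, resource, argument, reference) for each mismatched reference."""
    findings, current = [], None
    for lineno, line in enumerate(hcl.splitlines(), 1):
        block = RESOURCE.match(line)
        if block:
            current = ".".join(block.groups())
            continue
        assign = ASSIGN.match(line)
        if not assign or assign.group(1) not in EXPECTED:
            continue
        arg, value = assign.groups()
        for rtype, rname, attr in REF.findall(value):
            if rtype not in EXPECTED[arg]:
                findings.append((lineno, current, arg, f"{rtype}.{rname}.{attr}"))
    return findings

# Constructed sample: the failing arguments from the question, trimmed.
BROKEN = '''
resource "aws_alb_listener" "frontend" {
  load_balancer_arn = "${aws_alb.frontend.arn}"
  default_action {
    target_group_arn = "${aws_alb.frontend.arn}"
  }
}
resource "aws_autoscaling_group" "backend" {
  load_balancers = ["${aws_alb.frontend.name}"]
}
'''
# Constructed sample: the same arguments as corrected in the answer.
FIXED = (BROKEN
    .replace('target_group_arn = "${aws_alb.', 'target_group_arn = "${aws_alb_target_group.')
    .replace('load_balancers = ["${aws_alb.frontend.name}', 'target_group_arns = ["${aws_alb_target_group.frontend.arn}'))

for finding in lint(BROKEN):
    print("line %d: %s: %s must not reference %s" % finding)
```
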
