Terraform - Updating S3 Access Control: Question on replacing acl with grant


Question

I have an S3 bucket which is used as Access logging bucket.

Here is my current module and resource TF code for that:

module "access_logging_bucket" {
    source = "../../resources/s3_bucket"
    environment = "${var.environment}"
    region = "${var.region}"
    acl = "log-delivery-write"

    encryption_key_alias = "alias/ab-data-key"

    name = "access-logging"
    name_tag = "Access logging bucket"
}

resource "aws_s3_bucket" "default" {
    bucket = "ab-${var.environment}-${var.name}-${random_id.bucket_suffix.hex}"
    acl = "${var.acl}"

    depends_on = [data.template_file.dependencies]

    tags = {
        name = "${var.name_tag}"
        . . .
    }

    lifecycle {
        ignore_changes = [ "server_side_encryption_configuration" ]
    }
}

The default value of variable acl is variable "acl" { default = "private" } in my case. And also as stated in Terraform S3 bucket attribute reference doc.

And for this bucket it is set to log-delivery-write.

I want to update it to add the following grants and remove acl, as they conflict with each other:

grant {
    permissions = ["READ_ACP", "WRITE"]
    type = "Group"
    uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
}
grant {
    id = data.aws_canonical_user_id.current.id
    permissions = ["FULL_CONTROL"]
    type = "CanonicalUser"
}

My questions are:

  1. Does removing the acl attribute and adding the above-mentioned grants still maintain the correct access control for the bucket? I.e., is that grant configuration still good for using this as an Access Logging bucket?
  2. If I remove the acl from the resource config, it will make it private, which is the default value. Is that the correct thing to do, or should it be made null or something?

On checking some documentation for the Log Delivery group, I found this, which leads me to think I can go ahead with replacing the acl with the grants I mentioned:

Log Delivery group – Represented by http://acs.amazonaws.com/groups/s3/LogDelivery. WRITE permission on a bucket enables this group to write server access logs (see Amazon S3 server access logging) to the bucket. When using ACLs, a grantee can be an AWS account or one of the predefined Amazon S3 groups.

Answer

Based on the grant-log-delivery-permissions-general documentation, I went ahead and ran the terraform apply.

On first run it set the Bucket owner permission correctly but removed the S3 log delivery group. So, I ran the terraform plan again and it showed the following acl grant differences. I am thinking it's most likely that it first updated the acl value which removed the grant for log delivery group.

Thus I re-ran the terraform apply and it worked fine and corrected the log delivery group as well.

  # module.buckets.module.access_logging_bucket.aws_s3_bucket.default will be updated in-place
  ~ resource "aws_s3_bucket" "default" {
        acl                         = "private"
        bucket                      = "ml-mxs-stage-access-logging-9d8e94ff"
        force_destroy               = false
        . . .
        tags                        = {
            "name"                                = "Access logging bucket"
            . . .
        }

      + grant {
          + permissions = [
              + "READ_ACP",
              + "WRITE",
            ]
          + type        = "Group"
          + uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
        }
      + grant {
          + id          = "ID_VALUE"
          + permissions = [
              + "FULL_CONTROL",
            ]
          + type        = "CanonicalUser"
        }
        . . .
    }

Plan: 0 to add, 1 to change, 0 to destroy.
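The answer above notes that the first apply left the bucket with only the owner grant and that the LogDelivery group grant only appeared after a second apply. A cheap way to catch that state is to read the bucket's effective ACL back and check it against what the canned acl log-delivery-write provides: WRITE and READ_ACP for the LogDelivery group and FULL_CONTROL for the bucket owner. The following is an added example, not code from the question, the answer, or the Terraform module shown; it assumes the ACL is a dict shaped like the response of boto3's s3.get_bucket_acl (Owner plus a Grants list), and the three sample ACLs and the owner ID in it are constructed placeholders.

```python
"""Check an S3 bucket ACL against the grants that log-delivery-write implies.

Input shape (as returned by boto3 ``s3.get_bucket_acl``):
    {"Owner": {"ID": "..."}, "Grants": [{"Grantee": {...}, "Permission": "..."}]}
All sample ACLs below are constructed; no AWS call is made.
"""

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
PUBLIC_GROUP_SUFFIXES = ("/global/AllUsers", "/global/AuthenticatedUsers")
# What the canned ACL log-delivery-write grants to the LogDelivery group.
REQUIRED_LOG_DELIVERY = {"WRITE", "READ_ACP"}

# Constructed placeholder; a real ACL carries the account's canonical user ID.
OWNER_ID = "OWNER_CANONICAL_ID_PLACEHOLDER"


def grants_by_grantee(acl):
    """Collapse the grant list into {(type, identifier): set(permissions)}."""
    perms = {}
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee["Type"] == "Group":
            key = ("Group", grantee["URI"])
        elif grantee["Type"] == "CanonicalUser":
            key = ("CanonicalUser", grantee["ID"])
        else:  # AmazonCustomerByEmail grantees, rare on a log bucket
            key = (grantee["Type"], grantee.get("EmailAddress", ""))
        perms.setdefault(key, set()).add(grant["Permission"])
    return perms


def check_log_delivery_acl(acl):
    """Return a list of problems; an empty list means the ACL is fit for access logging."""
    problems = []
    perms = grants_by_grantee(acl)

    # 1. The log delivery group must be able to write logs and read the ACL.
    log_delivery = perms.get(("Group", LOG_DELIVERY_URI), set())
    missing = REQUIRED_LOG_DELIVERY - log_delivery
    if missing:
        problems.append(f"LogDelivery group missing {sorted(missing)}")

    # 2. The bucket owner keeps FULL_CONTROL, as with the canned ACL.
    owner = perms.get(("CanonicalUser", acl["Owner"]["ID"]), set())
    if "FULL_CONTROL" not in owner:
        problems.append("bucket owner lacks FULL_CONTROL")

    # 3. Nothing on a log bucket should be granted to the public groups.
    for (kind, ident), granted in perms.items():
        if kind == "Group" and ident.endswith(PUBLIC_GROUP_SUFFIXES):
            problems.append(f"public grant {sorted(granted)} to {ident}")
    return problems


def _owner_grant():
    return {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
            "Permission": "FULL_CONTROL"}


def _group_grant(uri, permission):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


# Constructed: the state the answer describes after the first apply.
ACL_AFTER_FIRST_APPLY = {"Owner": {"ID": OWNER_ID}, "Grants": [_owner_grant()]}

# Constructed: the state after the second apply (equivalent to log-delivery-write).
ACL_AFTER_SECOND_APPLY = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        _owner_grant(),
        _group_grant(LOG_DELIVERY_URI, "WRITE"),
        _group_grant(LOG_DELIVERY_URI, "READ_ACP"),
    ],
}

# Constructed: a correct log bucket that was additionally made world-readable.
ACL_WITH_PUBLIC_READ = {
    "Owner": {"ID": OWNER_ID},
    "Grants": ACL_AFTER_SECOND_APPLY["Grants"]
    + [_group_grant("http://acs.amazonaws.com/groups/global/AllUsers", "READ")],
}

if __name__ == "__main__":
    for label, acl in [("first apply", ACL_AFTER_FIRST_APPLY),
                       ("second apply", ACL_AFTER_SECOND_APPLY),
                       ("public read", ACL_WITH_PUBLIC_READ)]:
        print(label, "->", check_log_delivery_acl(acl) or "OK")
```

Run against a real bucket, `acl` would be `boto3.client("s3").get_bucket_acl(Bucket=name)`; an empty result confirms the grant blocks reproduce what the canned ACL gave, and a non-empty one is the signal to re-run the apply or to look at why a public group grant ended up on a log bucket.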
