terraform backend s3 bucket creation returns 403 w/ Terraform 0.11.1

Problem description

How do I create an S3 bucket that has access to put a terraform.tfstate file? How do I get the tfstate into the bucket? What is the proper way to do this?

To preface, I have spent over 6 hours trying to figure this out. I saw the similar post with a problem caused by MFA. That's not my issue.

I'm using the same code to create EC2 instances, VPC and other resources just fine.

---[ REQUEST POST-SIGN ]-----------------------------
GET /?prefix=env%3A%2F HTTP/1.1
Host: tfstate-neonaluminum.s3.us-east-2.amazonaws.com
User-Agent: aws-sdk-go/1.10.36 (go1.9.2; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.1
Authorization: AWS4-HMAC-SHA256 Credential=<CUT>/20171215/us-east-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<CUT>
X-Amz-Content-Sha256: <CUT>
X-Amz-Date: 20171215T103755Z
Accept-Encoding: gzip

-----------------------------------------------------
2017/12/15 04:37:55 [DEBUG] [aws-sdk-go] DEBUG: Response s3/ListObjects Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Fri, 15 Dec 2017 10:37:55 GMT
Server: AmazonS3
X-Amz-Bucket-Region: us-east-2
X-Amz-Id-2: UwWJlCAtabKny2Ncam+D7/s9Rozjw43ozsVNdtZgQqPSXoSvZbO3JnuPz3B9cmLcgYea6x8xPqQ=
X-Amz-Request-Id: 470C02B96A60090B

Here's the .tf code:

provider "aws" {
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  region     = "${var.region}"
}

terraform {
  backend "s3" {
    bucket = "tfstate-neonaluminum"
    key    = "terraform.tfstate"
    region = "us-east-2"
  }
}

resource "aws_s3_bucket" "terraform_state_bucket" {
  bucket = "tfstate-neonaluminum"
  acl    = "private"

  tags {
    management = "terraform"
  }
}

Hope I didn't leave out any necessary details - new to asking questions on stackoverflow.

Recommended answer

Unfortunately that's the one caveat for using S3 as your backend to Terraform; you'll need to create the bucket manually. At times - a common pattern is that an organization will have multiple AWS accounts (for a variety of reasons - not just Terraform state) - this could be a possible option, to create your S3 bucket in that account, that way you can keep all of your other account's infrastructure defined by Terraform - but personally, I just create it by hand in my own account.

One thing you can do is import the bucket after the fact with terraform import if you wanted to manage it with Terraform, just of course there's the chicken and the egg problem still. Or - use a local state initially while creating the bucket, and then define it later; however, either way you would not be able to dynamically reference the bucket via the resource object.

But no - you cannot simultaneously create the bucket with Terraform while also setting it to your state.
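The two-stage approach the answer describes, as an added example (not the poster's or the answerer's code): a separate bootstrap configuration, applied with plain local state, creates the state bucket and a DynamoDB lock table; the real configuration then points its backend at them. Bucket and table names are placeholders, and the resource arguments assume Terraform 0.11 with a 1.x AWS provider recent enough to support the `server_side_encryption_configuration` block.

```hcl
# --- bootstrap/main.tf : apply this first, with local state (no backend block) ---
provider "aws" {
  region = "us-east-2"
}

resource "aws_s3_bucket" "tfstate" {
  bucket = "EXAMPLE-tfstate-bucket"   # placeholder: S3 names are global, pick your own
  acl    = "private"
  # Versioning lets you roll back a corrupted or clobbered state file.
  versioning {
    enabled = true
  }
  # State files carry secrets (passwords, keys, tokens); encrypt them at rest.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Destroying this bucket would orphan every state that lives in it.
  lifecycle {
    prevent_destroy = true
  }
}

# Lock table so two concurrent applies cannot both write the same state.
resource "aws_dynamodb_table" "tfstate_lock" {
  name           = "EXAMPLE-tfstate-lock"  # placeholder
  hash_key       = "LockID"
  read_capacity  = 1
  write_capacity = 1

  attribute {
    name = "LockID"
    type = "S"
  }
}

# --- main.tf of the real configuration : run `terraform init` after bootstrap ---
terraform {
  backend "s3" {
    bucket         = "EXAMPLE-tfstate-bucket"  # same placeholder as above
    key            = "prod/terraform.tfstate"
    region         = "us-east-2"
    encrypt        = true
    dynamodb_table = "EXAMPLE-tfstate-lock"
  }
}
```

Apply the bootstrap directory first and keep its small local state file somewhere safe, then run `terraform init` in the main configuration; if that configuration already has a local state, `init` offers to copy it into the bucket.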
