How do we enable Amazon S3 replica modification sync in Terraform?

Question

I'm using Terraform for Amazon S3 replication. I want to enable the rule "Replica modification sync", but I don't think it is defined in Terraform.

Right now my code looks like this:

replication_configuration {
  role = "${aws_iam_role.source_replication.arn}"

  rules {
    id     = "${local.replication_name}"
    status = "Enabled"
    prefix = "${var.replicate_prefix}"

    destination {
      bucket        = "${local.dest_bucket_arn}"
      storage_class = "STANDARD"

      access_control_translation {
        owner = "Destination"
      }

      account_id = "${data.aws_caller_identity.dest.account_id}"
    }

    # this is the block the provider rejects (see the error below)
    source_selection_criteria {
      replica_modifications {
        status = "Enabled"
      }
    }
  }
}

It gives this error:

Error: Unsupported block type

  on s3_bucket.tf line 61, in resource "aws_s3_bucket" "bucket":
  61:         replica_modifications {

Blocks of type "replica_modifications" are not expected here.

The rule I have to enable looks like this in the console:

[screenshot]

Using the AWS CLI from Terraform, I'm not sure how to use variables like the destination ${local.dest_bucket_arn} or ${aws_iam_role.source_replication.arn} in the JSON file I'm calling.

resource "null_resource" "awsrepl" {
  # ...

  provisioner "local-exec" {
    command = "aws s3api put-bucket-replication --replication-configuration templatefile://replication_source.json --bucket ${var.bucket_name}"
  }
}

replication_source.json looks like:

{
    "Rules": [
        {
            "Status": "Enabled",
            "DeleteMarkerReplication": { "Status": "Enabled" },
            "SourceSelectionCriteria": {
                "ReplicaModifications": { "Status": "Enabled" }
            },
            "Destination": {
                "Bucket": "${local.dest_bucket_arn}"
            },
            "Priority": 1
        }
    ],
    "Role": "${aws_iam_role.source_replication.arn}"
}

Answer

You're right. It's not supported yet, but there is already a GitHub issue for it:

By the way, delete marker replication is not supported either.

Your options are to do it manually after deploying the bucket, to use local-exec to run the AWS CLI, or to use aws_lambda_invocation.
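As an added example, not part of either answer on this page: with a newer AWS provider (4.x or later is assumed) replication moved out of aws_s3_bucket into its own aws_s3_bucket_replication_configuration resource, which does expose both "Replica modification sync" and delete marker replication natively, so the CLI workaround is no longer needed. The resource names (aws_s3_bucket.source, aws_s3_bucket.dest, aws_iam_role.replication, aws_kms_key.dest, the aws.dest provider alias) and var.replicate_prefix are placeholders for illustration.

```hcl
# Added example, not from the original answers. Assumes AWS provider >= 4.0,
# where replication is configured through aws_s3_bucket_replication_configuration.
# Resource names and the aws.dest provider alias are placeholders.

# Replication (and therefore replica modification sync) requires versioning on
# both buckets; declare it explicitly so Terraform orders things correctly.
resource "aws_s3_bucket_versioning" "source" {
  bucket = aws_s3_bucket.source.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_versioning" "dest" {
  provider = aws.dest
  bucket   = aws_s3_bucket.dest.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_replication_configuration" "source_to_dest" {
  depends_on = [aws_s3_bucket_versioning.source, aws_s3_bucket_versioning.dest]

  bucket = aws_s3_bucket.source.id
  role   = aws_iam_role.replication.arn

  rule {
    id       = "replicate-with-modification-sync"
    status   = "Enabled"
    priority = 1

    # A filter block (even an empty one) is required when the rule also uses
    # delete_marker_replication; prefix scopes the rule like the old "prefix".
    filter {
      prefix = var.replicate_prefix
    }

    source_selection_criteria {
      # This is "Replica modification sync" in the console.
      replica_modifications {
        status = "Enabled"
      }
      # Without this, objects encrypted with SSE-KMS are silently not replicated.
      sse_kms_encrypted_objects {
        status = "Enabled"
      }
    }

    delete_marker_replication {
      status = "Enabled"
    }

    destination {
      bucket        = aws_s3_bucket.dest.arn
      storage_class = "STANDARD"
      account       = data.aws_caller_identity.dest.account_id

      # Replicas are re-encrypted with a key that lives in the destination region.
      encryption_configuration {
        replica_kms_key_id = aws_kms_key.dest.arn
      }

      # Hand ownership of replicas to the destination account.
      access_control_translation {
        owner = "Destination"
      }
    }
  }
}
```

Two checks worth doing before relying on this: the replication role needs s3:GetReplicationConfiguration and s3:ListBucket on the source bucket, s3:GetObjectVersionForReplication, s3:GetObjectVersionAcl and s3:GetObjectVersionTagging on source objects, s3:ReplicateObject, s3:ReplicateDelete and s3:ReplicateTags on the destination, plus kms:Decrypt on the source key and kms:Encrypt on the destination key; and for the two-way setup in the second answer, replica modification sync only takes effect when it is enabled in both directions, so the destination bucket needs a mirror-image resource with its own role.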

Another answer

Was able to achieve this in Terraform using local-exec and template_file:

data "template_file" "replication_dest" {
  template = "${file("replication_dest.json")}"

  # These names must match the ${...} placeholders in replication_dest.json.
  vars = {
    bucketarn = "${aws_s3_bucket.bucket.arn}"
    rolearn   = "${aws_iam_role.dest_replication.arn}"
    # Use the key's ARN directly rather than assembling it from region,
    # account id and key id; a hand-built ARN is easy to get wrong.
    kmskeyarn = "${data.aws_kms_key.s3.arn}"
  }
}

resource "null_resource" "awsdestrepl" {
  # ...

  provisioner "local-exec" {
    # The rendered JSON is single-quoted so the shell passes it as one argument.
    command = "aws s3api put-bucket-replication --bucket ${aws_s3_bucket.dest.bucket} --replication-configuration '${data.template_file.replication_dest.rendered}'"
  }

  depends_on = [aws_s3_bucket.dest]
}

replication_dest.json looks like this:

{
    "Rules": [
        {
            "Status": "Enabled",
            "Priority": 1,
            "Filter": { "Prefix": "" },
            "DeleteMarkerReplication": { "Status": "Enabled" },
            "SourceSelectionCriteria": {
                "ReplicaModifications": { "Status": "Enabled" },
                "SseKmsEncryptedObjects": { "Status": "Enabled" }
            },
            "Destination": {
                "Bucket": "${bucketarn}",
                "EncryptionConfiguration": {
                    "ReplicaKmsKeyID": "${kmskeyarn}"
                }
            }
        }
    ],
    "Role": "${rolearn}"
}

You're good to go. :)