Problem description
There is a problem with my S3 bucket policy. It seems to add the policy correctly, and I even verified it in AWS, where it shows exactly the policy set in policy.tpl, but it keeps saying there are changes.
I tried changing Action and Resource to arrays, which I heard might help. I also tried removing "Version" and Sid from the policy; every time it runs it says there are changes.
policy.tf
resource "aws_s3_bucket_policy" "bucket" {
  bucket = aws_s3_bucket.bucket.id
  policy = local.policy
}
locals.tf
locals {
  template_dir = "${path.module}/templates"
  template_vars = {
    encrypt          = var.s3_require_encryption_enabled
    bucket_arn       = aws_s3_bucket.bucket.arn
    extra_statements = var.s3_bucket_policy
  }
  policy = templatefile("${local.template_dir}/policy.tpl", local.template_vars)
}
templates/policy.tpl
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "${bucket_arn}/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
In AWS
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::test-bucket-us-east-1/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
It says:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

terraform will perform the following actions:

  # aws_s3_bucket_policy.bucket will be updated in-place
  ~ resource "aws_s3_bucket_policy" "bucket" {
        bucket = "test-bucket-us-east-1"
        id     = "test-bucket-us-east-1"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "s3:*"
                      + Condition = {
                          + Bool = {
                              + aws:SecureTransport = "false"
                            }
                        }
                      + Effect    = "Deny"
                      + Principal = "*"
                      + Resource  = "arn:aws:s3:::test-bucket-us-east-1/*"
                      + Sid       = ""
                    },
                ]
              + Version   = "2008-10-17"
            }
        )
    }

Plan: 0 to add, 1 to change, 0 to destroy.
Solution
According to the comments, there is a problem with the underlying bucket policy.
Content-MD5: the MD5 hash of the request body.
(For requests made using the AWS Command Line Interface (CLI) or the AWS SDKs, this field is calculated automatically.)
So the aws_s3_bucket_policy resource is trying to update the policy.
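Whether this plan keeps showing an update comes down to whether the rendered template and the policy AWS returns are treated as the same document. The helper below is an added example, not code from the question or from the Terraform AWS provider: it canonicalises two IAM policy JSON strings the way the question's experiments hint at (string versus single-element list, an empty Sid, key order and whitespace) so the two renderings can be compared for semantic equivalence offline. Both sample policies are constructed from the question's snippets, and dropping an empty Sid is an assumption of this helper.

```python
import json

# Constructed samples based on the question: the rendered template and the
# same policy as AWS hands it back (here with single-element lists, a common
# normalisation that makes a byte-for-byte comparison fail).
RENDERED_POLICY = """{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::test-bucket-us-east-1/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}"""
AWS_POLICY = ('{"Version":"2008-10-17","Statement":[{"Sid":"","Effect":"Deny",'
              '"Principal":"*","Action":["s3:*"],'
              '"Resource":["arn:aws:s3:::test-bucket-us-east-1/*"],'
              '"Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}')

# Elements IAM accepts either as a single value or as a list of values.
WRAP_AS_LIST = {"Statement", "Action", "NotAction", "Resource", "NotResource",
                "Principal", "NotPrincipal", "AWS", "Service", "Federated"}


def _normalize(node, key=None):
    """Canonicalise one policy fragment: wrap single values into lists where
    IAM treats both forms alike, sort list elements, and drop an empty Sid
    (assumption: an empty Sid carries no meaning for the comparison)."""
    if isinstance(node, list):
        items = [_normalize(v) for v in node]
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    if isinstance(node, dict):
        node = {k: _normalize(v, k) for k, v in node.items()
                if not (k == "Sid" and v == "")}
    return [node] if key in WRAP_AS_LIST else node


def canonical_policy(policy_json: str) -> str:
    """Return a stable, minimal JSON rendering of a policy document."""
    return json.dumps(_normalize(json.loads(policy_json)),
                      sort_keys=True, separators=(",", ":"))


def policies_equivalent(a: str, b: str) -> bool:
    """True when both documents canonicalise to the same string."""
    return canonical_policy(a) == canonical_policy(b)


if __name__ == "__main__":
    print("rendered == aws:", policies_equivalent(RENDERED_POLICY, AWS_POLICY))
    print(canonical_policy(RENDERED_POLICY))
```

If the two documents canonicalise to the same string yet the plan still shows `+ policy`, the prior state held no policy value at all, which points at how the provider read the bucket rather than at the template.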