Problem description
I am trying to create an AWS EKS cluster with Terraform, and working through the steps in order, I have a step that creates a security group, where I run into an error I cannot resolve.
Could you take a look and help me understand why this error occurs?
Terraform version in use: v0.13.1
Request and response log:
2020-09-03T17:10:09.598+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: Action=CreateSecurityGroup&GroupDescription=Managed+by+Terraform&GroupName=sg-worker_group_mgmt_two2020090311400XXXXXXXXXXXX&Version=2016-11-15&VpcId=vpc-XXXXXXXX
2020-09-03T17:10:09.598+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: -----------------------------------------------------
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: 2020/09/03 17:10:10 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/CreateSecurityGroup Details:
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: ---[ RESPONSE ]--------------------------------------
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: HTTP/1.1 400 Bad Request
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: Connection: close
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: transfer-encoding: chunked
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: Date: Thu, 03 Sep 2020 11:40:09 GMT
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: Server: AmazonEC2
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5:
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5:
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: -----------------------------------------------------
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: 2020/09/03 17:10:10 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: <Response><Errors><Error><Code>InvalidParameterValue</Code><Message>Value (sg-worker_group_mgmt_two2020090311400XXXXXXXXXXXX) for parameter GroupName is invalid. Group names may not be in the format sg-*.</Message></Error></Errors><RequestID>5XXXX-0XXX-4c55-aXXa-b34f3XXXXX</RequestID></Response>
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: 2020/09/03 17:10:10 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/CreateSecurityGroup Failed, attempt 0/25, error InvalidParameterValue: Value (sg-worker_group_mgmt_two2020090311400XXXXXXXXXXXX) for parameter GroupName is invalid. Group names may not be in the format sg-*.
2020-09-03T17:10:10.360+0530 [DEBUG] plugin.terraform-provider-aws_v3.4.0_x5: status code: 400, request id: 5XXXX-0XXX-4c55-aXXa-b34f3XXXXX
2020/09/03 17:10:10 [DEBUG] aws_security_group.worker_group_mgmt_two: apply errored, but we're indicating that via the Error pointer rather than returning it: Error creating Security Group: InvalidParameterValue: Value (sg-worker_group_mgmt_two2020090311400XXXXXXXXXXXX) for parameter GroupName is invalid. Group names may not be in the format sg-*.
status code: 400, request id: 5XXXX-0XXX-4c55-aXXa-b34f3XXXXX
resource "aws_security_group" "sg-worker_group_mgmt_one" {
  name_prefix = "sg-worker_group_mgmt_one"
  vpc_id      = "${data.aws_vpc.vpc-dev-cluster.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["xxx.xx.0.0/16"]
  }
}

resource "aws_security_group" "sg-worker_group_mgmt_two" {
  name_prefix = "sg-worker_group_mgmt_two"
  vpc_id      = "${data.aws_vpc.vpc-dev-cluster.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["xxx.xx.0.0/16"]
  }
}

resource "aws_security_group" "sg-all_worker_mgmt" {
  name_prefix = "sg-all_worker_management"
  vpc_id      = "${data.aws_vpc.vpc-dev-cluster.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["xxx.xx.xx.0/17", "xxx.xx.0.0/16"]
  }
}

resource "aws_security_group" "sg-eks_cluster" {
  name        = "${var.cluster_sg_name}"
  description = "Cluster communication with worker nodes"
  vpc_id      = "${data.aws_vpc.vpc-dev-cluster.id}"

  tags = {
    Name = "${var.cluster_sg_name}"
  }
}

resource "aws_security_group_rule" "sg-cluster_inbound" {
  description              = "Allow worker nodes to communicate with the cluster API Server"
  from_port                = 443
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.sg-eks_cluster.id}"
  source_security_group_id = "${aws_security_group.sg-eks_nodes.id}"
  to_port                  = 443
  type                     = "ingress"
}

resource "aws_security_group_rule" "sg-cluster_outbound" {
  description              = "Allow cluster API Server to communicate with the worker nodes"
  from_port                = 1024
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.sg-eks_cluster.id}"
  source_security_group_id = "${aws_security_group.sg-eks_nodes.id}"
  to_port                  = 65535
  type                     = "egress"
}

resource "aws_security_group" "sg-eks_nodes" {
  name        = "${var.nodes_sg_name}"
  description = "Security group for all nodes in the cluster"
  vpc_id      = "${data.aws_vpc.vpc-dev-cluster.id}"

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name                                            = "${var.nodes_sg_name}"
    "kubernetes.io/cluster/${var.eks_cluster_name}" = "owned"
  }
}

resource "aws_security_group_rule" "nodes" {
  description              = "Allow nodes to communicate with each other"
  from_port                = 0
  protocol                 = "-1"
  security_group_id        = "${aws_security_group.sg-eks_nodes.id}"
  source_security_group_id = "${aws_security_group.sg-eks_nodes.id}"
  to_port                  = 65535
  type                     = "ingress"
}

resource "aws_security_group_rule" "nodes_inbound" {
  description              = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
  from_port                = 1025
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.sg-eks_nodes.id}"
  source_security_group_id = "${aws_security_group.sg-eks_cluster.id}"
  to_port                  = 65535
  type                     = "ingress"
}
Solution
The AWS documentation for CreateSecurityGroup mentions the following constraint on name:
Constraints: Up to 255 characters in length. Cannot start with sg-.
Normally the AWS provider would validate this, so it would surface from the plan or validate command. Unfortunately, it currently only validates the length.
To correct the error, you need to change the security group names to remove the sg- prefix.
I have opened https://github.com/terraform-providers/terraform-provider-aws/pull/15011 to address this, so that in future it can be detected before apply runs.
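One way to catch this at plan/validate time in Terraform 0.13 itself, as an added example that is not part of the answer above: a custom validation rule on the variables the posted configuration already uses (var.cluster_sg_name, var.nodes_sg_name), beside the name_prefix resource with the sg- prefix removed. The CIDR is the question's placeholder, and the Terraform resource labels may keep sg- because the AWS constraint applies only to the GroupName sent to the API.

```hcl
# Added example, not from the original answer. Rejects invalid security
# group names before apply, mirroring the CreateSecurityGroup constraint:
# at most 255 characters and must not start with "sg-".
variable "cluster_sg_name" {
  type        = string
  description = "Name of the EKS cluster security group"

  validation {
    condition     = length(var.cluster_sg_name) <= 255 && !can(regex("^sg-", var.cluster_sg_name))
    error_message = "Security group names must be at most 255 characters and may not start with \"sg-\"."
  }
}

variable "nodes_sg_name" {
  type        = string
  description = "Name of the EKS worker node security group"

  validation {
    condition     = length(var.nodes_sg_name) <= 255 && !can(regex("^sg-", var.nodes_sg_name))
    error_message = "Security group names must be at most 255 characters and may not start with \"sg-\"."
  }
}

# name_prefix is a literal, so the fix is to drop the "sg-" prefix. Terraform
# appends a unique suffix, and the resulting GroupName is what AWS validates.
# The resource label "sg-worker_group_mgmt_two" is Terraform-internal and is
# not sent to AWS, so it may stay as it is.
resource "aws_security_group" "sg-worker_group_mgmt_two" {
  name_prefix = "worker_group_mgmt_two"
  vpc_id      = data.aws_vpc.vpc-dev-cluster.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["xxx.xx.0.0/16"] # placeholder CIDR taken from the question
  }
}
```

With these variable blocks in place, `terraform validate` fails with the error_message for any value starting with sg-, instead of the 400 InvalidParameterValue surfacing during apply.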