How to resolve Terraform support for AWS Config Conformance Packs with remediation
The Terraform AWS provider recently added support for AWS Config Conformance Packs (here), with the resource name aws_config_conformance_pack. Adding a conformance pack YAML template through its template_body or template_s3_uri argument works fine. However, when the template contains remediation and terraform apply is run again, it throws an error. Here is a snippet of the trace-level log:
-----------------------------------------------------: timestamp=2021-03-18T19:09:54.280+0500
2021-03-18T19:09:54.281+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:09:54 [DEBUG] [aws-sdk-go] {"ConformancePackStatusDetails":[{"ConformancePackArn":"arn:aws:config:us-east-1:888507318922:conformance-pack/config-rules/conformance-pack-enosqtnho","ConformancePackId":"conformance-pack-enosqtnho","ConformancePackName":"config-rules","ConformancePackState":"CREATE_IN_PROGRESS","LastUpdateRequestedTime":1.616076485394E9}]}: timestamp=2021-03-18T19:09:54.280+0500
2021-03-18T19:09:54.281+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:09:54 [TRACE] Waiting 10s before next try: timestamp=2021-03-18T19:09:54.280+0500
2021/03/18 19:09:56 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:09:56 [TRACE] dag/walk: vertex "root" is waiting for "provider[\"registry.terraform.io/hashicorp/aws\"] (close)"
2021/03/18 19:09:56 [TRACE] dag/walk: vertex "Meta.count-boundary (EachMode fixup)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:10:01 [TRACE] dag/walk: vertex "Meta.count-boundary (EachMode fixup)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:10:01 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" is waiting for "aws_config_conformance_pack.config_rules"
2021/03/18 19:10:01 [TRACE] dag/walk: vertex "root" is waiting for "provider[\"registry.terraform.io/hashicorp/aws\"] (close)"
2021-03-18T19:10:04.284+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:04 [DEBUG] [aws-sdk-go] DEBUG: Request config/DescribeConformancePackStatus Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: config.us-east-1.amazonaws.com
User-Agent: aws-sdk-go/1.37.24 (go1.16; linux; amd64) APN/1.0 HashiCorp/1.0 terraform/0.13.5 (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws)
Content-Length: 41
Authorization: AWS4-HMAC-SHA256 Credential=AKIA45XZJYKFL3OPHJR7/20210318/us-east-1/config/aws4_request,SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target,Signature=6736b332ec580a08ce5968621bc9a4d4c16239c96799723fbb0abf0c608bdac8
Content-Type: application/x-amz-json-1.1
X-Amz-Date: 20210318T141004Z
X-Amz-Target: StarlingDoveService.DescribeConformancePackStatus
Accept-Encoding: gzip
{"ConformancePackNames":["config-rules"]}
-----------------------------------------------------: timestamp=2021-03-18T19:10:04.284+0500
2021-03-18T19:10:05.392+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:05 [DEBUG] [aws-sdk-go] DEBUG: Response config/DescribeConformancePackStatus Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 478
Content-Type: application/x-amz-json-1.1
Date: Thu, 18 Mar 2021 14:10:05 GMT
Strict-Transport-Security: max-age=86400
X-Amzn-Requestid: e525c4df-6dc0-47e0-abc8-7a123f0667be
-----------------------------------------------------: timestamp=2021-03-18T19:10:05.391+0500
2021-03-18T19:10:05.392+0500 [INFO] plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/18 19:10:05 [DEBUG] [aws-sdk-go] {"ConformancePackStatusDetails":[{"ConformancePackArn":"arn:aws:config:us-east-1:888507318922:conformance-pack/config-rules/conformance-pack-enosqtnho","ConformancePackState":"CREATE_FAILED","ConformancePackStatusReason":"An internal error has occurred in the service. Please try again at a later time.","LastUpdateCompletedTime":1.616076603702E9,"LastUpdateRequestedTime":1.616076485394E9}]}: timestamp=2021-03-18T19:10:05.392+0500
2021/03/18 19:10:05 [DEBUG] aws_config_conformance_pack.config_rules: apply errored, but we're indicating that via the Error pointer rather than returning it: error waiting for Config Conformance Pack (config-rules) to be created: An internal error has occurred in the service. Please try again at a later time.
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalMaybeTainted
2021/03/18 19:10:05 [TRACE] EvalMaybeTainted: aws_config_conformance_pack.config_rules encountered an error during creation, so it is now marked as tainted
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalWriteState
2021/03/18 19:10:05 [TRACE] EvalWriteState: recording 3 dependencies for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] EvalWriteState: writing current state object for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalApplyProvisioners
2021/03/18 19:10:05 [TRACE] EvalApplyProvisioners: aws_config_conformance_pack.config_rules is tainted, so skipping provisioning
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalMaybeTainted
2021/03/18 19:10:05 [TRACE] EvalMaybeTainted: aws_config_conformance_pack.config_rules was already tainted, so nothing to do
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalWriteState
2021/03/18 19:10:05 [TRACE] EvalWriteState: recording 3 dependencies for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] EvalWriteState: writing current state object for aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalIf
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalIf
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalWriteDiff
2021/03/18 19:10:05 [TRACE] eval: *terraform.EvalApplyPost
2021/03/18 19:10:05 [ERROR] eval: *terraform.EvalApplyPost,err: error waiting for Config Conformance Pack (config-rules) to be created: An internal error has occurred in the service. Please try again at a later time.
2021/03/18 19:10:05 [ERROR] eval: *terraform.EvalSequence,err: error waiting for Config Conformance Pack (config-rules) to be created: An internal error has occurred in the service. Please try again at a later time.
2021/03/18 19:10:05 [TRACE] [walkApply] Exiting eval tree: aws_config_conformance_pack.config_rules
2021/03/18 19:10:05 [TRACE] vertex "aws_config_conformance_pack.config_rules": visit complete
2021/03/18 19:10:05 [TRACE] dag/walk: upstream of "Meta.count-boundary (EachMode fixup)" errored, so skipping
2021/03/18 19:10:05 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/aws\"] (close)" errored, so skipping
2021/03/18 19:10:05 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: have already backed up original terraform.tfstate to terraform.tfstate.backup on a previous write
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 366
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: removing lock Metadata file .terraform.tfstate.lock.info
2021/03/18 19:10:05 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2021-03-18T19:10:05.417+0500 [WARN] plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-03-18T19:10:05.428+0500 [DEBUG] plugin: plugin process exited: path=.terraform/plugins/registry.terraform.io/hashicorp/aws/3.32.0/linux_amd64/terraform-provider-aws_v3.32.0_x5 pid=78208
2021-03-18T19:10:05.428+0500 [DEBUG] plugin: plugin exited
Here is the sample template:
Parameters:
  allowedTcpPorts:
    Default: "80,443"
    Type: String
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      MaximumExecutionFrequency: Six_Hours
  S3BucketPublicReadProhibitedRemediation:
    DependsOn: S3BucketPublicReadProhibited
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      ResourceType: "AWS::S3::Bucket"
      TargetId: "AWS-disableS3BucketPublicReadWrite"
      TargetType: "SSM_DOCUMENT"   # property names are case-sensitive
      TargetVersion: "1"
      Parameters:
        S3BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"
      ExecutionControls:
        SsmControls:
          ConcurrentExecutionRatePercentage: 10
          ErrorPercentage: 10
      Automatic: True
      MaximumAutomaticAttempts: 10
      RetryAttemptSeconds: 600
  DefaultSecurityGroupClosed:
    Properties:
      ConfigRuleName: DefaultSecurityGroupClosed
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::VPC
      Source:
        Owner: AWS
        SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
    Type: AWS::Config::ConfigRule
  DefaultSecurityGroupClosedRemediation:
    DependsOn: DefaultSecurityGroupClosed
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: DefaultSecurityGroupClosed
      ResourceType: AWS::EC2::SecurityGroup
      TargetId: AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules
      TargetType: SSM_DOCUMENT   # property names are case-sensitive
      TargetVersion: 1
      Parameters:
        GroupId:
          ResourceValue:
            Value: "RESOURCE_ID"
        AutomationAssumeRole:
          StaticValue:
            Values: ["arn:aws:iam::888507318922:role/aws-service-role/remediation.config.amazonaws.com/AWSServiceRoleForConfigRemediation"]
      Automatic: True
      MaximumAutomaticAttempts: 2
      RetryAttemptSeconds: 60
  VpcSgOpenOnlyToAuthorizedPorts:
    Properties:
      ConfigRuleName: VpcSgOpenOnlyToAuthorizedPorts
      InputParameters:
        authorizedTcpPorts:
          Fn::If:
            - allowedTcpPorts
            - Ref: allowedTcpPorts
            - Ref: AWS::NoValue
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
    Type: AWS::Config::ConfigRule
Conditions:
  allowedTcpPorts:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: allowedTcpPorts
This template works fine when the remediation resources, S3BucketPublicReadProhibitedRemediation and DefaultSecurityGroupClosedRemediation, are removed from it.
Versions currently in use:
- Terraform: v0.13.5
- terraform-provider-aws: v3.32.0
I am trying to follow all the AWS and Terraform documentation related to this. What am I doing wrong here? Any help would be appreciated.
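A local pre-apply check for the remediation wiring in a template like the one above, added here as an example and not taken from the original post or the Terraform provider. It takes an already-parsed template (a dict, as a YAML loader would produce) and flags property-name case slips, unmatched ConfigRuleName/DependsOn pairs, automatic remediation without retry bounds, and out-of-range SSM execution controls; the sample template and the rule that Automatic requires both retry bounds are assumptions for this example.

```python
RULE = "AWS::Config::ConfigRule"
REMEDIATION = "AWS::Config::RemediationConfiguration"
# Property names accepted by AWS::Config::RemediationConfiguration (case-sensitive).
REMEDIATION_KEYS = {"ConfigRuleName", "TargetId", "TargetType", "TargetVersion",
                    "ResourceType", "Parameters", "ExecutionControls", "Automatic",
                    "MaximumAutomaticAttempts", "RetryAttemptSeconds"}

def lint_remediations(template):
    """Return human-readable findings for a parsed conformance pack template ([] = clean)."""
    resources = template.get("Resources", {})
    # ConfigRuleName -> logical id, so each remediation can be matched to its rule
    rules = {r.get("Properties", {}).get("ConfigRuleName", lid): lid
             for lid, r in resources.items() if r.get("Type") == RULE}
    findings = []
    for lid, res in resources.items():
        if res.get("Type") != REMEDIATION:
            continue
        props = res.get("Properties", {})
        for key in props:  # catch case slips such as 'targettype'
            if key not in REMEDIATION_KEYS:
                hint = next((k for k in REMEDIATION_KEYS if k.lower() == key.lower()), None)
                findings.append(f"{lid}: unknown property '{key}'"
                                + (f" (did you mean '{hint}'?)" if hint else ""))
        for key in ("ConfigRuleName", "TargetId", "TargetType"):
            if key not in props:
                findings.append(f"{lid}: missing required property '{key}'")
        rule = props.get("ConfigRuleName")
        if rule is not None and rule not in rules:
            findings.append(f"{lid}: ConfigRuleName '{rule}' matches no ConfigRule in this template")
        elif rule is not None and res.get("DependsOn") != rules[rule]:
            findings.append(f"{lid}: DependsOn should name '{rules[rule]}' so the rule exists first")
        # Assumed requirement for this check: automatic remediation declares both retry bounds
        if props.get("Automatic") and not {"MaximumAutomaticAttempts", "RetryAttemptSeconds"} <= set(props):
            findings.append(f"{lid}: Automatic remediation needs MaximumAutomaticAttempts and RetryAttemptSeconds")
        ssm = props.get("ExecutionControls", {}).get("SsmControls", {})
        for key in ("ConcurrentExecutionRatePercentage", "ErrorPercentage"):
            if key in ssm and not 1 <= ssm[key] <= 100:
                findings.append(f"{lid}: {key} must be between 1 and 100")
    return findings

# Constructed sample mirroring the post's S3 rule and remediation; the lowercased
# 'targettype' key stands in for a slip that is easier to catch here than as CREATE_FAILED.
SAMPLE_TEMPLATE = {"Resources": {
    "S3BucketPublicReadProhibited": {"Type": RULE, "Properties": {
        "ConfigRuleName": "S3BucketPublicReadProhibited",
        "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}}},
    "S3BucketPublicReadProhibitedRemediation": {"Type": REMEDIATION, "DependsOn": "S3BucketPublicReadProhibited",
        "Properties": {"ConfigRuleName": "S3BucketPublicReadProhibited", "TargetId": "AWS-DisableS3BucketPublicReadWrite",
                       "targettype": "SSM_DOCUMENT", "Automatic": True,
                       "MaximumAutomaticAttempts": 10, "RetryAttemptSeconds": 600}}}}

if __name__ == "__main__":
    print(*lint_remediations(SAMPLE_TEMPLATE), sep="\n")
```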