Fatal编程技术网
  • amazon-web-services/
  • Amazon web services Terraform,ElasticSearch:错误:InvalidTypeException:错误设置策略

Amazon web services Terraform,ElasticSearch:错误:InvalidTypeException:错误设置策略

amazon-web-services terraform

Amazon web services Terraform,ElasticSearch:错误:InvalidTypeException:错误设置策略,amazon-web-services,terraform,terraform-provider-aws,aws-elasticsearch,Amazon Web Services,Terraform,Terraform Provider Aws,Aws Elasticsearch,我想将以下访问策略附加到ElasticSearch: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Actio

我想将以下访问策略附加到ElasticSearch:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "${resource_arn}/*"
    }
  ]
}
我添加了行
iam\u role\u arns=[“*”]
,但我得到以下错误:

module.elasticsearch.aws\u elasticsearch\u domain\u policy.default[0]:正在创建…
错误:InvalidTypeException:设置策略时出错:

代码如下:

module "elasticsearch" {
  source                  = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.24.1"
  security_groups                = [data.terraform_remote_state.vpc.outputs.default_security_group_id]
  vpc_id                         = data.terraform_remote_state.vpc.outputs.vpc_id
  zone_awareness_enabled         = var.zone_awareness_enabled
  subnet_ids                     = slice(data.terraform_remote_state.vpc.outputs.private_subnets, 0, 2)
  elasticsearch_version          = var.elasticsearch_version
  instance_type                  = var.instance_type
  instance_count                 = var.instance_count
  encrypt_at_rest_enabled        = var.encrypt_at_rest_enabled
  dedicated_master_enabled       = var.dedicated_master_enabled
  create_iam_service_linked_role = var.create_iam_service_linked_role
  kibana_subdomain_name          = var.kibana_subdomain_name
  ebs_volume_size                = var.ebs_volume_size
  dns_zone_id                    = var.dns_zone_id
  kibana_hostname_enabled        = var.kibana_hostname_enabled
  domain_hostname_enabled        = var.domain_hostname_enabled
  allowed_cidr_blocks            = ["0.0.0.0/0"]
  iam_role_arns                  = ["*"]
  advanced_options = {
    "rest.action.multi.allow_explicit_index" = "true"
  }
  context = module.this.context
}
您不能创建这样的开放访问策略,因为您的ES域位于VPC中。正如源代码注释中所解释的,开放访问策略仅适用于IP范围和非专有网络ES域

此声明适用于非专有网络ES,允许从白名单IP范围进行匿名访问,而无需签名请求

只是为了使用

  allowed_cidr_blocks            = ["0.0.0.0/0"]
  iam_role_arns                  = ["*"]
不应导致策略错误。事实上,它应该产生以下结果(我在我的ES域上进行了测试):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*",
          "arn:aws:iam::xxxx:role/es-name"
        ]
      },
      "Resource": [
        "arn:aws:es:us-east-1:xxxxx:domain/es-name/*",
        "arn:aws:es:us-east-1:xxxx:domain/es-name"
      ]
    }
  ]
}