Terraform 地形aws\u流量\u日志未添加IAM角色ARN_Terraform_Amazon Vpc

Terraform 地形aws\u流量\u日志未添加IAM角色ARN

terraform

Terraform 地形aws\u流量\u日志未添加IAM角色ARN,terraform,amazon-vpc,Terraform,Amazon Vpc,每次运行terraform apply时，都需要更改aws\u flow\u log资源的每个实例 # module.us-west-2.aws_flow_log.flow_log[1] must be replaced -/+ resource "aws_flow_log" "flow_log" { ... + iam_role_arn = "arn:aws:iam::xxx:role/vpc-f

每次运行

terraform apply

时，都需要更改

aws\u flow\u log

资源的每个实例

# module.us-west-2.aws_flow_log.flow_log[1] must be replaced
-/+ resource "aws_flow_log" "flow_log" {
      ...
      + iam_role_arn             = "arn:aws:iam::xxx:role/vpc-flow-log-role" # forces replacement
      ...

当我在AWS控制台中访问vpc时，我看到IAM角色ARN不存在。

还有其他人遇到过这个问题吗？本例中的日志目标是s3存储桶，而不是

cloudwatch\u log\u组

。所以，这是无关紧要的：。

我解决了我的问题。如果

log\u destination

设置为s3 bucket，则无需指定

iam\u角色\u arn

您只需从资源中删除参数，如下所示：

resource aws_flow_log flow_log{
    log_destination = var.log_destination
    log_destination_type = var.log_destination_type
    traffic_type = var.traffic_type
    vpc_id = var.aws_vpc_id
    depends_on = [ var.log_destination ]
}

而不是

resource aws_flow_log flow_log{
    iam_role_arn = aws_iam_role.vpc_flow_log.arn
    log_destination = var.log_destination
    log_destination_type = var.log_destination_type
    traffic_type = var.traffic_type
    vpc_id = var.aws_vpc_id
    depends_on = [ var.log_destination ]
}

在这种情况下，

var.log\u destination\u type

是“s3”