Why does an AWS Glue Resource Policy fail with "principal does not exist" when the principal (role) actually exists?

Published 2025-02-12 09:05:49 · 2,119 characters · 1 view · 0 comments

In Terraform I am trying to create a Glue Resource Policy which allows a specific IAM Role to use the Glue resources.

Relevant TF snippets as below:

# Execution role for the Step Functions state machine that will read the Glue catalog.
resource "aws_iam_role" "process_banking_data_sfn" {
  name = "process_banking_data_sfn"

  # Trust policy: only the Step Functions service may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "states.amazonaws.com"
        }
      }
    ]
  })
}

# Resource-based policy document for the Glue Data Catalog: lets the role above
# call glue:GetTable on any Glue resource in the target account and region.
data "aws_iam_policy_document" "allow_glue_catalog_access" {
  statement {
    actions = [
      "glue:GetTable",
    ]
    resources = ["arn:aws:glue:${var.aws_region}:${var.aws_target_account_number}:*"]
    principals {
      identifiers = [
        aws_iam_role.process_banking_data_sfn.arn
      ]
      type = "AWS"
    }
  }
}

# The Data Catalog has one resource policy per account and region; this resource
# PUTs the document above. This is the step that fails on the first apply.
resource "aws_glue_resource_policy" "glue_resource_policy" {
  policy = data.aws_iam_policy_document.allow_glue_catalog_access.json
}

On terraform apply, the following error occurs:

Error: error putting policy request: InvalidInputException: One of the principals in the policy does not exist.
│
│   with module.banking_analyses.aws_glue_resource_policy.glue_resource_policy,
│   on ../../modules/banking_analyses/glue_data_catalog.tf line 134, in resource "aws_glue_resource_policy" "glue_resource_policy":

When terraform apply is run a second time, the Glue Resource Policy is created just fine.

Things I have already tried:

  • Replacing the aws_iam_policy_document with an inline (<<EOF) policy
  • Adding a depends_on [aws_iam_role.process_banking_data_sfn] to the aws_iam_policy_document
  • Adding a delay / sleep of 10 seconds before creating the Glue Resource Policy

These fail. Interestingly, if I stop trying to reference the IAM Role as the Principal and instead use the ARN of the account root, the Terraform applies first time without complaint (however, this is totally useless for my actual needs; I was just isolating a proof that it is the IAM Role that is the source of the error message).

If I refresh the AWS UI during the failing apply process, I can see that the role "process_banking_data_sfn" is created very early in the apply process, long before the Glue Resource Policy creation fails.

Any experienced advice would be GREATLY appreciated.

Edit:

On reflection I think it’s significant that to the Terraform process it appears that we know the ARN of the Role already. It’s clearly been created. Plus, I checked the logs, and the unique ID of the role remains constant across both apply runs (the failing one and the successful one), so it seems to me the error is generated by AWS when at the back end the process validates the existence of the Principal. This may sound obvious, but I think the clue is in the fact that we (Terraform) can see the role before AWS can. Therefore I’m wondering if it’s something to do with the non-regional nature of roles and that the new Role isn’t propagating quickly enough to the part of the stack which deals with validating the Glue Resource policy. I’m wondering if perhaps I should use a separate Provider in us-east-1 to do this Glue Resource creation, so it’s “closer” to IAM.
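Editor's added example (not code from the question, and not an answer the page carries): the workaround commonly used in Terraform for this class of IAM eventual-consistency failure. A newly created IAM role is replicated asynchronously, and the Glue PutResourcePolicy call checks every AWS principal ARN in the document against IAM at the moment it runs, so a depends_on on the aws_iam_policy_document only orders the data source read and does nothing to delay the PUT, and a short pause can still be too short. A time_sleep resource from the hashicorp/time provider puts an explicit barrier between creating the role and the PUT, and its triggers map re-runs the wait if the role is ever replaced. The role, variable and resource names are taken from the question; the 30s duration, the time provider, the database name banking and the narrower catalog/database/table ARNs are assumptions to adjust.

```hcl
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    time = { source = "hashicorp/time" } # assumption: version pinning left to the lockfile
  }
}

variable "aws_region" { type = string }
variable "aws_target_account_number" { type = string }

provider "aws" {
  region = var.aws_region
}

# Role from the question, unchanged: assumable only by Step Functions.
resource "aws_iam_role" "process_banking_data_sfn" {
  name = "process_banking_data_sfn"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "states.amazonaws.com" }
    }]
  })
}

# Explicit barrier: IAM replicates the new role asynchronously, and Glue must be
# able to resolve the principal ARN when PutResourcePolicy is called. 30s is an
# assumed starting point, not a documented bound; raise it if the PUT still fails.
resource "time_sleep" "wait_for_role_propagation" {
  depends_on      = [aws_iam_role.process_banking_data_sfn]
  create_duration = "30s"

  # Any change to the role ARN (role replaced) re-runs the wait.
  triggers = {
    role_arn = aws_iam_role.process_banking_data_sfn.arn
  }
}

# Same grant as in the question, but scoped to the catalog, one database and its
# tables instead of every Glue resource in the region. glue:GetTable needs all
# three ARN kinds. "banking" is an assumed database name.
data "aws_iam_policy_document" "allow_glue_catalog_access" {
  statement {
    sid     = "AllowSfnRoleGetTable"
    effect  = "Allow"
    actions = ["glue:GetTable"]
    resources = [
      "arn:aws:glue:${var.aws_region}:${var.aws_target_account_number}:catalog",
      "arn:aws:glue:${var.aws_region}:${var.aws_target_account_number}:database/banking",
      "arn:aws:glue:${var.aws_region}:${var.aws_target_account_number}:table/banking/*",
    ]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.process_banking_data_sfn.arn]
    }
  }
}

resource "aws_glue_resource_policy" "glue_resource_policy" {
  policy = data.aws_iam_policy_document.allow_glue_catalog_access.json

  # The PUT is now sequenced after the sleep, not merely after the role resource.
  depends_on = [time_sleep.wait_for_role_propagation]
}
```

After a successful apply, `aws glue get-resource-policy` returns the stored document. Resource-based policies store the principal's unique ID behind the ARN, so if that output ever shows an `AROA...` identifier in place of the role ARN, the role was deleted and recreated and the policy must be put again; the `triggers` map above makes Terraform redo the wait and the PUT in that case.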
