Я использую Terraform для развертывания (и обновления) CloudFront. Первое развертывание работает отлично, но при втором развертывании создается новый дистрибутив CF вместо обновления предыдущего.
Я использовал эту ссылку для создания файла terraform, но ничего не говорится об обновлении дистрибутива.
Я подозреваю, что создание нового дистрибутива вместо обновления предыдущего связано с origin_access_identity (OAI). Похоже, что каждый раз создается новый OAI, который затем используется в качестве источника.
Редактировать: я жестко закодировал OAI, используя тот из предыдущего развертывания,
s3_origin_config {
  # Hard-coded OAI path copied from the first deployment; the reference to the
  # aws_cloudfront_origin_access_identity.oia resource is kept below, commented out.
  # origin_access_identity = "${aws_cloudfront_origin_access_identity.oia.cloudfront_access_identity_path}"
  origin_access_identity = "origin-access-identity/cloudfront/E3IILPWMC6EHO"
}
чтобы посмотреть, будет ли это обновлять дистрибутив, — но нет, он продолжает создавать его с нуля.
Есть предложения, как это решить?
Код Terraform:
# Input variables: the provider credentials. No defaults are set, so the key
# material is supplied at plan/apply time (-var, a *.tfvars file or TF_VAR_*
# environment variables) and is not embedded in this file.
variable "AWS_PERSONAL_SECRET_KEY" {}
variable "AWS_PERSONAL_ACCESS_KEY" {}
# Configure the provider
provider "aws" {
  region = "us-east-1"

  # Static credentials taken from the two input variables above. The provider
  # can also read AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or a shared
  # credentials profile, which keeps the keys out of *.tfvars files entirely.
  access_key = "${var.AWS_PERSONAL_ACCESS_KEY}"
  secret_key = "${var.AWS_PERSONAL_SECRET_KEY}"
}
# The bucket name lives in a variable so the bucket policy document (which the
# bucket itself consumes) can build the bucket ARN without referencing the
# bucket resource — otherwise the two would form a cycle.
variable "bucket_name" {
  default = "scf-website"
  type    = "string"
}
# Bucket policy: only the CloudFront origin access identity (OAI) may read
# objects; end users must never reach the bucket directly.
data "aws_iam_policy_document" "s3_policy" {
  statement {
    effect = "Allow"

    # The OAI's IAM ARN is the sole principal. Because this references the OAI
    # resource, the document is regenerated whenever the OAI is (re)created.
    principals {
      identifiers = ["${aws_cloudfront_origin_access_identity.oia.iam_arn}"]
      type        = "AWS"
    }

    actions = ["s3:GetObject"]

    # Built from var.bucket_name rather than the bucket resource: the bucket's
    # policy argument depends on this document, so referencing the bucket here
    # would create a cycle.
    resources = ["arn:aws:s3:::${var.bucket_name}/*"]
  }
}
# Create the private bucket that holds the site
resource "aws_s3_bucket" "a_static_website" {
  bucket = "${var.bucket_name}"
  policy = "${data.aws_iam_policy_document.s3_policy.json}"

  # Private: reads come through CloudFront, which the policy above allows via
  # the OAI. ("public-read" was the earlier choice and is left disabled.)
  # acl = "public-read"
  acl = "private"

  # NOTE(review): the distribution's origin uses bucket_regional_domain_name
  # (the REST endpoint), not the website endpoint, so CloudFront does not serve
  # from this website configuration — presumably kept for direct testing;
  # confirm it is still wanted.
  website {
    error_document = "error.html"
    index_document = "index.html"
  }
}
# Upload index.html
resource "aws_s3_bucket_object" "index_page" {
  key          = "index.html"
  source       = "index.html"
  content_type = "text/html"
  bucket       = "${aws_s3_bucket.a_static_website.bucket}"

  # The object stays private: CloudFront reads it through the OAI granted
  # s3:GetObject in the bucket policy, so a public ACL is not required.
  # acl = "public-read"
  acl = "private"
}
# Upload error.html
resource "aws_s3_bucket_object" "error_page" {
  key          = "error.html"
  source       = "error.html"
  content_type = "text/html"
  bucket       = "${aws_s3_bucket.a_static_website.bucket}"

  # Same as index.html: private object, served only through the OAI that the
  # bucket policy allows; no public ACL needed.
  # acl = "public-read"
  acl = "private"
}
# Create Origin Access Identity
# Referenced in two places: its iam_arn is the principal of
# data.aws_iam_policy_document.s3_policy, and its cloudfront_access_identity_path
# is the s3_origin_config of aws_cloudfront_distribution.cfd.
resource "aws_cloudfront_origin_access_identity" "oia" {
  comment = "This resource has only one argument, comment, and it is optional."
}
# Configure the CloudFront distribution
#
# NOTE(review): the plan output further down lists all five resources as "+"
# (bucket, both objects, OAI and this distribution) with "0 to change". That
# looks like the state from the first run is not available to the second run
# (e.g. a local terraform.tfstate that was not carried over) rather than a
# problem with the OAI — hard-coding the OAI path cannot change that. In
# us-east-1, re-creating a bucket you already own presumably does not error,
# which would be why only the duplicate distribution is noticed. Confirm the
# state backend before changing the resources below.
resource "aws_cloudfront_distribution" "cfd" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

  # Default CloudFront certificate. The plan shows this leaves
  # minimum_protocol_version at "TLSv1"; raising it requires a custom
  # (ACM/IAM) certificate instead of the default one.
  viewer_certificate {
    cloudfront_default_certificate = true
  }

  # Serve only the four listed countries.
  restrictions {
    geo_restriction {
      locations        = ["US", "CA", "GB", "DE"]
      restriction_type = "whitelist"
    }
  }

  # Private S3 origin reached through the OAI (REST endpoint, not the website endpoint).
  origin {
    origin_id   = "${aws_s3_bucket.a_static_website.id}"
    domain_name = "${aws_s3_bucket.a_static_website.bucket_regional_domain_name}"

    s3_origin_config {
      origin_access_identity = "${aws_cloudfront_origin_access_identity.oia.cloudfront_access_identity_path}"
    }
  }

  # Read-only methods, HTTPS enforced, no cookies or query strings in the cache key.
  default_cache_behavior {
    target_origin_id       = "${aws_s3_bucket.a_static_website.id}"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["HEAD", "GET"]
    cached_methods         = ["HEAD", "GET"]

    forwarded_values {
      headers      = ["Origin"]
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  # Without this, AWS returns its default error page instead of ours.
  custom_error_response {
    error_code         = 404
    response_code      = 200
    response_page_path = "/error.html"
  }
}
План Terraform:
id: <computed>
json: <computed>
statement.#: "1"
statement.0.actions.#: "1"
statement.0.actions.2071725391: "s3:GetObject"
statement.0.effect: "Allow"
statement.0.principals.#: "1"
statement.0.principals.~3303760437.identifiers.#: <computed>
statement.0.principals.~3303760437.type: "AWS"
statement.0.resources.#: "1"
statement.0.resources.1943396215: "arn:aws:s3:::scf-website/*"
+ aws_cloudfront_distribution.cfd
id: <computed>
active_trusted_signers.%: <computed>
arn: <computed>
caller_reference: <computed>
custom_error_response.#: "1"
custom_error_response.2936347672.error_caching_min_ttl: ""
custom_error_response.2936347672.error_code: "404"
custom_error_response.2936347672.response_code: "200"
custom_error_response.2936347672.response_page_path: "/error.html"
default_cache_behavior.#: "1"
default_cache_behavior.~1523641885.allowed_methods.#: "2"
default_cache_behavior.~1523641885.allowed_methods.0: "HEAD"
default_cache_behavior.~1523641885.allowed_methods.1: "GET"
default_cache_behavior.~1523641885.cached_methods.#: "2"
default_cache_behavior.~1523641885.cached_methods.0: "HEAD"
default_cache_behavior.~1523641885.cached_methods.1: "GET"
default_cache_behavior.~1523641885.compress: "false"
default_cache_behavior.~1523641885.default_ttl: "86400"
default_cache_behavior.~1523641885.field_level_encryption_id: ""
default_cache_behavior.~1523641885.forwarded_values.#: "1"
default_cache_behavior.~1523641885.forwarded_values.563318458.cookies.#: "1"
default_cache_behavior.~1523641885.forwarded_values.563318458.cookies.2625240281.forward: "none"
default_cache_behavior.~1523641885.forwarded_values.563318458.cookies.2625240281.whitelisted_names.#: "0"
default_cache_behavior.~1523641885.forwarded_values.563318458.headers.#: "1"
default_cache_behavior.~1523641885.forwarded_values.563318458.headers.0: "Origin"
default_cache_behavior.~1523641885.forwarded_values.563318458.query_string: "false"
default_cache_behavior.~1523641885.forwarded_values.563318458.query_string_cache_keys.#: "0"
default_cache_behavior.~1523641885.lambda_function_association.#: "0"
default_cache_behavior.~1523641885.max_ttl: "31536000"
default_cache_behavior.~1523641885.min_ttl: "0"
default_cache_behavior.~1523641885.smooth_streaming: ""
default_cache_behavior.~1523641885.target_origin_id: "${aws_s3_bucket.a_static_website.id}"
default_cache_behavior.~1523641885.trusted_signers.#: "0"
default_cache_behavior.~1523641885.viewer_protocol_policy: "redirect-to-https"
default_root_object: "index.html"
domain_name: <computed>
enabled: "true"
etag: <computed>
hosted_zone_id: <computed>
http_version: "http2"
in_progress_validation_batches: <computed>
is_ipv6_enabled: "true"
last_modified_time: <computed>
origin.#: "1"
origin.~3433826240.custom_header.#: "0"
origin.~3433826240.custom_origin_config.#: "0"
origin.~3433826240.domain_name: "${aws_s3_bucket.a_static_website.bucket_regional_domain_name}"
origin.~3433826240.origin_id: "${aws_s3_bucket.a_static_website.id}"
origin.~3433826240.origin_path: ""
origin.~3433826240.s3_origin_config.#: "1"
origin.~3433826240.s3_origin_config.~2934106515.origin_access_identity: "${aws_cloudfront_origin_access_identity.oia.cloudfront_access_identity_path}"
price_class: "PriceClass_All"
restrictions.#: "1"
restrictions.811065190.geo_restriction.#: "1"
restrictions.811065190.geo_restriction.1303118592.locations.#: "4"
restrictions.811065190.geo_restriction.1303118592.locations.0: "US"
restrictions.811065190.geo_restriction.1303118592.locations.1: "CA"
restrictions.811065190.geo_restriction.1303118592.locations.2: "GB"
restrictions.811065190.geo_restriction.1303118592.locations.3: "DE"
restrictions.811065190.geo_restriction.1303118592.restriction_type: "whitelist"
retain_on_delete: "false"
status: <computed>
viewer_certificate.#: "1"
viewer_certificate.69840937.acm_certificate_arn: ""
viewer_certificate.69840937.cloudfront_default_certificate: "true"
viewer_certificate.69840937.iam_certificate_id: ""
viewer_certificate.69840937.minimum_protocol_version: "TLSv1"
viewer_certificate.69840937.ssl_support_method: ""
+ aws_cloudfront_origin_access_identity.oia
id: <computed>
caller_reference: <computed>
cloudfront_access_identity_path: <computed>
comment: "This resource has only one argument, comment, and it is optional."
etag: <computed>
iam_arn: <computed>
s3_canonical_user_id: <computed>
+ aws_s3_bucket.a_static_website
id: <computed>
acceleration_status: <computed>
acl: "private"
arn: <computed>
bucket: "scf-website"
bucket_domain_name: <computed>
bucket_regional_domain_name: <computed>
force_destroy: "false"
hosted_zone_id: <computed>
policy: "${data.aws_iam_policy_document.s3_policy.json}"
region: <computed>
request_payer: <computed>
versioning.#: <computed>
website.#: "1"
website.0.error_document: "error.html"
website.0.index_document: "index.html"
website_domain: <computed>
website_endpoint: <computed>
+ aws_s3_bucket_object.error_page
id: <computed>
acl: "private"
bucket: "scf-website"
content_type: "text/html"
etag: <computed>
key: "error.html"
server_side_encryption: <computed>
source: "error.html"
storage_class: <computed>
version_id: <computed>
+ aws_s3_bucket_object.index_page
id: <computed>
acl: "private"
bucket: "scf-website"
content_type: "text/html"
etag: <computed>
key: "index.html"
server_side_encryption: <computed>
source: "index.html"
storage_class: <computed>
version_id: <computed>
Plan: 5 to add, 0 to change, 0 to destroy.