Firehose не может допустить ошибку роли в Terraform - PullRequest
Новая
       45

Firehose не может допустить ошибку роли в Terraform

0 голосов
/ 01 апреля 2020

Я получаю эту ошибку, когда пытаюсь создать доставку Kinesis Firehose в Terraform: 

Error: error creating Kinesis Firehose Delivery Stream: InvalidArgumentException: Firehose is unable to assume role arn:aws:iam::173115710334:role/XXX_kinesis_role. Please check the role provided.

Соответствующий код Terraform выглядит следующим образом: 

resource "aws_iam_role" "kinesis_role" {
  name = "XXX_kinesis_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "kinesis.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_kinesis_firehose_delivery_stream" "log_stream_firehose" {
  name        = "log_stream_firehose"
  destination = "extended_s3"

  kinesis_source_configuration {
    kinesis_stream_arn = aws_kinesis_stream.log_stream.arn
    role_arn           = aws_iam_role.kinesis_role.arn
  }

  extended_s3_configuration {
    role_arn        = aws_iam_role.firehose_role.arn
    bucket_arn      = aws_s3_bucket.messages_bucket.arn
    prefix          = "log_table/"
    buffer_size     = 64
    buffer_interval = 60

    data_format_conversion_configuration {
      input_format_configuration {
        deserializer {
          open_x_json_ser_de {}
        }
      }

      output_format_configuration {
        serializer {
          parquet_ser_de {}
        }
      }

      schema_configuration {
        database_name = "default"
        role_arn      = aws_iam_role.glue_role.arn
        table_name    = aws_glue_catalog_table.glue_log_table.name
      }
    }
  }
}

Я не смог понять в чем проблема. Что мне здесь не хватает?

ОБНОВЛЕНИЕ: Полный вывод Terraform: 

aws_iam_policy.ecoplant_policy: Creating...
aws_iam_role.glue_role: Creating...
aws_kinesis_stream.self_ping_stream: Creating...
aws_iam_role.firehose_role: Creating...
aws_kinesis_stream.sample_stream: Creating...
aws_kinesis_stream.main_stream: Creating...
aws_iam_role.kinesis_role: Creating...
aws_kinesis_stream.log_stream: Creating...
aws_kinesis_stream.status_stream: Creating...
aws_s3_bucket.messages_bucket: Creating...
aws_iam_role.kinesis_role: Creation complete after 1s [id=ecoplant_kinesis_role]
aws_iam_role.firehose_role: Creation complete after 1s [id=ecoplant_firehose_role]
aws_iam_role.glue_role: Creation complete after 1s [id=ecoplant_glue_role]
aws_iam_policy.ecoplant_policy: Creation complete after 2s [id=arn:aws:iam::173115710334:policy/ecoplant-policy]
aws_iam_role_policy_attachment.attachment: Creating...
aws_iam_role_policy_attachment.attachment: Creation complete after 2s [id=ecoplant_kinesis_role-20200401150055588200000001]
aws_kinesis_stream.self_ping_stream: Still creating... [10s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [10s elapsed]
aws_kinesis_stream.main_stream: Still creating... [10s elapsed]
aws_kinesis_stream.log_stream: Still creating... [10s elapsed]
aws_kinesis_stream.status_stream: Still creating... [10s elapsed]
aws_s3_bucket.messages_bucket: Still creating... [10s elapsed]
aws_s3_bucket.messages_bucket: Creation complete after 16s [id=ecoplant-messages-test-bucket]
aws_glue_catalog_table.glue_status_table: Creating...
aws_glue_catalog_table.glue_sample_table: Creating...
aws_glue_catalog_table.glue_self_ping_table: Creating...
aws_glue_catalog_table.glue_log_table: Creating...
aws_glue_catalog_table.glue_self_ping_table: Creation complete after 2s [id=173115710334:default:self_ping_table]
aws_glue_catalog_table.glue_status_table: Creation complete after 2s [id=173115710334:default:status_table]
aws_glue_catalog_table.glue_sample_table: Creation complete after 2s [id=173115710334:default:sample_table]
aws_glue_catalog_table.glue_log_table: Creation complete after 2s [id=173115710334:default:log_table]
aws_kinesis_stream.self_ping_stream: Still creating... [20s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [20s elapsed]
aws_kinesis_stream.main_stream: Still creating... [20s elapsed]
aws_kinesis_stream.log_stream: Still creating... [20s elapsed]
aws_kinesis_stream.status_stream: Still creating... [20s elapsed]
aws_kinesis_stream.self_ping_stream: Still creating... [30s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [30s elapsed]
aws_kinesis_stream.main_stream: Still creating... [30s elapsed]
aws_kinesis_stream.log_stream: Still creating... [30s elapsed]
aws_kinesis_stream.status_stream: Still creating... [30s elapsed]
aws_kinesis_stream.self_ping_stream: Still creating... [40s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [40s elapsed]
aws_kinesis_stream.main_stream: Still creating... [40s elapsed]
aws_kinesis_stream.log_stream: Still creating... [40s elapsed]
aws_kinesis_stream.status_stream: Still creating... [40s elapsed]
aws_kinesis_stream.log_stream: Creation complete after 47s [id=arn:aws:kinesis:us-east-2:173115710334:stream/log_stream]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Creating...
aws_kinesis_stream.main_stream: Creation complete after 47s [id=arn:aws:kinesis:us-east-2:173115710334:stream/ecoplant_messages]
aws_kinesis_stream.self_ping_stream: Creation complete after 48s [id=arn:aws:kinesis:us-east-2:173115710334:stream/self_ping_stream]
aws_kinesis_stream.status_stream: Creation complete after 48s [id=arn:aws:kinesis:us-east-2:173115710334:stream/status_stream]
aws_kinesis_stream.sample_stream: Creation complete after 48s [id=arn:aws:kinesis:us-east-2:173115710334:stream/sample_stream]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [10s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [20s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [30s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [40s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [50s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [1m0s elapsed]

Error: error creating Kinesis Firehose Delivery Stream: InvalidArgumentException: Firehose is unable to assume role arn:aws:iam::173115710334:role/ecoplant_kinesis_role. Please check the role provided.

  on ecoplant_firehose.tf line 105, in resource "aws_kinesis_firehose_delivery_stream" "log_stream_firehose":
 105: resource "aws_kinesis_firehose_delivery_stream" "log_stream_firehose" {

1 Ответ

0 голосов
/ 02 апреля 2020

Похоже, вы указываете неправильный AWS сервис. 

data "aws_iam_policy_document" "allow_assume_firehose" {
  statement {
    sid    = "${replace("${title(var.PROJECT)}${title(var.ENV)}AllowAssumeFirehoseForS3", "/[-_.]/", "")}"
    principals {
      type = "Service"
      identifiers = [
        "firehose.amazonaws.com"     <--------------------- NOT kinesis but firehose
      ]
    }
    effect = "Allow"
    actions = [
      "sts:AssumeRole"
    ]
    condition {
      test = "StringEquals"
      variable = "sts:ExternalId"
      values = [
        "${data.aws_caller_identity.current.account_id}"
      ]
    }
  }
}
Добро пожаловать на сайт PullRequest, где вы можете задавать вопросы и получать ответы от других членов сообщества.

Похожие темы

...