当我尝试在Terraform中创建Kinesis Firehose交付时,我一直收到此错误:
Error: error creating Kinesis Firehose Delivery Stream: InvalidArgumentException: Firehose is unable to assume role arn:aws:iam::173115710334:role/XXX_kinesis_role. Please check the role provided.
相关的Terraform代码如下:
resource "aws_iam_role" "kinesis_role" {
name = "XXX_kinesis_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "kinesis.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_kinesis_firehose_delivery_stream" "log_stream_firehose" {
name = "log_stream_firehose"
destination = "extended_s3"
kinesis_source_configuration {
kinesis_stream_arn = aws_kinesis_stream.log_stream.arn
role_arn = aws_iam_role.kinesis_role.arn
}
extended_s3_configuration {
role_arn = aws_iam_role.firehose_role.arn
bucket_arn = aws_s3_bucket.messages_bucket.arn
prefix = "log_table/"
buffer_size = 64
buffer_interval = 60
data_format_conversion_configuration {
input_format_configuration {
deserializer {
open_x_json_ser_de {}
}
}
output_format_configuration {
serializer {
parquet_ser_de {}
}
}
schema_configuration {
database_name = "default"
role_arn = aws_iam_role.glue_role.arn
table_name = aws_glue_catalog_table.glue_log_table.name
}
}
}
}
我不知道是什么问题。我在这里想念什么?
更新:Terraform的完整输出:
aws_iam_policy.ecoplant_policy: Creating...
aws_iam_role.glue_role: Creating...
aws_kinesis_stream.self_ping_stream: Creating...
aws_iam_role.firehose_role: Creating...
aws_kinesis_stream.sample_stream: Creating...
aws_kinesis_stream.main_stream: Creating...
aws_iam_role.kinesis_role: Creating...
aws_kinesis_stream.log_stream: Creating...
aws_kinesis_stream.status_stream: Creating...
aws_s3_bucket.messages_bucket: Creating...
aws_iam_role.kinesis_role: Creation complete after 1s [id=ecoplant_kinesis_role]
aws_iam_role.firehose_role: Creation complete after 1s [id=ecoplant_firehose_role]
aws_iam_role.glue_role: Creation complete after 1s [id=ecoplant_glue_role]
aws_iam_policy.ecoplant_policy: Creation complete after 2s [id=arn:aws:iam::173115710334:policy/ecoplant-policy]
aws_iam_role_policy_attachment.attachment: Creating...
aws_iam_role_policy_attachment.attachment: Creation complete after 2s [id=ecoplant_kinesis_role-20200401150055588200000001]
aws_kinesis_stream.self_ping_stream: Still creating... [10s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [10s elapsed]
aws_kinesis_stream.main_stream: Still creating... [10s elapsed]
aws_kinesis_stream.log_stream: Still creating... [10s elapsed]
aws_kinesis_stream.status_stream: Still creating... [10s elapsed]
aws_s3_bucket.messages_bucket: Still creating... [10s elapsed]
aws_s3_bucket.messages_bucket: Creation complete after 16s [id=ecoplant-messages-test-bucket]
aws_glue_catalog_table.glue_status_table: Creating...
aws_glue_catalog_table.glue_sample_table: Creating...
aws_glue_catalog_table.glue_self_ping_table: Creating...
aws_glue_catalog_table.glue_log_table: Creating...
aws_glue_catalog_table.glue_self_ping_table: Creation complete after 2s [id=173115710334:default:self_ping_table]
aws_glue_catalog_table.glue_status_table: Creation complete after 2s [id=173115710334:default:status_table]
aws_glue_catalog_table.glue_sample_table: Creation complete after 2s [id=173115710334:default:sample_table]
aws_glue_catalog_table.glue_log_table: Creation complete after 2s [id=173115710334:default:log_table]
aws_kinesis_stream.self_ping_stream: Still creating... [20s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [20s elapsed]
aws_kinesis_stream.main_stream: Still creating... [20s elapsed]
aws_kinesis_stream.log_stream: Still creating... [20s elapsed]
aws_kinesis_stream.status_stream: Still creating... [20s elapsed]
aws_kinesis_stream.self_ping_stream: Still creating... [30s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [30s elapsed]
aws_kinesis_stream.main_stream: Still creating... [30s elapsed]
aws_kinesis_stream.log_stream: Still creating... [30s elapsed]
aws_kinesis_stream.status_stream: Still creating... [30s elapsed]
aws_kinesis_stream.self_ping_stream: Still creating... [40s elapsed]
aws_kinesis_stream.sample_stream: Still creating... [40s elapsed]
aws_kinesis_stream.main_stream: Still creating... [40s elapsed]
aws_kinesis_stream.log_stream: Still creating... [40s elapsed]
aws_kinesis_stream.status_stream: Still creating... [40s elapsed]
aws_kinesis_stream.log_stream: Creation complete after 47s [id=arn:aws:kinesis:us-east-2:173115710334:stream/log_stream]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Creating...
aws_kinesis_stream.main_stream: Creation complete after 47s [id=arn:aws:kinesis:us-east-2:173115710334:stream/ecoplant_messages]
aws_kinesis_stream.self_ping_stream: Creation complete after 48s [id=arn:aws:kinesis:us-east-2:173115710334:stream/self_ping_stream]
aws_kinesis_stream.status_stream: Creation complete after 48s [id=arn:aws:kinesis:us-east-2:173115710334:stream/status_stream]
aws_kinesis_stream.sample_stream: Creation complete after 48s [id=arn:aws:kinesis:us-east-2:173115710334:stream/sample_stream]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [10s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [20s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [30s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [40s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [50s elapsed]
aws_kinesis_firehose_delivery_stream.log_stream_firehose: Still creating... [1m0s elapsed]
Error: error creating Kinesis Firehose Delivery Stream: InvalidArgumentException: Firehose is unable to assume role arn:aws:iam::173115710334:role/ecoplant_kinesis_role. Please check the role provided.
on ecoplant_firehose.tf line 105, in resource "aws_kinesis_firehose_delivery_stream" "log_stream_firehose":
105: resource "aws_kinesis_firehose_delivery_stream" "log_stream_firehose" {
data "aws_iam_policy_document" "allow_assume_firehose" {
statement {
sid = "${replace("${title(var.PROJECT)}${title(var.ENV)}AllowAssumeFirehoseForS3", "/[-_.]/", "")}"
principals {
type = "Service"
identifiers = [
"firehose.amazonaws.com" <--------------------- NOT kinesis but firehose
]
}
effect = "Allow"
actions = [
"sts:AssumeRole"
]
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${data.aws_caller_identity.current.account_id}"
]
}
}
}