After a long day yesterday, my Pulumi node.js program ran into a problem: it could not delete a simple stack bound to a few AWS resources. I tried various ways of initiating the destroy, but kept getting a Terraform AWS Provider error.
In the past, when I had trouble destroying stack resources, I used the following steps from the settings/options page in the Pulumi web app to recreate the config files.
From the pulumi app:
**Recover configuration
Deleting this stack or this stack's resources requires you to have a Pulumi.yaml file in the same directory.
If you no longer have access to the source code of your Pulumi program, you can recreate the config files with the following commands:**
# Pulumi.yaml
echo "name: inlineNode" > Pulumi.yaml
echo "runtime: nodejs" >> Pulumi.yaml
# Pulumi.dev.yaml
pulumi stack select projectmikey/inlineNode/dev
pulumi config refresh
After running that, I can usually follow up with these two commands to destroy the stack resources and then remove the stack from pulumi...
pulumi destroy -s projectmikey/inlineNode/dev
then
pulumi stack rm projectmikey/inlineNode/dev
But this time I got the following error from Terraform.... ugh....
Previewing destroy (dev)
View in Browser (Ctrl+O): https://app.pulumi.com/projectmikey/inlineNode/dev/previews/<request-id>
Type Name Plan
- pulumi:pulumi:Stack inlineNode-dev delete
- ├─ aws:s3:BucketObject index delete
- ├─ aws:s3:BucketPolicy bucketPolicy delete
- └─ aws:s3:Bucket s3-website-bucket delete
Outputs:
- websiteUrl: "s3-website-bucket-abcdef.s3-website-us-west-1.amazonaws.com"
Resources:
- 4 to delete
Do you want to perform this destroy? yes
etrieving via all available methods. See https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id for workaround and implications. Errors: 2 errors occurred:
* error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: <request-id>
* failed getting account information via iam:ListRoles: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: <request-id>
Resources:
Duration: 2s
From the Pulumi web app:
Changes:
Type Name Status Info
pulumi:pulumi:Stack inlineNode-dev
~ ├─ aws:s3:Bucket s3-website-bucket **refreshing failed**
~ ├─ aws:s3:BucketObject index **refreshing failed**
~ └─ aws:s3:BucketPolicy bucketPolicy **refreshing failed**
Diagnostics:
pulumi:pulumi:Stack (projectmikey/inlineNode/dev)
error: update failed
aws:s3:Bucket (s3-website-bucket)
error: 1 error occurred:
* error configuring Terraform AWS Provider: AWS account ID not previously found and failed retrieving via all available methods. See https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id for workaround and implications. Errors: 2 errors occurred:
* error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: <request-id>
* failed getting account information via iam:ListRoles: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: <request-id>
From the terraform link:
skip_requesting_account_id - (Optional) Whether to skip requesting the account ID. Useful for AWS API implementations that do not have the IAM, STS API, or metadata API. When set to true and not determined previously, returns an empty account ID when manually constructing ARN attributes with the following:
So I tried running
pulumi config set aws:skipRequestingAccountId true
I also tried setting my aws accountId.
But nothing would destroy this stack. The error says the security token is invalid, but I have never used a security token before; I only use the aws access key id, aws secret access key and aws region variables.
After reading a suggestion in another post, I tried creating an aws session token, unsetting my aws credentials, and then exporting them again together with the token...
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_REGION
unset AWS_SESSION_TOKEN
then
aws configure
aws sts get-session-token
then re-entered my credentials...
export AWS_ACCESS_KEY_ID='xxx' &&
export AWS_SECRET_ACCESS_KEY='xxx' &&
export AWS_REGION='xxx' &&
export AWS_SESSION_TOKEN='xxx'
But still no luck...
The other strange part is that, after all of this, I can create a second iteration of the stack under a different name and then destroy it without any problem, so I assume my AWS credentials are working fine...
I am baffled as to what went wrong here; any help would be greatly appreciated.
Thanks in advance
What I understand from the question and the comments:
stack.setConfig("aws:xxx",...)
Your problem may be that Pulumi keeps using the AWS credentials originally specified in the stack configuration to delete the existing resources, but for some reason those "old" credentials no longer work. Even setting the AWS_* environment variables does not help, because the credentials in the config take precedence at runtime.
Some possible solutions:
pulumi config set "aws:accessKey" xxx
pulumi config set "aws:secretKey" xxx
pulumi destroy
Or:
pulumi stack export > state.json
Look up the credentials in your state by the accessKey and secretKey keys, replace them with the correct ones, and then:
pulumi stack import -f < state.json
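An added helper for the export/edit/import option above (example code, not from the question or the answer): it scans a `pulumi stack export` document for the AWS provider resource and replaces the plaintext accessKey/secretKey values before the state is imported back. The state layout is the real one for provider resources but the URNs and key values are constructed; credentials stored as Pulumi secrets appear as objects rather than strings and are left untouched (they are only in the clear if exported with --show-secrets).

```python
import copy

# Constructed sample of a `pulumi stack export` document, reduced to the fields
# this script inspects; URNs and credential values are made up for illustration.
_OLD = {"accessKey": "AKIAEXAMPLEOLD", "secretKey": "old-secret", "region": "us-west-1"}
SAMPLE_STATE = {"version": 3, "deployment": {"resources": [
    {"urn": "urn:pulumi:dev::inlineNode::pulumi:providers:aws::default",
     "type": "pulumi:providers:aws", "inputs": dict(_OLD), "outputs": dict(_OLD)},
    {"urn": "urn:pulumi:dev::inlineNode::aws:s3/bucket:Bucket::s3-website-bucket",
     "type": "aws:s3/bucket:Bucket", "inputs": {"bucket": "s3-website-bucket-abcdef"}},
]}}

AWS_PROVIDER_TYPE = "pulumi:providers:aws"  # type Pulumi records for AWS provider resources
CRED_KEYS = ("accessKey", "secretKey")      # the keys the answer tells you to look for


def find_provider_credentials(state):
    """Return (urn, section, key, kind) for each credential field on an AWS provider.
    kind is "plaintext" for a string value and "encrypted" for a Pulumi secret object."""
    found = []
    for res in state["deployment"]["resources"]:
        if res.get("type") != AWS_PROVIDER_TYPE:
            continue
        for section in ("inputs", "outputs"):  # provider outputs mirror the inputs
            for key in CRED_KEYS:
                if key in res.get(section, {}):
                    kind = "plaintext" if isinstance(res[section][key], str) else "encrypted"
                    found.append((res["urn"], section, key, kind))
    return found


def rotate_provider_credentials(state, new_access_key, new_secret_key):
    """Return a copy of the state with plaintext AWS provider credentials replaced.
    Encrypted values and non-provider resources are never modified."""
    new_state = copy.deepcopy(state)
    replacements = {"accessKey": new_access_key, "secretKey": new_secret_key}
    for res in new_state["deployment"]["resources"]:
        if res.get("type") != AWS_PROVIDER_TYPE:
            continue
        for section in ("inputs", "outputs"):
            for key, value in replacements.items():
                if isinstance(res.get(section, {}).get(key), str):
                    res[section][key] = value
    return new_state
```

In practice the input is `json.load(open("state.json"))` and the rotated result is written back with `json.dump` before `pulumi stack import -f < state.json`.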