这个 Terraform 错误:
错误:放置 CloudWatch Logs 目标策略 (exp-mgt-connect-kinesis-destination):操作错误 CloudWatch Logs:PutDestinationPolicy,https 响应错误 StatusCode:400,RequestID:9ed8bf2f-715a-49eb-aee3-b928f7a3955a,InvalidParameterException:只有一个支持主块。 │ │ 使用 aws_cloudwatch_log_destination_policy.destination_policy, │ 在 main.tf 第 128 行,资源“aws_cloudwatch_log_destination_policy”“destination_policy”中: │ 128:资源“aws_cloudwatch_log_destination_policy”“destination_policy”
是应用此 Terraform 代码的结果:
resource "aws_kinesis_firehose_delivery_stream" "kinesis_firehose_stream" {
name = "exp-mgt-${var.s3_bucket_prefix}-delivery-stream"
destination = "extended_s3"
extended_s3_configuration {
role_arn = aws_iam_role.firehose_role.arn
bucket_arn = "arn:aws:s3:::${var.s3_bucket_name}"
buffering_size = 64
prefix = var.s3_bucket_prefix
}
}
resource "aws_iam_role" "cwl_to_firehose_role" {
name = "CWLtoKinesisFirehoseRole"
# Trusted entities
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
"Effect": "Allow",
"Principal": {
"Service": "logs.us-east-1.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
})
}
resource "aws_iam_role_policy" "inline_cloudwatch_policy" {
name = "Permissions-Policy-For-CWL"
role = aws_iam_role.cwl_to_firehose_role.id
policy = jsonencode({
Version: "2012-10-17",
Statement: [
{
Sid: "FirehoseAccess1",
Effect: "Allow",
Action: "firehose:ListDeliveryStreams",
Resource: "*"
},
{
Sid: "Passrole",
Effect: "Allow",
Action: "iam:PassRole",
Resource: aws_iam_role.cwl_to_firehose_role.arn
},
{
Sid: "FirehoseAccess2",
Effect: "Allow",
Action: [
"firehose:DescribeDeliveryStream",
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
Resource: aws_kinesis_firehose_delivery_stream.kinesis_firehose_stream.arn
}
]
})
}
resource "aws_cloudwatch_log_destination" "exp_mgt_destination" {
name = "exp-mgt-${var.s3_bucket_prefix}-kinesis-destination"
role_arn = aws_iam_role.cwl_to_firehose_role.arn
target_arn = aws_kinesis_firehose_delivery_stream.kinesis_firehose_stream.arn
}
data "aws_iam_policy_document" "destination_policy" {
statement {
effect = "Allow"
actions = [
"logs:PutSubscriptionFilter",
]
resources = [
aws_cloudwatch_log_destination.exp_mgt_destination.arn,
]
}
}
resource "aws_cloudwatch_log_destination_policy" "destination_policy" {
destination_name = aws_cloudwatch_log_destination.exp_mgt_destination.name
access_policy = data.aws_iam_policy_document.destination_policy.json
}
是什么导致了这个
InvalidParameterException: Only one principal block is supported.
错误?
发生此错误是因为缺少
data.aws_iam_policy_document.destination_policy
的策略文档principal
,而aws_cloudwatch_log_destination_policy
资源类型需要定义主体。
看一下官方文档中的示例: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_destination_policy
data "aws_iam_policy_document" "test_destination_policy" {
statement {
effect = "Allow"
principals {
type = "AWS"
identifiers = [
"123456789012",
]
}
actions = [
"logs:PutSubscriptionFilter",
]
resources = [
aws_cloudwatch_log_destination.test_destination.arn,
]
}
}
resource "aws_cloudwatch_log_destination_policy" "test_destination_policy" {
destination_name = aws_cloudwatch_log_destination.test_destination.name
access_policy = data.aws_iam_policy_document.test_destination_policy.json
}
在示例中,策略包含单个主体标签,该标签指向AWS账户的ID。这意味着对 Cloudwatch 日志目标的访问将由账户的 IAM 角色/策略管理。