Enabling Managed Updates for Elastic Beanstalk with terraform
Posted: 2022-01-13 08:39:50

Question: I am trying to enable managed updates using terraform, but I get the following error:

```text
Error: ConfigurationValidationException: Configuration validation exception: Invalid option specification (Namespace: 'aws:elasticbeanstalk:managedactions', OptionName: 'ManagedActionsEnabled'): You can't enable managed platform updates when your environment uses the service-linked role 'AWSServiceRoleForElasticBeanstalk'. Select a service role that has the 'AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy' managed policy.
```
Terraform code:

```hcl
resource "aws_elastic_beanstalk_environment" "eb_env" {
  # name, application and the other required arguments were not shown in the post

  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "ManagedActionsEnabled"
    value     = "True"
  }

  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "ServiceRoleForManagedUpdates"
    value     = aws_iam_role.beanstalk_service.arn
  }

  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "PreferredStartTime"
    value     = "Sat:04:00"
  }

  setting {
    namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
    name      = "UpdateLevel"
    value     = "patch"
  }
}

resource "aws_iam_instance_profile" "beanstalk_service" {
  name = "beanstalk-service-user"
  role = aws_iam_role.beanstalk_service.name
}

resource "aws_iam_instance_profile" "beanstalk_ec2" {
  name = "beanstalk-ec2-user"
  role = aws_iam_role.beanstalk_ec2.name
}

resource "aws_iam_role" "beanstalk_service" {
  name = "beanstalk-service"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}
EOF
}

resource "aws_iam_role" "beanstalk_ec2" {
  name = "aws-elasticbeanstalk-ec2-role"

  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "beanstalk_service_health" {
  name       = "elastic-beanstalk-service-health"
  roles      = [aws_iam_role.beanstalk_service.id]
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
}

resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" {
  name       = "elastic-beanstalk-ec2-worker"
  roles      = [aws_iam_role.beanstalk_ec2.id]
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
}

resource "aws_iam_service_linked_role" "managedupdates_eb" {
  aws_service_name = "managedupdates.elasticbeanstalk.amazonaws.com"
}

resource "aws_iam_policy_attachment" "beanstalk_ec2_web" {
  name       = "elastic-beanstalk-ec2-web"
  roles      = [aws_iam_role.beanstalk_ec2.id]
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
}

resource "aws_iam_policy_attachment" "beanstalk_ec2_container" {
  name       = "elastic-beanstalk-ec2-container"
  roles      = [aws_iam_role.beanstalk_ec2.id]
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
}

resource "aws_iam_policy_attachment" "beanstalk_service" {
  name       = "elastic-beanstalk-service"
  roles      = [aws_iam_role.beanstalk_service.id]
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy"
}
```
I did try creating the service-linked role, but that is not the solution to the error above.

```hcl
setting {
  namespace = "aws:elasticbeanstalk:managedactions"
  name      = "ServiceRoleForManagedUpdates"
  value     = aws_iam_service_linked_role.managedupdates_eb.arn
}
```
Answer 1: I was missing the following setting

```hcl
setting {
  namespace = "aws:elasticbeanstalk:environment"
  name      = "ServiceRole"
  value     = aws_iam_role.beanstalk_service.id
}
```
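The answer's missing setting, wired into a complete service-role setup as an added example (not code from the original post): the custom role carries both managed policies from the question and is referenced by both `ServiceRole` and `ServiceRoleForManagedUpdates`, so the environment no longer falls back to the service-linked role. `aws_iam_role_policy_attachment` replaces the question's `aws_iam_policy_attachment` because the latter is exclusive and detaches the policy from every role not listed; the environment `name`, `application` and `solution_stack_name` values are assumptions.

```hcl
# Custom service role: Beanstalk may assume it only with its fixed ExternalId.
resource "aws_iam_role" "beanstalk_service" {
  name = "beanstalk-service"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "elasticbeanstalk.amazonaws.com" }
      Condition = { StringEquals = { "sts:ExternalId" = "elasticbeanstalk" } }
    }]
  })
}

# Non-exclusive attachments: unlike aws_iam_policy_attachment, removing one
# here never detaches the policy from roles that are managed elsewhere.
resource "aws_iam_role_policy_attachment" "beanstalk_service" {
  for_each = toset([
    "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth",
    "arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy",
  ])
  role       = aws_iam_role.beanstalk_service.name
  policy_arn = each.value
}
variable "solution_stack_name" { type = string } # assumed input
resource "aws_elastic_beanstalk_environment" "eb_env" {
  name                = "example-env" # assumed
  application         = "example-app" # assumed existing application name
  solution_stack_name = var.solution_stack_name
  # The environment's own service role must be the custom role rather than the
  # service-linked AWSServiceRoleForElasticBeanstalk: the setting the question lacked.
  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "ServiceRole"
    value     = aws_iam_role.beanstalk_service.name
  }
  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "ManagedActionsEnabled"
    value     = "true"
  }
  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "ServiceRoleForManagedUpdates"
    value     = aws_iam_role.beanstalk_service.arn
  }
  # Attach policies before Beanstalk validates the role at create time.
  depends_on = [aws_iam_role_policy_attachment.beanstalk_service]
}
```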