Terraform – 无法检测到基础设施更改

58次阅读
没有评论

问题描述

在使用Terraform时,部署了一个Cloudwatch Log Group的community module到他的terraform stack中(从https://github.com/cloudposse/terraform-aws-components获取)。但是他花了一天多的时间尝试解决这个问题,但没有成功。
当他运行terraform plan命令时,新的组件没有显示为新的基础设施。

$ terraform plan
No changes. Your infrastructure matches the configuration.Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

他想请有经验的人帮忙检查一下他的配置,看看是否有可能缺少或配置错误,导致Terraform忽略了新的组件。他之前解决了Terraform运行错误的问题,但这个问题让他感到困惑。他的配置如下:

test-stage-eu-west-1.yaml
    ec2_session_manager_log:
      component: cloudwatch_logs
      vars:
        context:
          enabled: true
          name: "ssm-logs"
        enabled: true
        name: "ec2-ssm-log-name"
        retention_in_days: 7
        kms_key_arn: "arn:aws:kms:eu-west-1:12345667890:key/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
        principals: "ec2.amazonaws.com"
        additional_permissions: []
        stream_names: [ "app1", "app2" ]
        region: eu-west-1
    cloudwatch_logs:
      vars:
        context:
          enabled: false

cloudwatch-logs module: ./module/cloudwatch-logs/main.tf

locals {
  enabled = module.this.enabled
}

data "aws_caller_identity" "current" {
  count = local.enabled ? 1 : 0
}

data "aws_partition" "current" {
  count = local.enabled ? 1 : 0
}

module "logs" {
  source  = "cloudposse/cloudwatch-logs/aws"
  version = "0.6.5"

  name                   = var.name
  stream_names           = var.stream_names
  retention_in_days      = var.retention_in_days
  principals             = var.principals
  additional_permissions = var.additional_permissions
  kms_key_arn            = var.kms_key_arn
}

module "kms_key_logs" {
  source  = "cloudposse/kms-key/aws"
  version = "0.12.1"

  description             = "KMS key for CloudWatch Logs"
  deletion_window_in_days = 10
  enable_key_rotation     = true
  alias                   = "alias/${module.this.id}"
  policy                  = join("", data.aws_iam_policy_document.kms.*.json)
}

data "aws_iam_policy_document" "kms" {
  count = local.enabled ? 1 : 0

  statement {
    sid    = "EnableRootUserPermissions"
    effect = "Allow"
    actions = [
      "kms:Create*",
      "kms:Describe*",
      "kms:Enable*",
      "kms:List*",
      "kms:Put*",
      "kms:Update*",
      "kms:Revoke*",
      "kms:Disable*",
      "kms:Get*",
      "kms:Delete*",
      "kms:Tag*",
      "kms:Untag*",
      "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion"
    ]
    resources = [
      "*"
    ]
    principals {
      type = "AWS"
      identifiers = [
        "arn:${join("", data.aws_partition.current[*].partition)}:iam::${join("", data.aws_caller_identity.current[*].account_id)}:root"
      ]
    }
  }

  statement {
    sid    = "Allow CloudWatch to Encrypt with the key"
    effect = "Allow"
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*"
    ]
    resources = [
      "*"
    ]
    principals {
      type = "Service"
      identifiers = [
        "logs.${var.region}.amazonaws.com",
      ]
    }
  }
}

Root: ./main.tf:

module "cloudwatch-logs" {
  source  = "./modules/cloudwatch-logs"
  for_each = local.cloudwatch_logs_components

  name                   = try(each.value.vars.name, null)
  stream_names           = try(each.value.vars.stream_names, null)
  retention_in_days      = try(each.value.vars.retention_in_days, null)
  aws_service_principal  = try(each.value.vars.principal, null)
  additional_permissions = try(each.value.vars.additional_permissions, null)
  region                 = try(each.value.vars.region, null)
  kms_key_arn            = try (each.value.vars.region, null)
  context                = try(each.value.vars.context, null)
}

解决方案

请注意以下操作注意版本差异及修改前做好备份。

方案1

根据您提供的配置文件,我注意到cloudwatch_logs模块的context.enabled属性被设置为false,这可能是导致Terraform无法检测到新组件的原因。您可以尝试将其设置为true,然后再次运行terraform plan命令,看看是否能够检测到新的基础设施。

cloudwatch_logs:
  vars:
    context:
      enabled: true

方案2

如果方案1没有解决您的问题,您可以检查cloudwatch-logs模块的变量,看看是否有其他需要启用的可选组件。您可以查看模块的文档或源代码,了解哪些变量需要设置为true才能启用相应的组件。

方案3

如果以上两个方案都没有解决您的问题,您可以尝试重新部署整个terraform stack。有时候,Terraform可能会出现一些奇怪的问题,重新部署可以清除一些潜在的缓存或状态问题。
请注意,这些解决方案仅供参考,具体取决于您的环境和配置。您可能需要根据您的实际情况进行调整和修改。

正文完
devops 运维
发表至: 运维问题
2023-12-02
 
使用AWS API Gateway作为HTTP代理到ALB的自定义域名设置指南
如何在Kubernetes中使用集群自动伸缩器(Cluster Autoscaler)确保任务完成后节点被释放
如何在Jenkins的Docker Pipeline中连接到Kubernetes集群
在Openshift/Kubernetes上将Opentelemetry-operator以非root用户运行
androiddevopsiphone移动端运维
-「
最新文章