社区! 我需要您的建议和帮助来解决我的地形情况。 我已经设置了我的环境: 适用于 Win10 的 WSL2.0 中的 linux_amd64 和 Ubuntu 22.04 上的 Terraform v1.9.8。 现在我正在 AWS 中部署环境,并且我有先决条件将 tfstate 文件保存在 s3bucket 中并通过 dynamodb 锁定它。 当我运行 terraform apply 时,我看到以下错误消息:
# terraform apply
Acquiring state lock. This may take a few moments...
╷
│ Error: Error acquiring the state lock
│
│ Error message: operation error DynamoDB: PutItem, https response error StatusCode: 400, RequestID: 675BRV1T9IUNPI, api error AccessDeniedException: User: arn:aws:iam::***:user/terraform is not authorized to perform: dynamodb:PutItem on resource:
│ arn:aws:dynamodb:us-east-1:***:table/terraform-asav-lock-table because no identity-based policy allows the dynamodb:PutItem action
│ Unable to retrieve item from DynamoDB table "terraform-asav-lock-table": operation error DynamoDB: GetItem, https response error StatusCode: 400, RequestID: 0N2J50TQTG2AKQIM, api error AccessDeniedException: User: arn:aws:iam::***:user/terraform is not authorized to perform: dynamodb:GetItem on
│ resource: arn:aws:dynamodb:us-east-1:***:table/terraform-asav-lock-table because no identity-based policy allows the dynamodb:GetItem action
│
│ Terraform acquires a state lock to protect the state from being written
│ by multiple users at the same time. Please resolve the issue above and try
│ again. For most commands, you can disable locking with the "-lock=false"
│ flag, but this is not recommended.
我的provider.tf是:
required_providers {
aws = {
source = "hashicorp/aws"
version = "5.50.0"
}
}
backend "s3" {
bucket = "asavbacket"
encrypt = true
key = "terraform.tfstate/state"
region = "us-east-1"
access_key = "***"
secret_key = "***"
dynamodb_table = "terraform-asav-lock-table"
}
}
请帮助我理解,为什么会出现这个错误?
我尝试将 IAM 策略添加到 IAM 用户 terraform,以便正确访问 s3 存储桶和 dynamodb 表
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnableIAMUserPermissions",
"Effect": "Allow",
"Action": "kms:*",
"Resource": "arn:aws:kms:us-east-1:***:key/d6c67"
},
{
"Sid": "StateBucketObjectAccess",
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem"
],
"Resource": "arn:aws:dynamodb:us-east-1:***:table/terraform-asav-lock-table"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::asavbacket"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::asavbacket/terraform.tfstate/state"
}
]
}
更新。我已经找到了这个错误的解决方案。我在我的 AWS 账户中创建了管理员组,并将用户 terraform 附加到该组。
但是现在我遇到了下一个错误:
Error message: operation error DynamoDB: PutItem, https response error StatusCode: 400, RequestID: H3QGJJHIOBPHFUAPNDE26HS82JVV4KQNSO5AEMVJF66Q9ASUAAJG, api error ValidationException: One or more parameter values were invalid: Missing the key terraform.tfstate in the item
│ Unable to retrieve item from DynamoDB table "terraform-asav-lock-table": operation error DynamoDB: GetItem, https response error StatusCode: 400, RequestID: 2Q9SQ7M20CT913K5RU3NHUPUIRVV4KQNSO5AEMVJF66Q9ASUAAJG, api error ValidationException: The provided key element does not match the schema
可以帮我解决吗?
此问题表明您为
GetItemtable.get_item(Key={"terraform.tfstate": "some value"})