がじぇ

A blog about money, home appliances and programming

How to handle the "Error deleting S3 notification configuration: OperationAborted" error in Terraform

Hello, this is Gajetter (がじぇったー, @hackmylife7 on Twitter).

I got a bit stuck on this in Terraform, so I am leaving a memo of how I dealt with it.

TL;DR (summary)

  • Creating an S3 bucket policy and the bucket's S3 Public Access Block at the same time causes an error during terraform apply/destroy
  • The creation order therefore has to be controlled with depends_on

Before (the S3 resource definition that produced the error)

s3.tf

/* ====================
Resources
==================== */
/*
S3 bucket that stores the ALB access logs
*/

data "aws_iam_policy_document" "alb-log" {
  statement {
    actions = [
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.default.site}-${var.default.env}-lb-log/*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["account_idが入る"] # placeholder: the account ID allowed to write logs goes here
    }
  }
}

resource "aws_s3_bucket_public_access_block" "alb-log" {
  bucket                  = aws_s3_bucket.alb-log.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket" "alb-log" {
  # force_destroy = true
  bucket = "${var.default.site}-${var.default.env}-lb-log"
  acl    = "private"
  versioning {
    enabled = true
  }
  policy = data.aws_iam_policy_document.alb-log.json
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.alb-log.id
  lambda_function {
    lambda_function_arn = aws_lambda_function.alb_logger.arn
    events              = ["s3:ObjectCreated:*"]
  }
}

With the resource definitions above, running terraform apply/destroy makes the create/delete operations for aws_s3_bucket_public_access_block and aws_s3_bucket_notification run concurrently against the same bucket; the two S3 API calls conflict and the run fails.

Error output

Error: Error deleting S3 notification configuration: OperationAborted: A conflicting conditional operation is currently in progress against this resource. Please try again

After

Control the execution order by adding the depends_on meta-argument to the aws_s3_bucket_public_access_block block.

s3.tf

/* ====================
Resources
==================== */
/*
S3 bucket that stores the ALB access logs
*/

data "aws_iam_policy_document" "alb-log" {
  statement {
    actions = [
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.default.site}-${var.default.env}-lb-log/*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["account_idが入る"] # placeholder: the account ID allowed to write logs goes here
    }
  }
}

resource "aws_s3_bucket_public_access_block" "alb-log" {

  #--------------------------------------------------------------------------------
  # To avoid OperationAborted: A conflicting conditional operation is currently in progress
  #--------------------------------------------------------------------------------
  depends_on = [
    aws_s3_bucket_notification.bucket_notification
  ]


  bucket                  = aws_s3_bucket.alb-log.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket" "alb-log" {
  # force_destroy = true
  bucket = "${var.default.site}-${var.default.env}-lb-log"
  acl    = "private"
  versioning {
    enabled = true
  }
  policy = data.aws_iam_policy_document.alb-log.json
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.alb-log.id
  lambda_function {
    lambda_function_arn = aws_lambda_function.alb_logger.arn
    events              = ["s3:ObjectCreated:*"]
  }
}
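The fix above serializes just the one pair of resources that collided. The root cause is more general: every S3 bucket sub-resource (public access block, bucket policy, versioning, notification) is applied with its own PutBucket* call, and S3 rejects concurrent configuration changes on the same bucket with OperationAborted. The following is an added example, not code from the post, that declares the same ALB-log bucket with each sub-resource as its own resource and chains them with depends_on so that exactly one configuration call is in flight at a time. It assumes AWS provider v4 or later (where aws_s3_bucket_policy and aws_s3_bucket_versioning are separate resources), and the resource names allow_s3, the ELB account placeholder and the ordering itself are my choices; the bucket name and the aws_lambda_function.alb_logger reference follow the post.

```hcl
# Added example: serialized S3 bucket sub-resources (assumes AWS provider >= 4.x).
# Every bucket configuration resource depends on the previous one, so apply
# issues the PutBucket* calls one after another, and destroy (which runs in
# reverse dependency order) does the same. No two calls overlap, so
# "OperationAborted: A conflicting conditional operation" cannot occur.

resource "aws_s3_bucket" "alb-log" {
  bucket = "${var.default.site}-${var.default.env}-lb-log"
}

# 1. Public access block first. With block_public_policy = true, S3 rejects a
#    later PutBucketPolicy that would grant public access, so a mistaken policy
#    fails at apply time instead of exposing the log bucket.
resource "aws_s3_bucket_public_access_block" "alb-log" {
  bucket                  = aws_s3_bucket.alb-log.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# 2. Bucket policy, applied only after the block is in place.
data "aws_iam_policy_document" "alb-log" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.alb-log.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["ELB_ACCOUNT_ID_PLACEHOLDER"] # placeholder: account allowed to write logs
    }
  }
}

resource "aws_s3_bucket_policy" "alb-log" {
  bucket     = aws_s3_bucket.alb-log.id
  policy     = data.aws_iam_policy_document.alb-log.json
  depends_on = [aws_s3_bucket_public_access_block.alb-log]
}

# 3. Versioning, serialized after the policy.
resource "aws_s3_bucket_versioning" "alb-log" {
  bucket = aws_s3_bucket.alb-log.id
  versioning_configuration {
    status = "Enabled"
  }
  depends_on = [aws_s3_bucket_policy.alb-log]
}

# 4. S3 checks at PutBucketNotificationConfiguration that it is allowed to
#    invoke the function, so the Lambda permission must exist before the
#    notification; source_arn restricts the grant to this one bucket.
resource "aws_lambda_permission" "allow_s3" {
  statement_id  = "AllowExecutionFromS3"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.alb_logger.function_name
  principal     = "s3.amazonaws.com"
  source_arn    = aws_s3_bucket.alb-log.arn
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.alb-log.id
  lambda_function {
    lambda_function_arn = aws_lambda_function.alb_logger.arn
    events              = ["s3:ObjectCreated:*"]
  }
  depends_on = [
    aws_lambda_permission.allow_s3,
    aws_s3_bucket_versioning.alb-log,
  ]
}
```

Run terraform plan and check that the apply graph lists these resources in the order 1 to 4; if a later refactor adds another bucket sub-resource (for example server-side encryption or logging), hang it on the end of the chain rather than on the bucket alone, or the conflict returns.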

That's all.
