#amazon-web-services #terraform #amazon-elastic-beanstalk
Question:
I am trying to enable managed updates with Terraform, but I get the following error:
Error: ConfigurationValidationException: Configuration validation exception: Invalid option specification (Namespace: 'aws:elasticbeanstalk:managedactions', OptionName: 'ManagedActionsEnabled'): You can't enable managed platform updates when your environment uses the service-linked role 'AWSServiceRoleForElasticBeanstalk'. Select a service role that has the 'AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy' managed policy.
Terraform code:
resource "aws_elastic_beanstalk_environment" "eb_env" {
  # (other environment arguments not shown)
  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "ManagedActionsEnabled"
    value     = "True"
  }
  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "ServiceRoleForManagedUpdates"
    value     = aws_iam_role.beanstalk_service.arn
  }
  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "PreferredStartTime"
    value     = "Sat:04:00"
  }
  setting {
    namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
    name      = "UpdateLevel"
    value     = "patch"
  }
}

resource "aws_iam_instance_profile" "beanstalk_service" {
  name = "beanstalk-service-user"
  role = "${aws_iam_role.beanstalk_service.name}"
}

resource "aws_iam_instance_profile" "beanstalk_ec2" {
  name = "beanstalk-ec2-user"
  role = "${aws_iam_role.beanstalk_ec2.name}"
}

resource "aws_iam_role" "beanstalk_service" {
  name = "beanstalk-service"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}
EOF
}

resource "aws_iam_role" "beanstalk_ec2" {
  name = "aws-elasticbeanstalk-ec2-role"

  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "beanstalk_service_health" {
  name       = "elastic-beanstalk-service-health"
  roles      = ["${aws_iam_role.beanstalk_service.id}"]
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
}

resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" {
  name       = "elastic-beanstalk-ec2-worker"
  roles      = ["${aws_iam_role.beanstalk_ec2.id}"]
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
}

resource "aws_iam_service_linked_role" "managedupdates_eb" {
  aws_service_name = "managedupdates.elasticbeanstalk.amazonaws.com"
}

resource "aws_iam_policy_attachment" "beanstalk_ec2_web" {
  name       = "elastic-beanstalk-ec2-web"
  roles      = ["${aws_iam_role.beanstalk_ec2.id}"]
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
}

resource "aws_iam_policy_attachment" "beanstalk_ec2_container" {
  name       = "elastic-beanstalk-ec2-container"
  roles      = ["${aws_iam_role.beanstalk_ec2.id}"]
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
}

resource "aws_iam_policy_attachment" "beanstalk_service" {
  name       = "elastic-beanstalk-service"
  roles      = ["${aws_iam_role.beanstalk_service.id}"]
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy"
}
I tried creating a service-linked role, but that does not solve the problem described above.
setting {
  namespace = "aws:elasticbeanstalk:managedactions"
  name      = "ServiceRoleForManagedUpdates"
  value     = aws_iam_service_linked_role.managedupdates_eb.arn
}
Answer #1:
I was missing the following settings:
setting {
  namespace = "aws:elasticbeanstalk:environment"
  name      = "ServiceRole"
  value     = aws_iam_role.beanstalk_service.id
}
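
A pre-apply check for the misconfiguration discussed above, as an added example that is not part of either post: it scans a plan exported with `terraform show -json` and reports every Elastic Beanstalk environment that enables managed actions without an `aws:elasticbeanstalk:environment` / `ServiceRole` setting, or that points it at the service-linked role. The helper names, the sample plan and the assumption that values unknown until apply are omitted from `planned_values` are this example's own.

```python
SLR_NAME = "AWSServiceRoleForElasticBeanstalk"  # named in the error message above
MA = "aws:elasticbeanstalk:managedactions"
ENV = "aws:elasticbeanstalk:environment"

def env_resource(address, settings):
    """Build a constructed plan entry; 2-tuples model a value unknown until apply."""
    return {"address": address, "type": "aws_elastic_beanstalk_environment",
            "values": {"setting": [dict(zip(("namespace", "name", "value"), s))
                                   for s in settings]}}

# Constructed sample: the question's environment and the same one with the fix.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    env_resource("aws_elastic_beanstalk_environment.eb_env",
                 [(MA, "ManagedActionsEnabled", "True"),
                  (MA, "ServiceRoleForManagedUpdates")]),
    env_resource("aws_elastic_beanstalk_environment.fixed",
                 [(MA, "ManagedActionsEnabled", "True"), (ENV, "ServiceRole")]),
]}}}

def iter_resources(module):
    """Yield resources of a module and of all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_plan(plan):
    """Return {address: reason} for environments the API would reject."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_elastic_beanstalk_environment":
            continue
        # Key on (namespace, name): a setting whose value is not yet known
        # still counts as present.
        opts = {(s.get("namespace"), s.get("name")): s.get("value")
                for s in (res.get("values") or {}).get("setting") or []}
        if str(opts.get((MA, "ManagedActionsEnabled"))).lower() != "true":
            continue
        if (ENV, "ServiceRole") not in opts:
            findings[res["address"]] = "ServiceRole not set"
        elif SLR_NAME in str(opts[(ENV, "ServiceRole")]):
            findings[res["address"]] = "ServiceRole is the service-linked role"
    return findings

if __name__ == "__main__":
    import json, sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print(check_plan(plan))
```

Run it with the path to a plan JSON file as the only argument; without one it checks the constructed sample.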