Hello, this is がじぇったー (@hackmylife7 on Twitter).
I ran into a small snag with Terraform, so I'm leaving a note on how I dealt with it.
TL;DR
- Creating an S3 bucket policy and the bucket's S3 public access block at the same time causes an error during terraform apply/destroy.
- You therefore need to control the creation order with depends_on.
Before (the S3 resource definition that produced the error)
s3.tf
/* ====================
   Resources
   ==================== */
/*
   S3 bucket that stores the ALB access logs
*/
data "aws_iam_policy_document" "alb-log" {
  statement {
    actions = [
      "s3:PutObject",
    ]
    resources = [
      "arn:aws:s3:::${var.default.site}-${var.default.env}-lb-log/*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["account_idが入る"]
    }
  }
}

resource "aws_s3_bucket_public_access_block" "alb-log" {
  bucket                  = aws_s3_bucket.alb-log.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket" "alb-log" {
  # force_destroy = true
  bucket = "${var.default.site}-${var.default.env}-lb-log"
  acl    = "private"
  versioning {
    enabled = true
  }
  policy = data.aws_iam_policy_document.alb-log.json
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.alb-log.id
  lambda_function {
    lambda_function_arn = aws_lambda_function.alb_logger.arn
    events              = ["s3:ObjectCreated:*"]
  }
}
With the resource definition above, running terraform apply/destroy fails because the create/delete operations for aws_s3_bucket_public_access_block and aws_s3_bucket_notification conflict with each other.
Error output
Error: Error deleting S3 notification configuration: OperationAborted: A conflicting conditional operation is currently in progress against this resource. Please try again
After
Control the execution order by adding the depends_on meta-argument to the aws_s3_bucket_public_access_block resource.
s3.tf
/* ====================
   Resources
   ==================== */
/*
   S3 bucket that stores the ALB access logs
*/
data "aws_iam_policy_document" "alb-log" {
  statement {
    actions = [
      "s3:PutObject",
    ]
    resources = [
      "arn:aws:s3:::${var.default.site}-${var.default.env}-lb-log/*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["account_idが入る"]
    }
  }
}

resource "aws_s3_bucket_public_access_block" "alb-log" {
  #--------------------------------------------------------------------------------
  # To avoid OperationAborted: A conflicting conditional operation is currently in progress
  #--------------------------------------------------------------------------------
  depends_on = [
    aws_s3_bucket_notification.bucket_notification
  ]
  bucket                  = aws_s3_bucket.alb-log.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket" "alb-log" {
  # force_destroy = true
  bucket = "${var.default.site}-${var.default.env}-lb-log"
  acl    = "private"
  versioning {
    enabled = true
  }
  policy = data.aws_iam_policy_document.alb-log.json
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.alb-log.id
  lambda_function {
    lambda_function_arn = aws_lambda_function.alb_logger.arn
    events              = ["s3:ObjectCreated:*"]
  }
}
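The missing ordering can be caught before apply rather than discovered as an OperationAborted. The script below is an added example, not code from the post: it reads the JSON produced by terraform show -json on a saved plan, groups the S3 sub-resources (public access block, notification, bucket policy) by the bucket they reference, and warns about any pair with no depends_on between them. The sample plan embedded at the bottom is constructed to mirror the Before configuration.

```python
"""Lint `terraform show -json plan.tfplan` output for S3 sub-resources that write
to the same bucket with no explicit ordering. Added example; sample plan is constructed."""
import json
import sys
from collections import defaultdict

# Resource types that each PUT their own configuration on one bucket; S3 rejects
# concurrent PUTs with OperationAborted. (Assumption: this list is illustrative.)
BUCKET_SUBRESOURCES = {
    "aws_s3_bucket_public_access_block",
    "aws_s3_bucket_notification",
    "aws_s3_bucket_policy",
}

def bucket_of(res):
    """Bucket resource address a sub-resource references, e.g. 'aws_s3_bucket.alb-log'."""
    for ref in res.get("expressions", {}).get("bucket", {}).get("references", []):
        parts = ref.split(".")  # "aws_s3_bucket.alb-log.id" or "aws_s3_bucket.alb-log"
        if parts[0] == "aws_s3_bucket" and len(parts) >= 2:
            return f"{parts[0]}.{parts[1]}"
    return None

def unordered_pairs(plan):
    """Address pairs on the same bucket where neither side depends_on the other."""
    by_bucket = defaultdict(list)
    for res in plan["configuration"]["root_module"]["resources"]:
        if res["type"] in BUCKET_SUBRESOURCES and (bucket := bucket_of(res)):
            by_bucket[bucket].append(res)
    findings = []
    for group in by_bucket.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if (b["address"] not in a.get("depends_on", [])
                        and a["address"] not in b.get("depends_on", [])):
                    findings.append((a["address"], b["address"]))
    return findings

REFS = {"bucket": {"references": ["aws_s3_bucket.alb-log.id", "aws_s3_bucket.alb-log"]}}
SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [  # constructed sample
    {"address": "aws_s3_bucket.alb-log", "type": "aws_s3_bucket", "expressions": {}},
    {"address": "aws_s3_bucket_public_access_block.alb-log",
     "type": "aws_s3_bucket_public_access_block", "expressions": REFS},
    {"address": "aws_s3_bucket_notification.bucket_notification",
     "type": "aws_s3_bucket_notification", "expressions": REFS},
]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for a, b in unordered_pairs(plan):
        print(f"WARN: {a} and {b} target the same bucket without depends_on")
```

Run it against a real plan with `terraform plan -out plan.tfplan && terraform show -json plan.tfplan > plan.json && python lint.py plan.json`; with the After configuration the warning disappears because the public access block lists the notification in depends_on.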
That's all.