
terraform - Error creating CacheSecurityGroup: InvalidParameterValue

Repost. Author: 行者123. Updated: 2023-12-03 08:19:02

I am trying to launch a Redis instance on Elasticache using Terraform, but I am running into the following error.

* module.main.module.redis.aws_elasticache_security_group.redis: 1 error(s) occurred:

* aws_elasticache_security_group.redis: Error creating CacheSecurityGroup: InvalidParameterValue: Use of cache security groups is not permitted in this API version for your account.

Nothing I found in the GH issues helped. Here is what my Terraform looks like (I have confirmed the variables are being passed correctly):
resource "aws_elasticache_subnet_group" "redis" {
  name        = "vpc-public-subnet"
  description = "subnet where redis will live"
  subnet_ids  = ["${var.subnet}"]
}

resource "aws_elasticache_security_group" "redis" {
  name                 = "redis-security-group"
  security_group_names = ["${var.redis_sec_group}"]
}

resource "aws_elasticache_replication_group" "redis" {
  automatic_failover_enabled    = true
  availability_zones            = ["us-east-2a"]
  replication_group_id          = "${var.environment}-myapp-rep-group-1"
  replication_group_description = "redis rep group - ${var.environment} env"
  node_type                     = "cache.t2.micro"
  number_cache_clusters         = 2
  parameter_group_name          = "default.redis3.2"
  port                          = 6379
  at_rest_encryption_enabled    = true
  transit_encryption_enabled    = true

  subnet_group_name  = "${aws_elasticache_subnet_group.redis.name}"
  security_group_ids = ["${aws_elasticache_security_group.redis.id}"]

  lifecycle {
    ignore_changes = ["number_cache_clusters"]
  }
}

resource "aws_elasticache_cluster" "redis" {
  cluster_id           = "${var.environment}-myapp"
  count                = 1
  replication_group_id = "${aws_elasticache_replication_group.redis.id}"
}

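I thought the problem might be with my IAM user, so I added the AmazonElastiCacheFullAccess policy, but it still says it is not permitted. I did this after reading the AWS docs post on API_CreateCacheSecurityGroup, and I confirmed that those three policies are included in AmazonElastiCacheFullAccess.

There seems to be some buggy behavior with these resources: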

https://github.com/hashicorp/terraform/issues/10127

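My solution

Sorry, bear with me here. Posting this and writing it all out really helped me process my thoughts. I found that aws_elasticache_security_group is not necessary and just decided to pass ["${var.redis_sec_group}"] directly into security_group_ids of aws_elasticache_replication_group.

To someone who has dealt with this before, this probably seems obvious, and now it does to me too. But coming into this brand new, it was not. So this is not a solution to the permissions issue I ran into. But, like many things, I took a step back and questioned whether I really needed it, and the answer was no.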

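Best answer

It looks like you have already realized that aws_elasticache_security_group is only used in EC2 Classic accounts when you are not using a VPC. More recently created accounts do not allow creating network-level resources (instances, load balancers, RDS instances, Elasticache instances, etc.) outside of a VPC.
This is mentioned in the Terraform docs for the aws_elasticache_security_group resource: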

NOTE: ElastiCache Security Groups are for use only when working with an ElastiCache cluster outside of a VPC. If you are using a VPC, see the ElastiCache Subnet Group resource.


The AWS docs for Elasticache security groups go into further detail:

Important

Amazon ElastiCache security groups are only applicable to clusters that are not running in an Amazon Virtual Private Cloud environment (VPC). If you are running in an Amazon Virtual Private Cloud, Security Groups is not available in the console navigation pane.

If you are running your ElastiCache nodes in an Amazon VPC, you control access to your clusters with Amazon VPC security groups, which are different from ElastiCache security groups. For more information about using ElastiCache in an Amazon VPC, see Amazon VPCs and ElastiCache Security
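
The VPC arrangement described in the question's solution and in the answer, written out as an added example that is not part of the original question or answer. It drops aws_elasticache_security_group and attaches a VPC security group that admits the Redis port only from an application security group. var.vpc_id and var.app_sec_group_id are assumed inputs that do not appear on the page; attribute names and interpolation syntax follow the question's Terraform and provider version.

```hcl
# Added example. var.vpc_id and var.app_sec_group_id are assumed inputs.

# VPC security group placed in front of the Redis nodes. This takes the
# place of aws_elasticache_security_group, which only applies outside a VPC.
resource "aws_security_group" "redis" {
  name        = "${var.environment}-redis"
  description = "Redis access for ${var.environment}"
  vpc_id      = "${var.vpc_id}"
}

# Admit the Redis port only from the application tier's security group,
# rather than from a CIDR range.
resource "aws_security_group_rule" "redis_from_app" {
  type                     = "ingress"
  from_port                = 6379
  to_port                  = 6379
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.redis.id}"
  source_security_group_id = "${var.app_sec_group_id}"
}

resource "aws_elasticache_subnet_group" "redis" {
  name        = "vpc-public-subnet"
  description = "subnet where redis will live"
  subnet_ids  = ["${var.subnet}"]
}

resource "aws_elasticache_replication_group" "redis" {
  automatic_failover_enabled    = true
  availability_zones            = ["us-east-2a"]
  replication_group_id          = "${var.environment}-myapp-rep-group-1"
  replication_group_description = "redis rep group - ${var.environment} env"
  node_type                     = "cache.t2.micro"
  number_cache_clusters         = 2
  parameter_group_name          = "default.redis3.2"
  port                          = 6379
  at_rest_encryption_enabled    = true
  transit_encryption_enabled    = true

  subnet_group_name  = "${aws_elasticache_subnet_group.redis.name}"
  # VPC security group IDs go here; no ElastiCache security group is created.
  security_group_ids = ["${aws_security_group.redis.id}"]

  lifecycle {
    ignore_changes = ["number_cache_clusters"]
  }
}
```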

Regarding terraform - Error creating CacheSecurityGroup: InvalidParameterValue, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/50242112/
