terraform-aws-modules / terraform-aws-s3-bucket

Terraform module to create AWS S3 resources 🇺🇦

Home Page: https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws


ALB Logging Bucket Policy Incorrect Principal

zwinnerman-fleetdm opened this issue · comments

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

  • I have searched the open/closed issues and my issue is not listed.

I am having an issue with ALB access logging using this module. It is saying permission denied, despite the attach_elb_log_delivery_policy and attach_lb_log_delivery_policy variables being set to true:
Error: failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: <redacted>. Please check S3bucket permission.

I think I tracked the issue down to here:
https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/blob/master/main.tf#L560

This principal does not match what the documentation here says: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html

Basically, delivery.logs.amazonaws.com -> logdelivery.elb.amazonaws.com.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (ONLY if state is stored remotely, which is hopefully the best practice you are following!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]: 3.3.0

  • Terraform version:

Terraform v1.2.7
on linux_amd64
  • Provider version(s):
+ provider registry.terraform.io/cloudflare/cloudflare v3.18.0
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v4.10.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/external v2.2.2
+ provider registry.terraform.io/hashicorp/helm v2.6.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.12.1
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.1.3
+ provider registry.terraform.io/hashicorp/time v0.7.2
+ provider registry.terraform.io/hashicorp/tls v3.4.0
+ provider registry.terraform.io/kreuzwerker/docker v2.16.0
+ provider registry.terraform.io/paultyng/git v0.1.0
+ provider registry.terraform.io/terraform-aws-modules/http v2.4.1

Reproduction Code [Required]

# Inputs referenced by the reproduction below. The original snippet used these
# variables without declaring them; they are declared here so the fragment can be
# dropped into a root module. aws_security_group.lb is assumed to be defined
# elsewhere in the same configuration.
variable "prefix" {
  description = "Name prefix for the bucket and load balancer"
  type        = string
}

variable "kms_key" {
  description = "KMS key used for bucket default encryption (only .arn is read here)"
  type        = object({ arn = string })
}

variable "vpc" {
  description = "VPC outputs; only the public subnet IDs are used by the ALB"
  type        = object({ public_subnets = list(string) })
}

module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "${var.prefix}-alb-logs"
  acl    = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  attach_elb_log_delivery_policy        = true # Required for ALB logs
  attach_lb_log_delivery_policy         = true # Required for ALB/NLB logs
  attach_deny_insecure_transport_policy = true
  attach_require_latest_tls_policy      = true
  block_public_acls                     = true
  block_public_policy                   = true
  ignore_public_acls                    = true
  restrict_public_buckets               = true
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = var.kms_key.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
  lifecycle_rule = [
    {
      id      = "log"
      enabled = true

      transition = [
        {
          days          = 30
          storage_class = "ONEZONE_IA"
        }
      ]
      expiration = {
        days                         = 90
        expired_object_delete_marker = true
      }
      noncurrent_version_expiration = {
        newer_noncurrent_versions = 5
        days                      = 30
      }
    }
  ]
}

resource "aws_lb" "main" {
  name                       = var.prefix
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.lb.id]
  subnets                    = var.vpc.public_subnets
  enable_deletion_protection = true

  # ALB writes to s3://<bucket>/<prefix>/AWSLogs/<account-id>/...
  access_logs {
    bucket  = module.s3_bucket_for_logs.s3_bucket_id
    prefix  = var.prefix
    enabled = true
  }
}

Steps to reproduce the behavior:

Just run terraform apply

Expected behavior

Clean apply

Actual behavior

Permission denied

Terminal Output Screenshot(s)

Provided above

Additional context

I'm using an old version, but I checked and the bug affects master too.
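For comparison, here is a hand-written bucket policy that grants ALB access-log delivery the way the AWS page linked above describes it. This is an added example, not code from the module or from the issue author: the bucket, prefix and variable names are placeholders, and it is a stand-alone root module rather than a use of this module. Two points from that documentation drive the shape of the policy: the principal depends on the region (the IAM root of the regional ELB account for regions that existed before August 2022, the logdelivery.elasticloadbalancing.amazonaws.com service principal for regions launched later), and the object key the ALB writes is `<prefix>/AWSLogs/<account-id>/...`, so the resource in the statement must cover that path. The same documentation lists SSE-S3 (AES256) as the only supported server-side encryption for ALB access logs, which is why the example uses it rather than SSE-KMS. The `aws_elb_service_account` data source may not resolve in regions that have no legacy ELB account, so drop the first statement in those regions.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# Region and credentials come from the usual environment (AWS_REGION, profile, ...).
provider "aws" {}

variable "bucket_name" {
  description = "Name of the ALB access-log bucket (placeholder value, assumption)"
  type        = string
}

variable "log_prefix" {
  description = "Prefix configured in the ALB access_logs block (assumption)"
  type        = string
  default     = "alb"
}

data "aws_caller_identity" "current" {}

# Regional ELB account (e.g. 127311923021 in us-east-1) whose IAM root writes
# ALB logs in regions that existed before August 2022.
data "aws_elb_service_account" "this" {}

resource "aws_s3_bucket" "alb_logs" {
  bucket        = var.bucket_name
  force_destroy = true
}

# ALB access logging supports only S3-managed keys (SSE-S3); an SSE-KMS default
# on the bucket is rejected by the ALB when logging is enabled.
resource "aws_s3_bucket_server_side_encryption_configuration" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Object path the ALB writes to: <prefix>/AWSLogs/<account-id>/elasticloadbalancing/...
locals {
  alb_log_objects = "${aws_s3_bucket.alb_logs.arn}/${var.log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
}

data "aws_iam_policy_document" "alb_logs" {
  # Regions available before August 2022: principal is the regional ELB account root.
  statement {
    sid     = "ALBLogDeliveryLegacyRegions"
    effect  = "Allow"
    actions = ["s3:PutObject"]

    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.this.arn]
    }

    resources = [local.alb_log_objects]
  }

  # Regions available as of August 2022 or later: principal is the ELB log-delivery service.
  statement {
    sid     = "ALBLogDeliveryNewRegions"
    effect  = "Allow"
    actions = ["s3:PutObject"]

    principals {
      type        = "Service"
      identifiers = ["logdelivery.elasticloadbalancing.amazonaws.com"]
    }

    resources = [local.alb_log_objects]
  }
}

resource "aws_s3_bucket_policy" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id
  policy = data.aws_iam_policy_document.alb_logs.json
}
```

After `terraform apply`, `aws s3api get-bucket-policy --bucket <bucket_name>` should show both statements; if the ALB still reports Access Denied, the two things to compare against the rendered policy are the resource path (it must include the exact prefix set in `access_logs` followed by `/AWSLogs/<account-id>/`) and the bucket's default encryption algorithm.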

Never mind, I misread the documentation. I'm still having this issue; this just isn't the solution.

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.