ALB Logging Bucket Policy Incorrect Principal
zwinnerman-fleetdm opened this issue · comments
Description
✋ I have searched the open/closed issues and my issue is not listed.
I am having an issue with ALB access logging using this module. It is saying permission denied, despite the `attach_elb_log_delivery_policy` and `attach_lb_log_delivery_policy` variables being set to true:

```
Error: failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: <redacted>. Please check S3bucket permission.
```
I think I tracked the issue down to here: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/blob/master/main.tf#L560

This principal does not match what the documentation here says: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html

Basically, `delivery.logs.amazonaws.com` -> `logdelivery.elb.amazonaws.com`.
Versions

- Module version [Required]: 3.3.0
- Terraform version: Terraform v1.2.7 on linux_amd64
- Provider version(s):
  + provider registry.terraform.io/cloudflare/cloudflare v3.18.0
  + provider registry.terraform.io/gavinbunney/kubectl v1.14.0
  + provider registry.terraform.io/hashicorp/archive v2.2.0
  + provider registry.terraform.io/hashicorp/aws v4.10.0
  + provider registry.terraform.io/hashicorp/cloudinit v2.2.0
  + provider registry.terraform.io/hashicorp/external v2.2.2
  + provider registry.terraform.io/hashicorp/helm v2.6.0
  + provider registry.terraform.io/hashicorp/kubernetes v2.12.1
  + provider registry.terraform.io/hashicorp/local v2.2.3
  + provider registry.terraform.io/hashicorp/null v3.1.1
  + provider registry.terraform.io/hashicorp/random v3.1.3
  + provider registry.terraform.io/hashicorp/time v0.7.2
  + provider registry.terraform.io/hashicorp/tls v3.4.0
  + provider registry.terraform.io/kreuzwerker/docker v2.16.0
  + provider registry.terraform.io/paultyng/git v0.1.0
  + provider registry.terraform.io/terraform-aws-modules/http v2.4.1
Reproduction Code [Required]

```hcl
module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "${var.prefix}-alb-logs"
  acl    = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  attach_elb_log_delivery_policy        = true # Required for ALB logs
  attach_lb_log_delivery_policy         = true # Required for ALB/NLB logs
  attach_deny_insecure_transport_policy = true
  attach_require_latest_tls_policy      = true

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = var.kms_key.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  lifecycle_rule = [
    {
      id      = "log"
      enabled = true

      transition = [
        {
          days          = 30
          storage_class = "ONEZONE_IA"
        }
      ]

      expiration = {
        days                         = 90
        expired_object_delete_marker = true
      }

      noncurrent_version_expiration = {
        newer_noncurrent_versions = 5
        days                      = 30
      }
    }
  ]
}

resource "aws_lb" "main" {
  name               = var.prefix
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.lb.id]
  subnets            = var.vpc.public_subnets

  enable_deletion_protection = true

  access_logs {
    bucket  = module.s3_bucket_for_logs.s3_bucket_id
    prefix  = var.prefix
    enabled = true
  }
}
```
Steps to reproduce the behavior:
Just run `terraform apply`.
Expected behavior
Clean apply
Actual behavior
Permission denied
Terminal Output Screenshot(s)
Provided above
Additional context
I'm using an old version, but I checked and the bug affects master too.
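An added worked check for this thread (not code from the terraform-aws-s3-bucket module or from the issue author): the AWS "Enable access logs" page linked above says the ALB bucket policy must allow `s3:PutObject` on `bucket/prefix/AWSLogs/account-id/*` either to the Elastic Load Balancing account for the bucket's region (for example `arn:aws:iam::127311923021:root` in us-east-1) or, in regions launched more recently, to the `logdelivery.elasticloadbalancing.amazonaws.com` service principal; `delivery.logs.amazonaws.com` is the Log Delivery principal used for NLB access logs, not ALB. The same page also states that ALB access logs support only SSE-S3 default encryption, which is worth checking against the reproduction above since it configures `aws:kms`. The script below evaluates a bucket policy document and the bucket's default SSE algorithm offline against those two requirements. The bucket name, account IDs and both sample policies are constructed for the example, the ELB account table is only an excerpt to be completed for your region, and Deny statements and policy Conditions are not evaluated.

```python
"""Offline sanity check of an S3 bucket for ALB access-log delivery.

Added example for this issue thread; not part of the module or the AWS SDK.
Checks only the two requirements from the AWS 'Enable access logs' page:
an Allow of s3:PutObject for the ALB log-delivery principal on the test-file
path, and SSE-S3 (not SSE-KMS) default encryption. Deny statements and
Conditions are deliberately not evaluated.
"""
import fnmatch

# Excerpt of the ELB account table from the AWS docs (assumption: complete it
# for the region you deploy to before relying on the result).
ELB_ACCOUNT_BY_REGION = {"us-east-1": "127311923021", "us-west-2": "797873946194"}
# Service principal ALB uses in regions launched after the account-ID scheme.
ALB_SERVICE_PRINCIPAL = "logdelivery.elasticloadbalancing.amazonaws.com"
# Principal used by NLB access logs; ALB does not deliver through it.
NLB_SERVICE_PRINCIPAL = "delivery.logs.amazonaws.com"


def _as_list(value):
    """IAM allows scalar-or-list for Statement, Action, Resource, Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten a statement's Principal into a set of strings ('*' stays '*')."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    out = set()
    for kind in ("AWS", "Service"):
        for p in _as_list(principal.get(kind)):
            # A bare 12-digit account id is shorthand for that account's root.
            out.add(f"arn:aws:iam::{p}:root" if p.isdigit() and len(p) == 12 else p)
    return out


def _allows_put(stmt, object_arn):
    """True if this Allow statement covers s3:PutObject on object_arn."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # actions are case-insensitive
    if not any(fnmatch.fnmatchcase("s3:putobject", a) for a in actions):
        return False
    return any(fnmatch.fnmatchcase(object_arn, r) for r in _as_list(stmt.get("Resource")))


def check_alb_log_delivery(policy, bucket, region, account_id, prefix="", sse_algorithm="AES256"):
    """Return a list of findings; an empty list means the bucket looks usable for ALB logs."""
    # ALB writes a test object at <prefix>/AWSLogs/<account>/ELBAccessLogTestFile when enabled.
    key = "/".join(p for p in (prefix.strip("/"), "AWSLogs", account_id, "ELBAccessLogTestFile") if p)
    object_arn = f"arn:aws:s3:::{bucket}/{key}"

    expected = {ALB_SERVICE_PRINCIPAL}
    elb_account = ELB_ACCOUNT_BY_REGION.get(region)
    if elb_account:
        expected.add(f"arn:aws:iam::{elb_account}:root")

    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if _allows_put(stmt, object_arn):
            granted |= _principals(stmt)

    findings = []
    if "*" in granted:
        findings.append("s3:PutObject is granted to Principal '*'; restrict it to the ELB principal")
    if not granted & expected:
        findings.append(f"no Allow of s3:PutObject on {object_arn} for an ALB log-delivery "
                        f"principal (expected one of {sorted(expected)})")
        if NLB_SERVICE_PRINCIPAL in granted:
            findings.append(f"{NLB_SERVICE_PRINCIPAL} is the NLB log-delivery principal; "
                            "ALB does not write through it")
    if sse_algorithm.lower() == "aws:kms":
        findings.append("default encryption is SSE-KMS; ALB access logs support only SSE-S3 (AES256)")
    return findings


# Constructed sample: a policy that grants only the NLB principal.
NLB_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": NLB_SERVICE_PRINCIPAL},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-alb-logs/*",
    }],
}

# Constructed sample: the shape the AWS docs give for an ALB in us-east-1.
ALB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::127311923021:root"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-alb-logs/my-app/AWSLogs/123456789012/*",
    }],
}

if __name__ == "__main__":
    for name, pol, sse in (("nlb-only+kms", NLB_ONLY_POLICY, "aws:kms"), ("alb", ALB_POLICY, "AES256")):
        result = check_alb_log_delivery(pol, "example-alb-logs", "us-east-1", "123456789012",
                                        prefix="my-app", sse_algorithm=sse)
        print(name, "->", result or "OK")
```

To run it against a real bucket, feed it the output of `aws s3api get-bucket-policy` (the `Policy` field, JSON-decoded) and the `SSEAlgorithm` from `aws s3api get-bucket-encryption`; the check is intentionally conservative, so a clean result is a prerequisite, not a guarantee, and a Deny statement or an ACL/ownership setting can still block delivery.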
Never mind, I misread the documentation. I'm still having this issue; it's just that this isn't the solution.
I'm going to lock this issue because it has been closed for 30 days