terraform-aws-modules / terraform-aws-s3-bucket

Terraform module to create AWS S3 resources 🇺🇦

Home Page: https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws

Add support for new regions in ELB IAM policy

dfradejas opened this issue · comments

Hi,

For regions created after August 2022, the S3 policy that allows ELB access log storage has changed. Here is the documentation (see step 2): https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html.

To avoid this problem, I suggest these changes in the following files:

main.tf

data "aws_elb_service_account" "this" {
-  count = local.create_bucket && var.attach_elb_log_delivery_policy ? 1 : 0
+  count = local.create_bucket && var.attach_elb_log_delivery_policy && ! var.elb_in_new_region ? 1 : 0
 }
 
data "aws_iam_policy_document" "elb_log_delivery" {
  count = local.create_bucket && var.attach_elb_log_delivery_policy ? 1 : 0

  statement {
     sid = ""
 
     principals {
-      type        = "AWS"
-      identifiers = data.aws_elb_service_account.this[*].arn
+      type        = var.elb_in_new_region ? "Service" : "AWS"
+      identifiers = var.elb_in_new_region ? ["logdelivery.elasticloadbalancing.amazonaws.com"] : data.aws_elb_service_account.this[*].arn
     }
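Review bot: the gate on `data.aws_elb_service_account` relies entirely on the caller setting `elb_in_new_region` correctly; with the default `false` in a region launched after August 2022 the data source is still evaluated and fails with an unknown-region error before the policy is ever built, so this failure mode belongs in the variable description (or the module should skip the lookup where it is not needed). The `identifiers` conditional still references `data.aws_elb_service_account.this[*].arn` in its `false` branch, which resolves to an empty list when `count` is 0, so it is safe but deserves a comment. Minor: `terraform fmt` writes the unary operator without the space, `!var.elb_in_new_region`.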

variables.tf

variable "putin_khuylo" {
  description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
   type        = bool
   default     = true
 }
+
+variable "elb_in_new_region" {
+  description = "Set to True if the ELB is a region created after August 2022, so many S3 policies changes"
+  type        = bool
+  default     = false
+}
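Review bot: the description for `elb_in_new_region` is hard to follow ("so many S3 policies changes") and says "True" while HCL booleans are lowercase `true`; suggest something like `description = "Set to true when the bucket's region was launched after August 2022, where ELB access-log delivery uses the logdelivery.elasticloadbalancing.amazonaws.com service principal instead of the regional ELB account"`. Linking the AWS page cited in this issue from the description or the README would also tell users which regions are affected.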

Could you add these changes please?

Regards,
Daniel
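As an added example (not code from this issue or from the module), the following Python helper builds the bucket-policy statement the thread is about in both forms, the legacy form with the regional ELB account as `AWS` principal and the post-August-2022 form with the `logdelivery.elasticloadbalancing.amazonaws.com` service principal, and checks a statement for being broader than log delivery needs. The bucket name, account IDs and ARN used below are constructed placeholders.

```python
"""Build and sanity-check the S3 bucket-policy statement for ELB access-log delivery."""
from typing import List, Optional

# Service principal used by regions launched after August 2022 (AWS docs
# linked from the issue). Older regions use a per-region ELB account instead.
LOG_DELIVERY_SERVICE = "logdelivery.elasticloadbalancing.amazonaws.com"


def elb_log_statement(bucket: str, account_id: str, prefix: str = "",
                      new_region: bool = False,
                      legacy_elb_account_arn: Optional[str] = None) -> dict:
    """Return the Allow statement for ELB access-log delivery into `bucket`."""
    cleaned = prefix.strip("/")
    logs_prefix = f"{cleaned}/" if cleaned else ""
    # Logs always land under AWSLogs/<account-id>/, so scope the grant there.
    resource = f"arn:aws:s3:::{bucket}/{logs_prefix}AWSLogs/{account_id}/*"
    if new_region:
        principal = {"Service": LOG_DELIVERY_SERVICE}
    elif legacy_elb_account_arn:
        principal = {"AWS": legacy_elb_account_arn}
    else:
        raise ValueError("legacy regions need the regional ELB account ARN")
    return {"Sid": "ELBLogDelivery", "Effect": "Allow", "Principal": principal,
            "Action": "s3:PutObject", "Resource": resource}


def check_log_delivery_statement(stmt: dict, account_id: str) -> List[str]:
    """Flag ways a log-delivery statement is broader than the task requires."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    if any(a != "s3:PutObject" for a in actions):
        findings.append("grants actions beyond s3:PutObject")
    principal = stmt.get("Principal")
    if principal == "*" or principal == {"AWS": "*"}:
        findings.append("principal is anonymous (*)")
    resources = stmt.get("Resource", [])
    resources = [resources] if isinstance(resources, str) else resources
    for r in resources:
        if not r.endswith(f"/AWSLogs/{account_id}/*"):
            findings.append(f"resource not scoped to AWSLogs/{account_id}/: {r}")
    return findings


# Constructed over-broad statement for comparison (not from the page).
OVERBROAD = {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_SERVICE},
             "Action": "s3:*", "Resource": "arn:aws:s3:::my-logs/*"}
```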

This issue has been resolved in version 3.8.0 🎉

Hi @antonbabenko,

I've tried your solution in the new version but it still throws an error:

│ Error: Unknown region ("eu-south-2")
│ 
│   with module.s3_bucket_private_proxy.data.aws_elb_service_account.this[0],
│   on .terraform/modules/s3_bucket_private_proxy/main.tf line 530, in data "aws_elb_service_account" "this":
│  530: data "aws_elb_service_account" "this" {

Regards,
Daniel

Ok, thanks for giving it a shot. I will take a look at this issue and fix it.

Thanks a lot.

This issue has been resolved in version 3.8.2 🎉

@dfradejas Fixed in #219. Please try it out!

@antonbabenko Thanks a lot.

I noticed that the policy for new regions is being created for all the regions. Is that correct? I suppose it is not an error, but I just wanted to let you know.

Regards,
Daniel.

Yes, I think this is correct.