5

I am having issues with Terraform: when I try to create an S3 bucket for my ELB access_log, I get the following error:

Error applying plan:

1 error(s) occurred:

* module.elb-author-dev.aws_elb.elb: 1 error(s) occurred:

* aws_elb.elb: Failure configuring ELB attributes: InvalidConfigurationRequest: Access Denied for bucket: my-elb-access-log. Please check S3bucket permission
status code: 409, request id: 13c63697-c016-11e7-8978-67fad50955bd

But if I go to the AWS console and manually grant public access to everyone on my S3 bucket, then re-run terraform apply, it works fine. Please help me resolve this issue.

My main.tf file

module "s3-access-logs" {
  source = "../../../../modules/aws/s3"

  s3_bucket_name       = "my-elb-access-data"
  s3_bucket_acl        = "private"
  s3_bucket_versioning = true
  s3_bucket_region     = "us-east-2"
}

# elastic load balancers (elb)
module "elb-author-dev" {
  source               = "../../../../modules/aws/elb"
  elb_sgs              = "${module.secgrp-elb-nonprod-author.security_group_id}"
  subnets              = ["subnet-a7ec0cea"]
  application_tier     = "auth"
  access_logs_enabled  = true
  access_logs_bucket   = "my-elb-access-log"
  access_logs_prefix   = "dev-auth-elb-access-log"
  access_logs_interval = "5"
  instances            = ["${module.ec2-author-dev.ec2_instance[0]}"]
}

my s3/main.tf

resource "aws_s3_bucket" "s3_data_bucket" {
  bucket = "${var.s3_bucket_name}"
  acl    = "${var.s3_bucket_acl}" #"public"

  region = "${var.s3_bucket_region}"

  policy = <<EOF
{
  "Id": "Policy1509573454872",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509573447773",
      "Action": "s3:PutObject",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-elb-access-log/dev-auth-elb/AWSLogs/my_account_id/*",
      "Principal": {
        "AWS": [
          "033677994240"
        ]
      }
    }
  ]
}
EOF

  versioning {
    enabled = "${var.s3_bucket_versioning}" #true
  }
  tags {
    Name      = "${var.s3_bucket_name}"
    Terraform = "${var.terraform_tag}"
  }
}

My elb.main.tf

access_logs {
  enabled       = "${var.access_logs_enabled}"  #false
  bucket        = "${var.access_logs_bucket}"
  bucket_prefix = "${var.environment_name}-${var.application_tier}-${var.access_logs_prefix}"
  interval      = "${var.access_logs_interval}"  #60
}
yesco1
  • Possible duplicate of [Terraform ELB S3 Permissions Issue](https://stackoverflow.com/questions/43366038/terraform-elb-s3-permissions-issue) – ydaetskcoR Nov 03 '17 at 12:21

2 Answers

12

AWS Bucket Permissions

You need to grant access to the ELB principal. Each region has a different principal.

Region            ELB Account Principal ID
us-east-1         127311923021
us-east-2         033677994240
us-west-1         027434742980
us-west-2         797873946194
ca-central-1      985666609251
eu-west-1         156460612806
eu-central-1      054676820928
eu-west-2         652711504416
ap-northeast-1    582318560864
ap-northeast-2    600734575887
ap-southeast-1    114774131450
ap-southeast-2    783225319266
ap-south-1        718504428378
sa-east-1         507241528517
us-gov-west-1*    048591011584
cn-north-1*       638102146993

* These regions require a separate account.

source: AWS access logging bucket permissions

Update: Looks like the info is no longer available at the link I posted. I haven't been able to find its new location. If someone locates it, please post a comment and I'll update this answer accordingly.

Terraform

In Terraform your resource config should look like the example below. You will need your AWS account ID and the principal ID from the table above:

resource "aws_s3_bucket" "s3_data_bucket" {
  bucket = "${var.s3_bucket_name}"
  acl    = "${var.s3_bucket_acl}"
  region = "${var.s3_bucket_region}"

  policy = <<EOF
{
  "Id": "Policy1509573454872",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509573447773",
      "Action": "s3:PutObject",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-elb-access-data/dev-auth-elb/AWSLogs/your-account-id/*",
      "Principal": {
        "AWS": ["principal_id_from_table_above"]
      }
    }
  ]
}
EOF
}

You may need to split the policy out separately rather than keeping it inline as above. In which case you'd need to add a bucket policy resource like this:

resource "aws_s3_bucket_policy" "elb_access_logs" {
  bucket = "${aws_s3_bucket.s3_data_bucket.id}"
  policy = <<EOF
{
  "Id": "Policy1509573454872",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1509573447773",
      "Action": "s3:PutObject",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-elb-access-data/dev-auth-elb/AWSLogs/your-account-id/*",
      "Principal": {
        "AWS": ["principal_id_from_table_above"]
      }
    }
  ]
}
EOF
}
schmidlop
  • I ran terraform and received the same error. I updated my s3/main.tf above and it still fails. Any ideas what I am missing? – yesco1 Nov 03 '17 at 21:01
  • 1
    Your bucket name doesn't match: it's 'my-elb-access-data' in main.tf and 'my-elb-access-log' in the resource name in s3/main.tf. I'll update my answer since it also doesn't match... – schmidlop Nov 06 '17 at 15:12
  • 1
    If you want to get the principal IDs from a lookup table, you can create a variable with a map: ` variable "alb_logging_principals" { type = "map" default = {"us-east-1": 127311923021,"us-east-2": 033677994240,...}}` And look it up in the S3 bucket section: `"AWS": ["${var.alb_logging_principals[var.aws_region]}"]` – Shaun Taylor May 27 '20 at 08:56
  • For your "Region, ELB Account Principal ID" list. How did you get this list of IDs? – ONMNZ Feb 28 '23 at 00:34
0

This worked for me, from the AWS documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/your-aws-account-id/*"
    }
  ]
}

elb-account-id was replaced with 127311923021 as for me it was the N. Virginia region.

Paul
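As an added illustration (this is not code from the question or from either answer), here is a small Python check that applies the two points raised on this page to a bucket policy before terraform apply: the Principal must be the log-delivery account for the ELB's region (the table in the first answer; the arn:aws:iam::<id>:root form from the second answer is accepted too), and the Resource must name the bucket the policy is actually attached to and cover the <prefix>/AWSLogs/<account-id>/ path the ELB writes under. It also flags a Principal of "*", which is what "public access to everyone" amounts to: it makes the bucket writable by anyone rather than by the ELB service. The account ID is a placeholder, the sample policies are constructed from the question's configuration, and the prefix argument is assumed to be whatever the ELB's bucket_prefix resolves to. Run with the question's policy it reports the same bucket-name mismatch schmidlop pointed out in the comments.

```python
import json
import re
from fnmatch import fnmatchcase

# Account IDs that deliver classic ELB access logs, per region, as listed in the
# table in the first answer above.
ELB_LOG_PRINCIPALS = {
    "us-east-1": "127311923021", "us-east-2": "033677994240",
    "us-west-1": "027434742980", "us-west-2": "797873946194",
    "ca-central-1": "985666609251", "eu-west-1": "156460612806",
    "eu-central-1": "054676820928", "eu-west-2": "652711504416",
    "ap-northeast-1": "582318560864", "ap-northeast-2": "600734575887",
    "ap-southeast-1": "114774131450", "ap-southeast-2": "783225319266",
    "ap-south-1": "718504428378", "sa-east-1": "507241528517",
    "us-gov-west-1": "048591011584", "cn-north-1": "638102146993",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account IDs named by a Principal element; '*' means anyone, including anonymous."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in _as_list(principal.get("AWS", [])):
        # Accept both the bare account ID and the arn:aws:iam::<id>:root form.
        match = re.fullmatch(r"arn:aws(?:-[a-z]+)?:iam::(\d{12}):root", entry)
        accounts.add(match.group(1) if match else entry)
    return accounts


def check_elb_log_policy(policy_json, bucket, region, account_id, prefix):
    """Return findings for a bucket policy meant to receive classic ELB access logs.

    An empty list means the regional ELB log account is granted s3:PutObject on
    <bucket>/<prefix>/AWSLogs/<account_id>/* and no statement opens PutObject to everyone.
    """
    findings = []
    expected = ELB_LOG_PRINCIPALS.get(region)
    if expected is None:
        return [f"no ELB log principal known for region {region}"]
    # An object the ELB would write; some Allow statement must cover it.
    sample_object = f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{account_id}/sample.log"
    delivery_allowed = False
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        principals = _principal_accounts(stmt.get("Principal", {}))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in principals:
            findings.append(f"{sid}: allows PutObject for any principal (public write); restrict it to {expected}")
        elif expected not in principals:
            findings.append(f"{sid}: principal(s) {sorted(principals)} are not the {region} ELB log account {expected}")
        # The bucket named in the Resource must be the bucket the policy is attached to.
        wrong_bucket = [r for r in resources if r.split(":::", 1)[-1].split("/", 1)[0] != bucket]
        if wrong_bucket:
            findings.append(f"{sid}: resource(s) {wrong_bucket} name a different bucket than '{bucket}'")
        elif not any(fnmatchcase(sample_object, r) for r in resources):
            findings.append(f"{sid}: resource(s) {resources} do not cover the delivery path {sample_object}")
        elif expected in principals:
            delivery_allowed = True
    if not delivery_allowed:
        findings.append(f"no statement grants s3:PutObject on the delivery path to {expected}")
    return findings


def make_policy(principal, resource):
    """Build the single-statement policy shape used in the answers above."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "ElbLogDelivery", "Effect": "Allow", "Action": "s3:PutObject",
        "Principal": principal, "Resource": resource}]})


# Constructed sample data: placeholder account ID, names taken from the question.
ACCOUNT_ID = "111122223333"
BUCKET, PREFIX, REGION = "my-elb-access-data", "dev-auth-elb", "us-east-2"
# The question's policy: Resource names my-elb-access-log, but the s3 module
# creates (and attaches the policy to) my-elb-access-data.
ASKER_POLICY = make_policy({"AWS": ["033677994240"]},
                           f"arn:aws:s3:::my-elb-access-log/{PREFIX}/AWSLogs/{ACCOUNT_ID}/*")
# Corrected policy, using the root-ARN principal form from the second answer.
FIXED_POLICY = make_policy({"AWS": "arn:aws:iam::033677994240:root"},
                           f"arn:aws:s3:::{BUCKET}/{PREFIX}/AWSLogs/{ACCOUNT_ID}/*")
# The "public access to everyone" workaround from the question.
PUBLIC_POLICY = make_policy("*", f"arn:aws:s3:::{BUCKET}/*")

if __name__ == "__main__":
    for name, policy in (("asker", ASKER_POLICY), ("fixed", FIXED_POLICY), ("public", PUBLIC_POLICY)):
        print(name, check_elb_log_policy(policy, BUCKET, REGION, ACCOUNT_ID, PREFIX) or "OK")
```

The principal table is only as current as the answer it is copied from; if a region is missing or an ID has changed, the function returns a single "no ELB log principal known" finding rather than guessing, which is the safe failure mode for a pre-apply check.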