
I am trying to deploy some Terraform code into an AWS environment that I have admin access set up for. The purpose of this code is to send logs from an application load balancer into an S3 bucket. The code is able to create the bucket with no issue, but when it comes to the logging part of it I am presented with an error (screenshot of the error message not available).

I am having trouble figuring out how to get around this error. Below is my code for the creation of the load balancer, the S3 bucket, and also the policy I have implemented for the logging to take place. Any advice would be helpful. Thanks in advance.

S3 Bucket

data "aws_elb_service_account" "javahome" {}

resource "aws_s3_bucket" "alb_access_logs" {
  bucket = var.alb_s3_logs
  acl    = "private"
  region = var.region
  tags = {
    Name        = "jalb-access-logs"
    Environment = terraform.workspace
  }
  policy = templatefile("${path.module}/scripts/iam/alb-s3-access-logs.json", {
    bucket_name = var.alb_s3_logs
    prefix      = var.prefix
    policy_arn  = data.aws_elb_service_account.javahome.arn
  })
}

Application Load Balancer

resource "aws_lb" "javahome" {
  name               = var.alb_name
  internal           = false
  load_balancer_type = var.lb_type
  security_groups    = [aws_security_group.elb_sg.id]
  subnets            = local.pub_sub_ids

  access_logs {
    bucket  = aws_s3_bucket.alb_access_logs.bucket
    prefix  = var.prefix
    enabled = true
  }

  tags = {
    Environment = terraform.workspace
  }
}

Policy

{
  "Version": "2012-10-17",
  "Id": "javahome-alb-pilicy",
  "Statement": [
    {
      "Sid": "root-access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${policy_arn}"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket_name}/${prefix}/AWSLogs/*"
    },
    {
      "Sid": "log-delivery",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket_name}/${prefix}/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "log-delivery-access-check",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket_name}"
    }
  ]
}

Imran Sandozi
  • Does this answer your question? [Terraform ELB S3 Permissions Issue](https://stackoverflow.com/questions/43366038/terraform-elb-s3-permissions-issue) – ydaetskcoR Dec 09 '19 at 15:19
  • The log delivery stuff you have is for S3 writing access logs to an S3 bucket, not for ELB access logs. The linked answer above shows how to configure that properly for ELB access logs. – ydaetskcoR Dec 09 '19 at 15:21

1 Answer

This took me a while to figure out, but the S3 bucket has two requirements per the documentation:

  • The bucket must be located in the same Region as the load balancer.
  • Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.

Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html

While the error message makes it seem like a permissions issue, it may actually be an issue with the bucket having the wrong encryption type. In my case the issue was that my bucket was unencrypted.

I updated the bucket to SSE-S3 encryption and no longer received the error:

resource "aws_s3_bucket" "s3_access_logs_bucket" {
  bucket = var.access_logs_bucket_name
  acl = "private"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  versioning {
    enabled = true
  }
}
Dantheman91
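A configuration that meets both requirements from this answer (bucket in the same region as the ALB, SSE-S3) together with the ELB-service-account bucket policy that the comments on the question point to, as an added example that is not the code of either poster. It assumes the AWS provider 3.x syntax used above, that the bucket and the ALB are created by the same provider configuration (so they share a region), and these assumed names: var.alb_logs_bucket, var.prefix, var.alb_name, aws_security_group.elb_sg and local.pub_sub_ids.

```hcl
data "aws_elb_service_account" "main" {}  # regional ELB log-delivery account (assumed name)
data "aws_caller_identity" "current" {}   # our account ID, part of the log key prefix
resource "aws_s3_bucket" "alb_logs" {
  bucket = var.alb_logs_bucket              # assumed variable
  acl    = "private"
  # Requirement from the answer: SSE-S3 (AES256); other encryption types are not accepted.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# Keep the log bucket private regardless of later ACL or policy changes.
resource "aws_s3_bucket_public_access_block" "alb_logs" {
  bucket                  = aws_s3_bucket.alb_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Only the regional ELB account may write, and only under AWSLogs/<account-id>/.
resource "aws_s3_bucket_policy" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowELBAccessLogDelivery"
      Effect    = "Allow"
      Principal = { AWS = data.aws_elb_service_account.main.arn }
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.alb_logs.arn}/${var.prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
    }]
  })
}
resource "aws_lb" "app" {
  name               = var.alb_name          # assumed variable
  load_balancer_type = "application"
  security_groups    = [aws_security_group.elb_sg.id]
  subnets            = local.pub_sub_ids
  access_logs {
    bucket  = aws_s3_bucket.alb_logs.bucket
    prefix  = var.prefix
    enabled = true
  }
  depends_on = [aws_s3_bucket_policy.alb_logs] # policy must exist before the ALB validates bucket access
}
```

The `depends_on` matters because the ALB API checks that it can write to the bucket when `access_logs` is enabled, so creating the load balancer before the policy is attached produces the same access-denied style failure even with correct encryption.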