I'm using Terraform 0.12.4 to attempt to write some code to enable the 'access logs' for my load balancer to write logs to an S3 bucket.

So far the buckets have been created and the load balancers have been created by someone else, but the bit where the 'access_logs' were supposed to be configured was commented out and a TODO comment was placed there also. Hmmm methinks.

There's too much code to place here, but I keep receiving access denied errors when setting them up. I've found a couple of resources detailing what to do but none work. Has anyone managed to do this in TF?

user1673554
  • You need to be very specific. What exactly are the errors? What is the code that triggers the errors? – Marcin Apr 16 '21 at 06:57
  • As Marcin above mentions it's going to be difficult to answer your question as is right now. It would be greatly improved if you could add a [mcve] to your question where you show just the creation of the load balancers and the S3 buckets alone and then show what error you get with that configuration. It's also possible that this is a duplicate of https://stackoverflow.com/a/43370460/2291321 which shows how to configure the permissions for load balancer access logs. – ydaetskcoR Apr 16 '21 at 09:37

1 Answer

According to the documentation on the Access Logs, you need to add permissions on your bucket for the ALB to write to S3.

data "aws_elb_service_account" "main" {}
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "allow_load_balancer_write" {
  statement {
    principals {
      # Region-specific AWS account that Elastic Load Balancing writes the logs from
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }

    actions = [
      "s3:PutObject"
    ]

    # <YOUR_PREFIX_HERE> must be the same prefix set in the load balancer's
    # access_logs block; with no prefix the path is "<bucket arn>/AWSLogs/<account>/*"
    resources = [
      "${aws_s3_bucket.access_logs.arn}/<YOUR_PREFIX_HERE>/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "access_logs" {
  # the same bucket resource the policy document above refers to
  bucket = aws_s3_bucket.access_logs.id
  policy = data.aws_iam_policy_document.allow_load_balancer_write.json
}

Also, it seems server-side encryption needs to be enabled on the bucket.

resource "aws_s3_bucket" "access_logs" {
  bucket_prefix = "<YOUR_BUCKET_NAME>-"
}

# SSE-S3 (AES256) on the log bucket; this stand-alone resource exists in
# AWS provider 4.x and later (earlier providers use the block inside aws_s3_bucket)
resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs_encryption" {
  bucket = aws_s3_bucket.access_logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
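The answer covers the bucket side only. Below is an added Terraform 0.12 example, not code from the question or the answer, that wires the ALB's own access_logs block to the same prefix the bucket policy grants and makes the policy attach before the load balancer, since ELB checks write access to the bucket when the load balancer is created or updated. The names web-alb and the alb prefix, and the var.public_subnet_ids input, are assumptions.

```hcl
# Region-specific account that Elastic Load Balancing uses to write access logs
data "aws_elb_service_account" "main" {}
data "aws_caller_identity" "current" {}

variable "public_subnet_ids" { type = list(string) }   # assumed input

locals {
  log_prefix = "alb"   # hypothetical prefix; must match access_logs.prefix below
}

resource "aws_s3_bucket" "access_logs" {
  bucket_prefix = "my-alb-access-logs-"   # placeholder name
}

data "aws_iam_policy_document" "allow_load_balancer_write" {
  statement {
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
    actions = ["s3:PutObject"]
    # Grant only the key layout ELB writes to, under the chosen prefix
    resources = ["${aws_s3_bucket.access_logs.arn}/${local.log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
  }
}

resource "aws_s3_bucket_policy" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id
  policy = data.aws_iam_policy_document.allow_load_balancer_write.json
}

resource "aws_lb" "web" {
  name               = "web-alb"   # placeholder
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids

  access_logs {
    bucket  = aws_s3_bucket.access_logs.id
    prefix  = local.log_prefix   # same prefix the policy resource path uses
    enabled = true
  }

  # The LB only references the bucket, not the policy, so without this the
  # LB can be created first and the API rejects it with Access Denied for the bucket
  depends_on = [aws_s3_bucket_policy.access_logs]
}
```

If the prefix in access_logs and the prefix in the policy resource path differ, the PutObject from the ELB account is denied even though everything else is correct.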