我有一个需要把访问日志写入 S3 存储桶的 aws_lb。
我尝试过但失败的做法：
# Regional ELB service account. Its ARN is the AWS principal that the *bucket
# policy* has to allow; access-log delivery is authorised on the bucket side,
# not through a role the LB assumes.
data "aws_elb_service_account" "main" {}
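# Renders the bucket policy JSON that allows the regional ELB service account
# to write access logs. An aws_iam_policy_document on its own grants nothing —
# it is only a rendered document — which is consistent with the
# "Access Denied for bucket: my-bucket" error: the document was never attached
# to the bucket. The aws_s3_bucket_policy below does that.
data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid     = "AllowELBAccessLogDelivery"
    actions = ["s3:PutObject"]
    # Whole-bucket object scope is kept so behaviour is unchanged. The
    # least-privilege form is "<bucket>/<access_logs.prefix>/AWSLogs/<account-id>/*",
    # i.e. only the path the LB actually writes under.
    resources = ["arn:aws:s3:::my-bucket/*"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
  }
}

# Attaches the rendered document to the bucket. Without this resource the
# policy is never applied and S3 keeps rejecting the ELB service account.
resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = "my-bucket"
  policy = data.aws_iam_policy_document.bucket_policy.json
}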
我也尝试过:
# IAM role trusted by elasticloadbalancing.amazonaws.com. This does not address
# the Access Denied error: ELB access-log delivery is authorised by a bucket
# policy that lets the regional ELB service account (data.aws_elb_service_account)
# s3:PutObject into the bucket; the service does not assume a customer-owned
# role for it, so nothing on the LB side ever uses this role.
resource "aws_iam_role" "lb-logs-role" {
  name               = "lb-logs-role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "elasticloadbalancing.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
  tags = {
    Name        = "lb-logs-role"
    Environment = terraform.workspace
    Management  = "Managed by Terraform"
  }
}
# Inline policy on the role above: s3:PutObject on every key in my-bucket.
# It is an identity policy scoped to that role, so the ELB service account
# gains nothing from it; the equivalent grant has to live in the bucket policy
# (resource-based), with the ELB service account as the principal.
resource "aws_iam_role_policy" "s3-logs-access" {
  name   = "s3-logs-access"
  role   = aws_iam_role.lb-logs-role.id
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
EOF
}
这是我看到的错误:
Error: Failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: my-bucket. Please check S3bucket permission
status code: 400, request id: 5b629210-9738-11e9-bcc6-6f3b4f22bf28
on modules/tableau-linux/lb.tf line 1, in resource "aws_lb" "main":
1: resource "aws_lb" "main" {
有什么想法吗?
答案 0 :(得分:0)
似乎是您的策略存在问题，但您可以试试我的 aws_lb 代码。这是一份完整配置：在默认 VPC 中启动一个 LB，并创建名为 test-bucket-1-unique-name 的存储桶、相应的策略，以及名为 test-http-lb 的负载均衡器，连同已注释掉的 SG 和 Route53 条目。然后转到您的 S3 存储桶并验证：
# Creating Load Balancer
# Internet-facing Application Load Balancer (internal = false) that writes its
# access logs to aws_s3_bucket.bucket under the "http-lb" prefix. That prefix
# must agree with the object path granted in the bucket policy, otherwise the
# LB's writes land outside the allowed path and are denied.
# The subnet IDs are sample values from one account — replace them with yours.
resource "aws_lb" "httplb" {
  name               = "test-http-lb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = ["${aws_security_group.lbsg.id}"]
  subnets            = ["subnet-99fdf8e0", "subnet-902b0ddb"]
  # Off for a throw-away test LB; enable it for anything long-lived.
  enable_deletion_protection = false
  access_logs {
    bucket  = "${aws_s3_bucket.bucket.bucket}"
    prefix  = "http-lb"
    enabled = true
  }
  tags = {
    Environment = "test-http"
  }
}
# Creating Security Groups for Load Balancer
# Security group for the LB: HTTP from anywhere in, everything out.
# Plain HTTP on 0.0.0.0/0 is acceptable for this test setup; a production
# listener would terminate HTTPS (443) and narrow the source where possible.
resource "aws_security_group" "lbsg" {
  name        = "test-loadbalancer-sg"
  description = "test-Allow LB traffic"
  tags = {
    Name = "test-SG-Balancer"
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTP"
  }
  # Unrestricted egress (protocol "-1" = all protocols, all ports).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
#uncomment this if you want to add route53 record
# resource "aws_route53_record" "web" {
# zone_id = "${data.aws_route53_zone.primary.zone_id}"
# name = "${var.env_prefix_name}.ironman.co"
# type = "A"
# alias {
# name = "${aws_lb.httplb.dns_name}"
# zone_id = "${aws_lb.httplb.zone_id}"
# evaluate_target_health = true
# }
# }
# Regional ELB service account — the AWS principal the bucket policy below
# must allow to s3:PutObject.
data "aws_elb_service_account" "main" {}
# Creating policy on S3, for lb to write
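# Bucket policy that lets the regional ELB service account write access logs.
# The object path is derived from the bucket resource instead of repeating the
# bucket name as a literal ARN, so renaming the bucket cannot leave the policy
# silently pointing at a different bucket. It is also narrowed to the path the
# LB actually writes under: <bucket>/<access_logs.prefix>/AWSLogs/...
# "http-lb" must match aws_lb.httplb.access_logs.prefix. Narrow further to
# /AWSLogs/<account-id>/* if you also look up the account id.
resource "aws_s3_bucket_policy" "lb-bucket-policy" {
  bucket = "${aws_s3_bucket.bucket.id}"
  policy = <<POLICY
{
  "Id": "testPolicy1561031527701",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "testStmt1561031516716",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.bucket.arn}/http-lb/AWSLogs/*",
      "Principal": {
        "AWS": [
          "${data.aws_elb_service_account.main.arn}"
        ]
      }
    }
  ]
}
POLICY
}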
# Destination bucket for the access logs. Private ACL, versioning off.
# force_destroy = true means `terraform destroy` deletes the bucket together
# with every log object in it — keep it false wherever logs must be retained.
# Nothing here enables default encryption or blocks public access; both are
# worth adding for a log bucket.
resource "aws_s3_bucket" "bucket" {
  bucket = "test-bucket-1-for-lb-logs"
  acl    = "private"
  region = "us-west-2"
  versioning {
    enabled = false
  }
  force_destroy = true
}
。
这是terraform的日志
答案 1 :(得分:0)
该 API 似乎会先请求存储桶的 ACL 来检查权限，并填充初始文件夹结构，因此即使 aws_elb_service_account 对该存储桶拥有 putObject 权限，API 调用仍会失败。下面的策略是 AWS Web 控制台在为您创建 S3 存储桶时生成的，它解决了我的问题。
# Account id (used to scope the log object path) and the regional ELB service
# account that delivers the logs. aws_region is not referenced by the policy
# shown below.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
data "aws_elb_service_account" "main" {}
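# Bucket policy for the LB access-log bucket (aws_s3_bucket.lb-log-storage-s3
# is defined elsewhere). The first statement lets the regional ELB service
# account write under AWSLogs/<account-id>/; the delivery.logs.amazonaws.com
# statements cover the log-delivery service, which reads the bucket ACL before
# writing — hence the s3:GetBucketAcl grant. If the LB's access_logs block
# sets a prefix, it goes between the bucket ARN and /AWSLogs.
# Both service-principal statements are pinned to this account with
# aws:SourceAccount, so the grant cannot be exercised on behalf of another
# account's load balancers (confused-deputy protection).
resource "aws_s3_bucket_policy" "lb-bucket-policy" {
  bucket = aws_s3_bucket.lb-log-storage-s3.id
  policy = <<POLICY
{
  "Id": "Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "${data.aws_elb_service_account.main.arn}"
        ]
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceAccount": "${data.aws_caller_identity.current.account_id}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl"
      ],
      "Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "${data.aws_caller_identity.current.account_id}"
        }
      }
    }
  ]
}
POLICY
}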