我正在尝试将一些Terraform代码部署到我具有管理员访问权限设置的AWS环境中。此代码的目的是将日志从应用程序负载平衡器发送到S3存储桶。该代码能够毫无问题地创建存储桶,但是在记录其一部分时,会出现以下错误:
我无法解决此错误。下面是我的代码,用于创建负载均衡器,S3存储桶,以及为实施日志记录而实现的策略。任何意见将是有益的。预先感谢。
S3桶
data "aws_elb_service_account" "javahome" {}
resource "aws_s3_bucket" "alb_access_logs" {
bucket = var.alb_s3_logs
acl = "private"
region = var.region
tags = {
Name = "jalb-access-logs"
Environment = terraform.workspace
}
policy = templatefile("${path.module}/scripts/iam/alb-s3-access-logs.json", {
bucket_name = var.alb_s3_logs
prefix = var.prefix
policy_arn = data.aws_elb_service_account.javahome.arn
}
)
}
应用程序负载平衡器
resource "aws_lb" "javahome" {
name = var.alb_name
internal = false
load_balancer_type = var.lb_type
security_groups = [aws_security_group.elb_sg.id]
subnets = local.pub_sub_ids
access_logs {
bucket = aws_s3_bucket.alb_access_logs.bucket
prefix = var.prefix
enabled = true
}
tags = {
Environment = terraform.workspace
}
}
政策
{
"Version": "2012-10-17",
"Id": "javahome-alb-pilicy",
"Statement": [
{
"Sid": "root-access",
"Effect": "Allow",
"Principal": {
"AWS": "${policy_arn}"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${bucket_name}/${prefix}/AWSLogs/*"
},
{
"Sid": "log-delivery",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${bucket_name}/${prefix}/AWSLogs/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "log-delivery-access-check",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::${bucket_name}"
}
]
}