我能够使用控制台配置 ALB 以将请求记录到 S3 存储桶。当我尝试在 terraform 中做同样的事情时,我得到
Plan: 0 to add, 2 to change, 0 to destroy.
aws_lb.application-lb: Modifying... [id=arn:aws:elasticloadbalancing:us-east-1:033680424751:loadbalancer/app/jenkins-lb/c07011cee5f1e686]
aws_security_group.jenkins-sg: Modifying... [id=sg-0b34d797276fc4b51]
aws_security_group.jenkins-sg: Modifications complete after 4s [id=sg-0b34d797276fc4b51]
╷
│ Error: failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: alb-log-bucket-pcooke2002. Please check S3bucket permission
│ status code: 400, request id: 7a7aa92b-dc3c-433c-98d0-1fdcea782897
│
│ with aws_lb.application-lb,
│ on alb_acm.tf line 90, in resource "aws_lb" "application-lb":
│ 90: resource "aws_lb" "application-lb" {
│
知道如何更改我的 terraform 以配置 ALB 日志记录吗?
resource "aws_lb" "application-lb" {
provider = aws.region-master
name = "jenkins-lb"
internal = false
load_balancer_type = "application"
access_logs {
bucket = aws_s3_bucket.alb_log_bucket.bucket
prefix = "jenkins-lb"
enabled = true
}
}
我使用的策略是在我将 ALB 配置为将日志写入存储桶时从控制台生成的。我假设控制台生成的策略应该与使用 terraform 生成的策略相同。
resource "aws_s3_bucket" "alb_log_bucket" {
provider = aws.region-master
bucket = "alb-log-bucket-pcooke2002"
acl = "log-delivery-write"
force_destroy = true ## noticing this is not deleting content
policy = <<EOT
{
"Version": "2012-10-17",
"Id": "AWSConsole-AccessLogs-Policy-1626416539373",
"Statement": [
{
"Sid": "AWSConsoleStmt-1626416539373",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1#######:root"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::alb-log-bucket-pcooke2002/alb/AWSLogs/033680424751/*"
},
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::alb-log-bucket-pcooke2002/alb/AWSLogs/033680424751/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::alb-log-bucket-pcooke2002"
}
]
}
EOT
### using local-exec provisioner so bucket contets will be removed
provisioner "local-exec" {
command = "aws s3 rm s3://${self.bucket} --recursive"
when = destroy
}
}
resource "aws_s3_bucket_public_access_block" "block-access-log-bucket" {
provider = aws.region-master
bucket = aws_s3_bucket.alb_log_bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
我什至试图将政策减少到任何人无条件的所有行动,但仍然给了我同样的错误