AWS ALB 无法将访问日志写入存储桶

时间:2021-07-18 01:10:03

标签: terraform terraform-provider-aws

我能够使用控制台配置 ALB 以将请求记录到 S3 存储桶。当我尝试在 terraform 中做同样的事情时,我得到

Plan: 0 to add, 2 to change, 0 to destroy.
aws_lb.application-lb: Modifying... [id=arn:aws:elasticloadbalancing:us-east-1:033680424751:loadbalancer/app/jenkins-lb/c07011cee5f1e686]
aws_security_group.jenkins-sg: Modifying... [id=sg-0b34d797276fc4b51]
aws_security_group.jenkins-sg: Modifications complete after 4s [id=sg-0b34d797276fc4b51]
╷
│ Error: failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: alb-log-bucket-pcooke2002. Please check S3bucket permission
│   status code: 400, request id: 7a7aa92b-dc3c-433c-98d0-1fdcea782897
│ 
│   with aws_lb.application-lb,
│   on alb_acm.tf line 90, in resource "aws_lb" "application-lb":
│   90: resource "aws_lb" "application-lb" {
│

知道如何更改我的 terraform 以配置 ALB 日志记录吗?

resource "aws_lb" "application-lb" {
  provider           = aws.region-master
  name               = "jenkins-lb"
  internal           = false
  load_balancer_type = "application"

  access_logs {
    bucket  = aws_s3_bucket.alb_log_bucket.bucket
    prefix  = "jenkins-lb"
    enabled = true
  }
}

我使用的策略是在我将 ALB 配置为将日志写入存储桶时从控制台生成的。我假设控制台生成的策略应该与使用 terraform 生成的策略相同。


resource "aws_s3_bucket" "alb_log_bucket" {
  provider = aws.region-master

  bucket        = "alb-log-bucket-pcooke2002"
  acl           = "log-delivery-write"
  force_destroy = true ## noticing this is not deleting content
  policy        = <<EOT
{
    "Version": "2012-10-17",
    "Id": "AWSConsole-AccessLogs-Policy-1626416539373",
    "Statement": [
        {
            "Sid": "AWSConsoleStmt-1626416539373",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1#######:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::alb-log-bucket-pcooke2002/alb/AWSLogs/033680424751/*"
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::alb-log-bucket-pcooke2002/alb/AWSLogs/033680424751/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::alb-log-bucket-pcooke2002"
        }
    ]
}
EOT

  ### using local-exec provisioner so bucket contets will be removed
  provisioner "local-exec" {
    command = "aws s3 rm s3://${self.bucket} --recursive"
    when    = destroy
  }
}

resource "aws_s3_bucket_public_access_block" "block-access-log-bucket" {
  provider                = aws.region-master
  bucket                  = aws_s3_bucket.alb_log_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

我什至试图将政策减少到任何人无条件的所有行动,但仍然给了我同样的错误

0 个答案:

没有答案
相关问题
最新问题