Terraform Failure configuring LB attributes

I followed the first answer in this post on StackOverflow, but I get this error:

Failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: myproject-log. Please check S3bucket permission
status code: 400

Here is my code:

s3_bucket
data "aws_elb_service_account" "main" {}

resource "aws_s3_bucket" "bucket_log" {
  bucket = "${var.project}-log"
  acl    = "log-delivery-write"
  policy = <<POLICY
{
  "Id": "Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::${var.project}-log/AWSLogs/*",
      "Principal": {
        "AWS": [
          "${data.aws_elb_service_account.main.arn}"
        ]
      }
    }
  ]
}
POLICY
}
Load balancer

resource "aws_lb" "vm_stage" {
  name               = "${var.project}-lb-stg"
  internal           = false
  load_balancer_type = "application"
  subnets            = [aws_subnet.subnet_1.id, aws_subnet.subnet_2.id, aws_subnet.subnet_3.id]
  security_groups    = [aws_security_group.elb_project_stg.id]

  access_logs {
    bucket  = aws_s3_bucket.bucket_log.id
    prefix  = "lb-stg"
    enabled = true
  }

  tags = {
    Name = "${var.project}-lb-stg"
  }
}
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html

Refer to the documentation above and change the bucket's IAM policy to reflect what the documentation says. The logging is actually done by AWS, not by your role or IAM user, so you need to grant AWS permission to do it. That is why the documentation shows a statement in the policy specifying the delivery.logs.amazonaws.com principal. That principal is the AWS logging service. Even though your bucket is hosted on AWS, by default they do not grant themselves access to your bucket. If you want their service to work, you must explicitly grant access to AWS.
Just wanted to put this here, because this also applies to another question that was asked.

It took me a while to figure out, but according to the documentation the S3 bucket has two requirements:

Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
Although the error message makes it look like a permissions problem, it may actually be a problem with the wrong bucket encryption type. In my case the problem was that my bucket was not encrypted.

After updating the bucket to SSE-S3 encryption, I no longer get the error:
resource "aws_s3_bucket" "s3_access_logs_bucket" {
  bucket = var.access_logs_bucket_name
  acl    = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  versioning {
    enabled = true
  }
}
And just because, here is the policy I used:

data "aws_elb_service_account" "main" {}

data "aws_iam_policy_document" "s3_lb_write" {
  statement {
    principals {
      identifiers = ["${data.aws_elb_service_account.main.arn}"]
      type        = "AWS"
    }

    actions = ["s3:PutObject"]

    resources = [
      "${aws_s3_bucket.s3_access_logs_bucket.arn}/*"
    ]
  }
}

resource "aws_s3_bucket_policy" "load_balancer_access_logs_bucket_policy" {
  bucket = aws_s3_bucket.s3_access_logs_bucket.id
  policy = data.aws_iam_policy_document.s3_lb_write.json
}
I also struggled with this; below is the entire Terraform bucket policy that worked for me.

data "aws_iam_policy_document" "elb_bucket_policy" {
  statement {
    effect = "Allow"
    resources = [
      "arn:aws:s3:::unique-bucket-name/${local.prefix}/AWSLogs/${local.application_account_id}/*",
    ]
    actions = ["s3:PutObject"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.elb_account_id}:root"]
    }
  }

  statement {
    effect = "Allow"
    resources = [
      "arn:aws:s3:::unique-bucket-name/${local.prefix}/AWSLogs/${local.application_account_id}/*",
    ]
    actions = ["s3:PutObject"]
    principals {
      type        = "Service"
      identifiers = ["logdelivery.elb.amazonaws.com"]
    }
  }

  statement {
    effect = "Allow"
    resources = [
      "arn:aws:s3:::unique-bucket-name/${local.prefix}/AWSLogs/${local.application_account_id}/*",
    ]
    actions = ["s3:PutObject"]
    principals {
      type        = "Service"
      identifiers = ["logdelivery.elb.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}
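Pulling the answers together, here is an added example (not code from the question or from any of the answers) of a complete access-log bucket and policy written with the split aws_s3_bucket_* resources of AWS provider v4 and later. var.project, the subnet and security-group references and the lb-stg prefix are placeholders. It covers the three things that produce the "Access Denied for bucket" failure discussed on this page: the policy resource path must contain the same prefix that access_logs sets plus the account ID (ELB writes keys as prefix/AWSLogs/account-id/..., so a resource of bucket/AWSLogs/* as in the question never matches a prefixed key), the bucket must use SSE-S3 (AES256) rather than SSE-KMS, and the bucket must be in the same region as the load balancer.

```hcl
# Added example, not from the question or any answer.
# Assumed placeholders: var.project, aws_subnet.subnet_1/2, aws_security_group.elb_project_stg.

# ELB service account for the provider's region; this is the principal that writes the logs.
data "aws_elb_service_account" "main" {}
data "aws_caller_identity" "current" {}

locals {
  log_prefix = "lb-stg" # must be identical in the policy and in access_logs
}

resource "aws_s3_bucket" "lb_logs" {
  bucket = "${var.project}-log"
}

# ALB access logging supports SSE-S3 only; SSE-KMS is not accepted for the log bucket.
resource "aws_s3_bucket_server_side_encryption_configuration" "lb_logs" {
  bucket = aws_s3_bucket.lb_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# The log bucket has no reason to be reachable anonymously.
resource "aws_s3_bucket_public_access_block" "lb_logs" {
  bucket                  = aws_s3_bucket.lb_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Least privilege: s3:PutObject only, scoped to <prefix>/AWSLogs/<account-id>/*.
data "aws_iam_policy_document" "lb_logs" {
  statement {
    sid     = "AllowELBAccountPutObject"
    effect  = "Allow"
    actions = ["s3:PutObject"]
    resources = [
      "${aws_s3_bucket.lb_logs.arn}/${local.log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "lb_logs" {
  bucket = aws_s3_bucket.lb_logs.id
  policy = data.aws_iam_policy_document.lb_logs.json
}

resource "aws_lb" "vm_stage" {
  name               = "${var.project}-lb-stg"
  internal           = false
  load_balancer_type = "application"
  subnets            = [aws_subnet.subnet_1.id, aws_subnet.subnet_2.id]
  security_groups    = [aws_security_group.elb_project_stg.id]

  access_logs {
    bucket  = aws_s3_bucket.lb_logs.id
    prefix  = local.log_prefix
    enabled = true
  }

  # AWS validates the bucket policy and encryption when the access_logs attribute is
  # applied, so both must exist before the load balancer is created or modified.
  depends_on = [
    aws_s3_bucket_policy.lb_logs,
    aws_s3_bucket_server_side_encryption_configuration.lb_logs,
  ]
}
```

If the attribute still fails after terraform apply, check that the bucket and the load balancer are in the same region, and run terraform state show aws_s3_bucket_policy.lb_logs to confirm the rendered resource ARN contains the configured prefix and your account ID.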