【发布时间】:2020-04-01 23:28:46
【问题描述】:
我正在尝试将一些 terraform 代码部署到我设置了管理员访问权限的 AWS 环境中。此代码的目的是将日志从应用程序负载均衡器发送到 S3 存储桶。该代码能够毫无问题地创建存储桶,但是在记录其中的一部分时,我会遇到以下错误:
我无法解决这个错误。下面是我创建负载均衡器、S3 存储桶的代码,以及我为进行日志记录而实施的策略。任何意见将是有益的。提前致谢。
S3 存储桶
data "aws_elb_service_account" "javahome" {}
resource "aws_s3_bucket" "alb_access_logs" {
bucket = var.alb_s3_logs
acl = "private"
region = var.region
tags = {
Name = "jalb-access-logs"
Environment = terraform.workspace
}
policy = templatefile("${path.module}/scripts/iam/alb-s3-access-logs.json", {
bucket_name = var.alb_s3_logs
prefix = var.prefix
policy_arn = data.aws_elb_service_account.javahome.arn
}
)
}
应用负载均衡器
resource "aws_lb" "javahome" {
name = var.alb_name
internal = false
load_balancer_type = var.lb_type
security_groups = [aws_security_group.elb_sg.id]
subnets = local.pub_sub_ids
access_logs {
bucket = aws_s3_bucket.alb_access_logs.bucket
prefix = var.prefix
enabled = true
}
tags = {
Environment = terraform.workspace
}
}
政策
{
"Version": "2012-10-17",
"Id": "javahome-alb-pilicy",
"Statement": [
{
"Sid": "root-access",
"Effect": "Allow",
"Principal": {
"AWS": "${policy_arn}"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${bucket_name}/${prefix}/AWSLogs/*"
},
{
"Sid": "log-delivery",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${bucket_name}/${prefix}/AWSLogs/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "log-delivery-access-check",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::${bucket_name}"
}
]
}
【问题讨论】:
-
这能回答你的问题吗? Terraform ELB S3 Permissions Issue
-
您所拥有的日志传递内容是用于 S3 将访问日志写入 S3 存储桶,而不是用于 ELB 访问日志。上面的链接答案显示了如何为 ELB 访问日志正确配置。
标签: amazon-web-services amazon-s3 terraform amazon-iam aws-application-load-balancer