Terraform ELB S3權限問題

Question

我在使用Terraform（v0.9.2）將服務添加到ELB（我正在使用：https://github.com/segmentio/stack/blob/master/s3-logs/main.tf）時遇到問題。

當我運行terraform apply我得到這個錯誤：

* module.solr.module.elb.aws_elb.main: 1 error(s) occurred: 

* aws_elb.main: Failure configuring ELB attributes: 
    InvalidConfigurationRequest: Access Denied for bucket: my-service- 
    logs. Please check S3bucket permission 
    status code: 409, request id: xxxxxxxxxx-xxxx-xxxx-xxxxxxxxx 

我的服務是這樣的：

module "solr" { 
    source = "github.com/segmentio/stack/service" 
    name = "${var.prefix}-${terraform.env}-solr" 
    environment = "${terraform.env}" 
    image = "123456789876.dkr.ecr.eu-west-2.amazonaws.com/my-docker-image" 
    subnet_ids = "${element(split(",", module.vpc_subnets.private_subnets_id), 3)}" 
    security_groups = "${module.security.apache_solr_group}" 
    port = "8983" 
    cluster = "${module.ecs-cluster.name}" 
    log_bucket = "${module.s3_logs.id}" 

    iam_role = "${aws_iam_instance_profile.ecs.id}" 
    dns_name = "" 
    zone_id = "${var.route53_zone_id}" 
} 

我的S3-日誌桶看起來是這樣的：

module "s3_logs" { 
    source = "github.com/segmentio/stack/s3-logs" 
    name = "${var.prefix}" 
    environment = "${terraform.env}" 
    account_id = "123456789876" 
} 

我在S3中檢查，並且存儲桶策略如下所示：

{ 
    "Version": "2012-10-17", 
    "Id": "log-bucket-policy", 
    "Statement": [ 
    { 
    "Sid": "log-bucket-policy", 
    "Effect": "Allow", 
    "Principal": { 
    "AWS": "arn:aws:iam::123456789876:root" 
    }, 
    "Action": "s3:PutObject", 
    "Resource": "arn:aws:s3:::my-service-logs/*" 
    } 
    ] 
} 

據我所見，ELB應該有權訪問S3存儲區來存儲日誌（它運行在同一AWS賬戶中）。

桶和ELB都在eu-west-2。

任何想法可能會是什麼問題將不勝感激。

Answer 1

ELB訪問日誌的docs表示您希望允許特定的Amazon帳戶能夠寫入S3，而不是您的帳戶。

因此你想要的東西，如：

{ 
    "Id": "Policy1429136655940", 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Sid": "Stmt1429136633762", 
     "Action": [ 
     "s3:PutObject" 
     ], 
     "Effect": "Allow", 
     "Resource": "arn:aws:s3:::my-loadbalancer-logs/my-app/AWSLogs/123456789012/*", 
     "Principal": { 
     "AWS": [ 
      "652711504416" 
     ] 
     } 
    } 
    ] 
} 

在Terraform可以使用aws_elb_service_account data source來自動獲取用於寫入日誌的帳戶ID作爲可以在例如在文檔中可以看出：

data "aws_elb_service_account" "main" {} 

resource "aws_s3_bucket" "elb_logs" { 
    bucket = "my-elb-tf-test-bucket" 
    acl = "private" 

    policy = <<POLICY 
{ 
    "Id": "Policy", 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Action": [ 
     "s3:PutObject" 
     ], 
     "Effect": "Allow", 
     "Resource": "arn:aws:s3:::my-elb-tf-test-bucket/AWSLogs/*", 
     "Principal": { 
     "AWS": [ 
      "${data.aws_elb_service_account.main.arn}" 
     ] 
     } 
    } 
    ] 
} 
POLICY 
} 

resource "aws_elb" "bar" { 
    name    = "my-foobar-terraform-elb" 
    availability_zones = ["us-west-2a"] 

    access_logs { 
    bucket = "${aws_s3_bucket.elb_logs.bucket}" 
    interval = 5 
    } 

    listener { 
    instance_port  = 8000 
    instance_protocol = "http" 
    lb_port   = 80 
    lb_protocol  = "http" 
    } 
}