
I am trying to deploy some terraform code to an AWS environment in which I have set up administrator access. The purpose of this code is to send logs from an application load balancer to an S3 bucket. The code creates the bucket without any problem, but for the logging part I get the following error:

[screenshot of the error message]

I am having trouble figuring out how to fix this error. Below is the code I use to create the load balancer and the S3 bucket, along with the policy I implemented for logging. Any input would be helpful. Thanks in advance.

S3 bucket

data "aws_elb_service_account" "javahome" {}

resource "aws_s3_bucket" "alb_access_logs" {
  bucket = var.alb_s3_logs
  acl    = "private"
  region = var.region
  tags = {
    Name        = "jalb-access-logs"
    Environment = terraform.workspace
  }
  policy = templatefile("${path.module}/scripts/iam/alb-s3-access-logs.json", {
    bucket_name = var.alb_s3_logs
    prefix      = var.prefix
    policy_arn  = data.aws_elb_service_account.javahome.arn
  })
}

Application load balancer

resource "aws_lb" "javahome" {
  name               = var.alb_name
  internal           = false
  load_balancer_type = var.lb_type
  security_groups    = [aws_security_group.elb_sg.id]
  subnets            = local.pub_sub_ids

  access_logs {
    bucket  = aws_s3_bucket.alb_access_logs.bucket
    prefix  = var.prefix
    enabled = true
  }

  tags = {
    Environment = terraform.workspace
  }
}

Policy

{
  "Version": "2012-10-17",
  "Id": "javahome-alb-policy",
  "Statement": [
    {
      "Sid": "root-access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${policy_arn}"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket_name}/${prefix}/AWSLogs/*"
    },
    {
      "Sid": "log-delivery",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket_name}/${prefix}/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "log-delivery-access-check",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket_name}"
    }
  ]
}


1 Answer


It took me a while to figure out, but according to the documentation the S3 bucket has two requirements:

  • The bucket must be in the same region as the load balancer.
  • Amazon S3-managed encryption keys (SSE-S3) are required. No other encryption options are supported.

Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html

Although the error message makes it look like a permissions problem, it can actually be that the bucket has the wrong encryption type. In my case, the problem was that my bucket was not encrypted.

After updating the bucket to SSE-S3 encryption, I no longer get the error:

resource "aws_s3_bucket" "s3_access_logs_bucket" {
  bucket = var.access_logs_bucket_name
  acl = "private"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  versioning {
    enabled = true
  }

}
Answered 2021-12-28T23:44:04.273
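An added pre-flight check (my own script, not code from the question or the answer) that applies the two requirements the answer cites, same region and SSE-S3, to `terraform show -json` output before `apply`, and goes one step beyond the answer by also checking that the bucket policy grants `s3:PutObject` under `<prefix>/AWSLogs/` as the question's policy does. It assumes the planned_values layout described in the docstring; the plan it runs on is a constructed sample, not a real plan file.

```python
"""Pre-flight check for an ALB access-log bucket, run over `terraform show -json <plan>` output.
Assumption (not from the question): resources come from planned_values, where Terraform
renders nested blocks such as server_side_encryption_configuration as lists."""
import json

def _resources(plan, rtype):
    mod = plan.get("planned_values", {}).get("root_module", {})
    return [r for r in mod.get("resources", []) if r.get("type") == rtype]

def check_alb_log_bucket(plan, alb_region):
    """Return findings for every aws_lb with access logs enabled; [] means the bucket passes."""
    findings = []
    buckets = {b["values"].get("bucket"): b["values"] for b in _resources(plan, "aws_s3_bucket")}
    for lb in _resources(plan, "aws_lb"):
        for cfg in lb["values"].get("access_logs", []):
            if not cfg.get("enabled"):
                continue
            name, vals = cfg.get("bucket"), buckets.get(cfg.get("bucket"))
            if vals is None:
                findings.append(f"{lb['address']}: log bucket {name!r} is not managed in this plan")
                continue
            # Requirement 1: the bucket must be in the same region as the load balancer.
            if vals.get("region") not in (None, alb_region):
                findings.append(f"{name}: bucket region {vals['region']} != ALB region {alb_region}")
            # Requirement 2: default encryption must be SSE-S3 (AES256); KMS or no encryption fails.
            algos = [d.get("sse_algorithm")
                     for sse in vals.get("server_side_encryption_configuration") or []
                     for rule in sse.get("rule", [])
                     for d in rule.get("apply_server_side_encryption_by_default", [])]
            if algos != ["AES256"]:
                findings.append(f"{name}: default encryption {algos or 'missing'}; ALB logs need AES256 (SSE-S3)")
            # The bucket policy must allow s3:PutObject under <prefix>/AWSLogs/ (just AWSLogs/ without a prefix).
            want = f"arn:aws:s3:::{name}/" + (f"{cfg['prefix']}/AWSLogs/" if cfg.get("prefix") else "AWSLogs/")
            stmts = json.loads(vals.get("policy") or "{}").get("Statement", [])
            acts = lambda s: [s["Action"]] if isinstance(s.get("Action"), str) else s.get("Action", [])
            ok = any(s.get("Effect") == "Allow" and "s3:PutObject" in acts(s)
                     and str(s.get("Resource")).startswith(want) for s in stmts)
            if not ok:
                findings.append(f"{name}: no Allow s3:PutObject statement covering {want}*")
    return findings

# Constructed sample mirroring the question: region and policy set, but no default encryption.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.alb_access_logs", "type": "aws_s3_bucket", "values": {
        "bucket": "jalb-access-logs", "region": "us-east-1", "server_side_encryption_configuration": [],
        "policy": json.dumps({"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                                             "Resource": "arn:aws:s3:::jalb-access-logs/alb/AWSLogs/*"}]})}},
    {"address": "aws_lb.javahome", "type": "aws_lb", "values": {
        "access_logs": [{"bucket": "jalb-access-logs", "prefix": "alb", "enabled": True}]}}]}}}
```

On the sample plan the only finding is the missing SSE-S3 default encryption, which is exactly what the answer identified; adding the AES256 rule from the answer's bucket makes the check pass.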