Terraform:设置从AWS LoadBalancer到S3 bucket的日志记录
我有一个 aws_lb，想把它的访问日志写入一个 S3 存储桶。（标签：terraform, terraform-provider-aws）我尝试过但没有成功的做法：
# Regional, AWS-owned Elastic Load Balancing account that delivers ALB access
# logs to S3. Its ARN is the principal that must be allowed s3:PutObject on the
# log bucket (via the *bucket policy*, not an IAM role in this account).
data "aws_elb_service_account" "main" {}
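# Bucket policy allowing the regional ELB service account to deliver access logs.
# NOTE: an aws_iam_policy_document only renders a JSON string; nothing is granted
# until it is attached to the bucket, e.g.
#   resource "aws_s3_bucket_policy" "logs" {
#     bucket = aws_s3_bucket.logs.id
#     policy = data.aws_iam_policy_document.bucket_policy.json
#   }
# The attempt shown here never attaches it, which by itself leaves the load
# balancer unable to write.
data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid     = "AllowELBAccessLogDelivery"
    actions = ["s3:PutObject"]

    # Least privilege: ALB only writes under
    #   [<prefix>/]AWSLogs/<account-id>/elasticloadbalancing/<region>/...
    # so once the bucket and access_logs.prefix are final, tighten this to
    # "arn:aws:s3:::my-bucket/AWSLogs/<account-id>/*"
    # (or "arn:aws:s3:::my-bucket/<prefix>/AWSLogs/<account-id>/*").
    resources = ["arn:aws:s3:::my-bucket/*"]

    principals {
      type = "AWS"
      # Terraform 0.12 reference syntax; "${...}"-only interpolation is deprecated.
      identifiers = [data.aws_elb_service_account.main.arn]
    }
  }
}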
我也试过:
# NOTE(review): dead end for ALB access logging. Elastic Load Balancing writes
# logs from its own regional, AWS-owned account (data.aws_elb_service_account)
# and does not assume a role in the customer account, so the load balancer never
# uses this role. The grant has to live in the S3 bucket policy instead, as the
# working configuration further down this page does.
resource "aws_iam_role" "lb-logs-role" {
name = "lb-logs-role"
# Trust policy for the ELB service principal; valid JSON, but never exercised.
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "elasticloadbalancing.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
tags = {
Name = "lb-logs-role"
Environment = terraform.workspace
Management = "Managed by Terraform"
}
}
# NOTE(review): companion to the role above — grants s3:PutObject to a role that
# nothing ever assumes, so it does not enable log delivery. Once the bucket
# policy approach is used, both IAM resources can be removed.
resource "aws_iam_role_policy" "s3-logs-access" {
name = "s3-logs-access"
role = aws_iam_role.lb-logs-role.id
# Object-level write on the whole bucket; if kept for any other purpose, scope
# it to the AWSLogs/<account-id>/ path.
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
EOF
}
有什么想法吗？

问题似乎出在您的策略上。您可以用 aws_lb 试试我的代码：下面是在默认 VPC 中启动一个 LB 的完整配置，包括创建日志 bucket（注意：这里写的是 test-bucket-1-unique-name，而代码里实际使用的名字是 test-bucket-1-for-lb-logs，两处必须一致）、对应的 bucket 策略、名为 test-http-lb 的负载均衡器、安全组，以及已注释掉的 Route53 记录。
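# Internet-facing ALB with access logging to aws_s3_bucket.bucket.
resource "aws_lb" "httplb" {
  name               = "test-http-lb"
  internal           = false # public-facing; exposure is governed by lbsg below
  load_balancer_type = "application"
  # Terraform 0.12 reference syntax; "${...}"-only interpolation is deprecated.
  security_groups = [aws_security_group.lbsg.id]
  # The answerer's default-VPC subnet IDs; replace before reuse.
  subnets = ["subnet-99fdf8e0", "subnet-902b0ddb"]
  # Off for a throw-away test; turn on anywhere a stray destroy would matter.
  enable_deletion_protection = false

  # Logs land under <bucket>/http-lb/AWSLogs/<account-id>/elasticloadbalancing/...
  # The bucket policy must let the regional ELB service account PutObject there,
  # and the bucket may only use SSE-S3 (AWS does not support SSE-KMS for ALB logs).
  access_logs {
    bucket  = aws_s3_bucket.bucket.bucket
    prefix  = "http-lb"
    enabled = true
  }

  # ELB verifies write access to the bucket at the moment logging is enabled.
  # The bucket reference above orders this resource after the bucket but NOT
  # after its policy, so without this Terraform may create the LB first and fail
  # with "Access Denied for bucket".
  depends_on = [aws_s3_bucket_policy.lb-bucket-policy]

  tags = {
    Environment = "test-http"
  }
}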
# Security group attached to the public ALB.
resource "aws_security_group" "lbsg" {
  name        = "test-loadbalancer-sg"
  description = "test-Allow LB traffic"

  # Plain HTTP from anywhere. That is the intent for an internet-facing
  # listener, but it is cleartext; production should terminate TLS on 443 with
  # an ACM certificate and redirect 80 -> 443.
  ingress {
    description = "HTTP"
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  # All outbound traffic. An ALB only needs to reach its targets (and
  # health-check them); tighten to the target group's port/SG once they exist.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "test-SG-Balancer"
  }
}
#uncomment this if you want to add route53 record
# resource "aws_route53_record" "web" {
# zone_id = "${data.aws_route53_zone.primary.zone_id}"
# name = "${var.env_prefix_name}.ironman.co"
# type = "A"
# alias {
# name = "${aws_lb.httplb.dns_name}"
# zone_id = "${aws_lb.httplb.zone_id}"
# evaluate_target_health = true
# }
# }
# Regional, AWS-owned ELB account whose ARN is the principal in the bucket
# policy below; it is the identity that actually writes ALB access logs.
data "aws_elb_service_account" "main" {}
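# Bucket policy letting the regional ELB service account write access logs.
# Derives the bucket ARN from the resource instead of repeating the bucket name
# (the prose above already drifted from the code once), and narrows the path to
# the AWSLogs/ folder ALB actually writes: <prefix>/AWSLogs/<account-id>/...
# "http-lb" must match access_logs.prefix on aws_lb.httplb; it is kept literal
# here because referencing the LB would order this policy *after* the LB, and
# ELB validates bucket access when logging is enabled.
resource "aws_s3_bucket_policy" "lb-bucket-policy" {
  bucket = aws_s3_bucket.bucket.id
  policy = <<POLICY
{
  "Id": "testPolicy1561031527701",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "testStmt1561031516716",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.bucket.arn}/http-lb/AWSLogs/*",
      "Principal": {
        "AWS": [
          "${data.aws_elb_service_account.main.arn}"
        ]
      }
    }
  ]
}
POLICY
}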
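# Destination bucket for ALB access logs.
resource "aws_s3_bucket" "bucket" {
  bucket = "test-bucket-1-for-lb-logs"
  acl    = "private"
  region = "us-west-2"

  versioning {
    enabled = false
  }

  # Encrypt logs at rest. ALB access-log delivery supports only SSE-S3 (AES256),
  # not SSE-KMS, so do not switch this to aws:kms.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Test-only: lets `terraform destroy` wipe the bucket *and every log in it*.
  # Set to false (and consider versioning / Object Lock) where logs are evidence.
  force_destroy = true
}

# Access logs must never be publicly readable. This does not interfere with the
# bucket policy, whose principal is a specific AWS account, not "*".
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}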
（以下是上面同一段配置的重复副本，原文被机器翻译损坏，已按上文恢复为原始 HCL。）

# Creating Load Balancer
resource "aws_lb" "httplb" {
  name                       = "test-http-lb"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = ["${aws_security_group.lbsg.id}"]
  subnets                    = ["subnet-99fdf8e0", "subnet-902b0ddb"]
  enable_deletion_protection = false

  access_logs {
    bucket  = "${aws_s3_bucket.bucket.bucket}"
    prefix  = "http-lb"
    enabled = true
  }

  tags = {
    Environment = "test-http"
  }
}

# Creating Security Groups for Load Balancer
resource "aws_security_group" "lbsg" {
  name        = "test-loadbalancer-sg"
  description = "test-Allow LB traffic"

  tags = {
    Name = "test-SG-Balancer"
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTP"
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

#uncomment this if you want to add route53 record
# resource "aws_route53_record" "web" {
#   zone_id = "${data.aws_route53_zone.primary.zone_id}"
#   name    = "${var.env_prefix_name}.ironman.co"
#   type    = "A"
#   alias {
#     name                   = "${aws_lb.httplb.dns_name}"
#     zone_id                = "${aws_lb.httplb.zone_id}"
#     evaluate_target_health = true
#   }
# }

data "aws_elb_service_account" "main" {}

# Creating policy on S3, for lb to write
resource "aws_s3_bucket_policy" "lb-bucket-policy" {
  bucket = "${aws_s3_bucket.bucket.id}"
看起来 API 会先读取 bucket 的 ACL 来检查权限并创建初始目录结构，因此即使 aws_elb_service_account 拥有 bucket 的 PutObject 权限，API 调用仍会失败。下面这个策略就是 AWS Web 控制台在为负载均衡器启用访问日志时生成的策略。

—— 它帮你解决了 S3 的问题，也帮我解决了。
# aws_region is declared but never referenced by the policy below; safe to drop.
data "aws_region" "current" {}
# Account ID used to scope the log path to this account's AWSLogs/ folder.
data "aws_caller_identity" "current" {}
# Regional, AWS-owned ELB account that delivers ALB access logs.
data "aws_elb_service_account" "main" {}
# Bucket policy for ELB access-log delivery, mirroring what the AWS console
# generates:
#   1. the regional ELB service account may PutObject under
#      AWSLogs/<this account>/ — the one statement an ALB needs;
#   2./3. the delivery.logs.amazonaws.com service may GetBucketAcl and PutObject
#      with bucket-owner-full-control — required for NLB logs, redundant but
#      harmless for an ALB alone.
# Caveats:
#   - If aws_lb.access_logs.prefix is set, objects land under
#     <prefix>/AWSLogs/<account>/... and these Resource ARNs will not match;
#     insert the prefix.
#   - Add `depends_on = [aws_s3_bucket_policy.lb-bucket-policy]` to the aws_lb
#     resource: ELB verifies write access when logging is enabled, and Terraform
#     may otherwise create the load balancer before this policy exists.
#   - NOTE(review): regions launched after Aug 2022 use the
#     logdelivery.elasticloadbalancing.amazonaws.com service principal instead
#     of the ELB account — confirm against the current ELB documentation.
resource "aws_s3_bucket_policy" "lb-bucket-policy" {
bucket = aws_s3_bucket.lb-log-storage-s3.id
policy = <<POLICY
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": [
"${data.aws_elb_service_account.main.arn}"
]
},
"Action": [
"s3:PutObject"
],
"Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
},
{
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:PutObject"
],
"Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl"
],
"Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}"
}
]
}
POLICY
}
（以下是上面同一段配置的重复副本，原文被机器翻译损坏，已按上文恢复为原始 HCL。）

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
data "aws_elb_service_account" "main" {}
resource "aws_s3_bucket_policy" "lb-bucket-policy" {
  bucket = aws_s3_bucket.lb-log-storage-s3.id
—— 请把遇到的错误信息编辑添加到问题里。
—— 我补充了一个可能重复的问题链接，不知道有多大帮助。
—— 我试过那个可能重复问题里的代码，但无效。不知道是否重要，但那个问题用的是 aws_elb 而不是 aws_lb。
—— @JosephTura 请看看我用 Terraform v0.12.1 做的测试。
@Joseph您尝试过这个吗。
# aws_region is declared but never referenced by the policy below; safe to drop.
data "aws_region" "current" {}
# Account ID used to scope the log path to this account's AWSLogs/ folder.
data "aws_caller_identity" "current" {}
# Regional, AWS-owned ELB account that delivers ALB access logs.
data "aws_elb_service_account" "main" {}
# Bucket policy for ELB access-log delivery, mirroring what the AWS console
# generates:
#   1. the regional ELB service account may PutObject under
#      AWSLogs/<this account>/ — the one statement an ALB needs;
#   2./3. the delivery.logs.amazonaws.com service may GetBucketAcl and PutObject
#      with bucket-owner-full-control — required for NLB logs, redundant but
#      harmless for an ALB alone.
# Caveats:
#   - If aws_lb.access_logs.prefix is set, objects land under
#     <prefix>/AWSLogs/<account>/... and these Resource ARNs will not match;
#     insert the prefix.
#   - Add `depends_on = [aws_s3_bucket_policy.lb-bucket-policy]` to the aws_lb
#     resource: ELB verifies write access when logging is enabled, and Terraform
#     may otherwise create the load balancer before this policy exists.
#   - NOTE(review): regions launched after Aug 2022 use the
#     logdelivery.elasticloadbalancing.amazonaws.com service principal instead
#     of the ELB account — confirm against the current ELB documentation.
resource "aws_s3_bucket_policy" "lb-bucket-policy" {
bucket = aws_s3_bucket.lb-log-storage-s3.id
policy = <<POLICY
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": [
"${data.aws_elb_service_account.main.arn}"
]
},
"Action": [
"s3:PutObject"
],
"Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
},
{
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:PutObject"
],
"Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:GetBucketAcl"
],
"Resource": "${aws_s3_bucket.lb-log-storage-s3.arn}"
}
]
}
POLICY
}