我遵循了 this 上的第一个答案在 StackOverflow 上发帖,但我收到此错误:
Failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: myproject-log. Please check S3bucket permission status code: 400
这是我的代码:
s3_bucket
data "aws_elb_service_account" "main" {}
resource "aws_s3_bucket" "bucket_log" {
bucket = "${var.project}-log"
acl = "log-delivery-write"
policy = <<POLICY
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.project}-log/AWSLogs/*",
"Principal": {
"AWS": [
"${data.aws_elb_service_account.main.arn}"
]
}
}
]
}
POLICY
}
负载均衡器
resource "aws_lb" "vm_stage" {
name = "${var.project}-lb-stg"
internal = false
load_balancer_type = "application"
subnets = [aws_subnet.subnet_1.id, aws_subnet.subnet_2.id, aws_subnet.subnet_3.id]
security_groups = [aws_security_group.elb_project_stg.id]
access_logs {
bucket = aws_s3_bucket.bucket_log.id
prefix = "lb-stg"
enabled = true
}
tags = {
Name = "${var.project}-lb-stg"
}
}
最佳答案
官方 AWS 文档
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
解决方案
引用上面的文档并更改存储桶的 iam 策略以反射(reflect)文档说明的内容。日志记录实际上是由 AWS 完成的,而不是您的角色或 IAM 用户。因此,您需要授予 ÅWS 权限才能执行此操作。这就是为什么文档在策略中显示指定 delivery.logs.amazonaws.com 的声明的原因。主要的。该委托(delegate)人是 AWS 日志记录服务。即使您的存储桶托管在 AWS 上,默认情况下他们也不会授予自己访问您的存储桶的权限。如果您希望他们的服务正常工作,您必须明确授予对 AWS 的访问权限。
关于amazon-web-services - Terraform 配置 LB 属性失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60110062/