amazon s3 – S3 IAM error while “put” ing logs from ALB to S3 bucket

s3.tf

resource "aws_iam_role" "iam_role_replication" {
  name = "tf-iam-role-replication-12345"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

resource "aws_iam_policy" "iam_policy_replication" {
  name = "tf-iam-role-policy-replication-12345"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.s3_bucket_master.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
         "s3:GetObjectVersionTagging"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.s3_bucket_master.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.s3_bucket_slave.arn}/*"
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "replication" {
  role       = aws_iam_role.iam_role_replication.name
  policy_arn = aws_iam_policy.iam_policy_replication.arn
}

resource "aws_s3_bucket" "s3_bucket_slave" {
  bucket_prefix = "s3-bucket-slave-"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_slave_sse_config" {
  bucket = aws_s3_bucket.s3_bucket_slave.bucket

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.s3_kms_key.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_versioning" "s3_bucket_slave_versioning" {
  bucket = aws_s3_bucket.s3_bucket_slave.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket" "s3_bucket_master" {
  bucket_prefix = "s3-bucket-master-"
}
resource "aws_s3_bucket_policy" "s3_bucket_master_alb_put_policy" {
  bucket = aws_s3_bucket.s3_bucket_master.id
  policy = <<POLICY
{
  "Id": "Policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-elb-tf-test-bucket/AWSLogs/*",
      "Principal": {
        "AWS": [
          "${data.aws_elb_service_account.main.arn}"
        ]
      }
    }
  ]
}
POLICY
}


resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_master_sse_config" {
  bucket = aws_s3_bucket.s3_bucket_master.bucket
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.s3_kms_key.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_versioning" "s3_bucket_master_versioning" {
  bucket = aws_s3_bucket.s3_bucket_master.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_replication_configuration" "s3_bucket_master_replication" {
  # Must have bucket versioning enabled first
  depends_on = [aws_s3_bucket_versioning.s3_bucket_master_versioning]

  role   = aws_iam_role.iam_role_replication.arn
  bucket = aws_s3_bucket.s3_bucket_master.id

  rule {
    id = "foobar"
    delete_marker_replication {
      status = "Disabled"
    }
    filter {
      prefix = "foo"
    }

    status = "Enabled"

    destination {
      bucket        = aws_s3_bucket.s3_bucket_slave.arn
      storage_class = "STANDARD"
    }
  }
}

resource "aws_s3_bucket_acl" "s3_bucket_master_acl" {
  bucket = aws_s3_bucket.s3_bucket_master.id
  acl    = "private"
}

resource "aws_s3_bucket_acl" "s3_bucket_slave_acl" {
  bucket = aws_s3_bucket.s3_bucket_slave.id
  acl    = "log-delivery-write"
}
resource "aws_s3_bucket_public_access_block" "s3_bucket_master_public_access" {
  bucket                  = aws_s3_bucket.s3_bucket_master.id
  restrict_public_buckets = true
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
}
resource "aws_s3_bucket_public_access_block" "s3_bucket_slave_public_access" {
  bucket                  = aws_s3_bucket.s3_bucket_slave.id
  restrict_public_buckets = true
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
}
resource "aws_s3_bucket_logging" "example" {
  bucket = aws_s3_bucket.s3_bucket_master.id

  target_bucket = aws_s3_bucket.s3_bucket_slave.id
  target_prefix = "log/"
}

alb.tf

####################################################
# Target Group Creation
####################################################

resource "aws_lb_target_group" "lb_tg" {
  name        = "alb-target-group"
  port        = 80
  target_type = "instance"
  protocol    = "HTTP"
  vpc_id      = aws_vpc.vpc.id
}

####################################################
# Target Group Attachment with Instance
####################################################

resource "aws_alb_target_group_attachment" "tg_attachment" {
  count            = length(aws_instance.instance.*.id) == 3 ? 3 : 0
  target_group_arn = aws_lb_target_group.lb_tg.arn
  target_id        = element(aws_instance.instance.*.id, count.index)
}

####################################################
# Application Load balancer
####################################################

resource "aws_lb" "lb" {
  name                       = "alb"
  internal                   = true
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.sg.id, ]
  subnets                    = aws_subnet.public_subnet.*.id
  drop_invalid_header_fields = true
  access_logs {
    bucket  = aws_s3_bucket.s3_bucket_master.bucket
    prefix  = "access-logs-bucket"
    enabled = true
  }
  enable_deletion_protection = true
}

####################################################
# Listner
####################################################

resource "aws_lb_listener" "front_end" {
  load_balancer_arn = aws_lb.lb.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}


####################################################
# Listener Rule
####################################################

resource "aws_lb_listener_rule" "static" {
  listener_arn = aws_lb_listener.front_end.arn
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.lb_tg.arn

  }

  condition {
    path_pattern {
      values = ["/var/www/html/index.html"]
    }
  }
}

data.tf

# Get user 
data "aws_caller_identity" "current" {}

# Get Account 
data "aws_elb_service_account" "main" {}

Unfortunately, I am getting errors like the below:

│ Error: failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: s3-bucket-master-20220713135033356400000002. Please check S3bucket permission
│       status code: 400, request id: 9fd134e0-693e-4e99-a7d2-30c90fcdd1cf
│
│   with aws_lb.lb,
│   on alb.tf line 27, in resource "aws_lb" "lb":
│   27: resource "aws_lb" "lb" {
│
╵
╷
│ Error: Error putting S3 policy: MalformedPolicy: Policy has invalid resource
│       status code: 400, request id: 7SA30AY442BHE6HN, host id: yFchGmFFo35lLUM/FqyOgmyEH+IHAY47FI8+mLaY9eRY6nZs+ZwQnjNARnkN7TKkH/kOtsLgBz8=
│
│   with aws_s3_bucket_policy.s3_bucket_master_alb_put_policy,
│   on s3.tf line 93, in resource "aws_s3_bucket_policy" "s3_bucket_master_alb_put_policy":
│   93: resource "aws_s3_bucket_policy" "s3_bucket_master_alb_put_policy" {
│
╵

I followed the article from Terraform ELB S3 Permissions Issue

I am struggling to understand what exactly is the issue!?

Leave a Comment