GithubHelp home page GithubHelp logo

cn-terraform / terraform-aws-logs-s3-bucket Goto Github PK

View Code? Open in Web Editor NEW
3.0 3.0 6.0 59 KB

AWS S3 bucket for logs delivery

Home Page: https://registry.terraform.io/modules/cn-terraform/logs-s3-bucket

License: Apache License 2.0

HCL 100.00%
amazon-web-services aws aws-s3 aws-s3-logs logs terraform terraform-module

terraform-aws-logs-s3-bucket's People

Contributors

bion avatar dchocoboo avatar jnonino avatar nbeloglazov avatar ptwohig avatar renovate[bot] avatar

Stargazers

avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

ptwohig nbeloglazov dchocoboo gkranasinghe civiform dav3r

terraform-aws-logs-s3-bucket's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

github-actions
.github/workflows/pipeline.yml
  • actions/checkout v4
  • actions/checkout v4
terraform
versions.tf
  • aws >= 4
  • hashicorp/terraform >= 0.13
  • Check this box to trigger a request for Renovate to run again on this repository

Error putting S3 policy: MalformedPolicy: Missing required field Principal cannot be empty!

So, it looks like the bug is more in this module than in the static website module.

cn-terraform/terraform-aws-s3-static-website#38

Getting this error trying to create a static web site.

Error: Error putting S3 policy: MalformedPolicy: Missing required field Principal cannot be empty!
 	status code: 400, request id: [redacted], host id: [redacted]
 
   with module.mainsite.module.main_static_site.module.s3_logs_bucket.aws_s3_bucket_policy.logs_access_policy,
   on .terraform/modules/mainsite.main_static_site.s3_logs_bucket/main.tf line 70, in resource "aws_s3_bucket_policy" "logs_access_policy":
   70: resource "aws_s3_bucket_policy" "logs_access_policy" {

This is the terraform code taht produces this issue:

module "main_static_site" {
  source  = "cn-terraform/s3-static-website/aws"
  version = "0.0.17"
  name_prefix=var.deployment_name
  website_domain_name=var.main_site_domain_name
  create_route53_hosted_zone = false
  route53_hosted_zone_id = aws_route53_zone.main.zone_id
  providers = {
    aws.main = aws
    aws.acm_provider = aws
  }
}

Where the following applies:
* var.main_deployment_name = "production"
* var.main_site_domain_name = "mydomain.com"

I'm creating a hosted zone manually and passing it in.

The line in the associated module shows this on line 70:

```hcl
resource "aws_s3_bucket_policy" "logs_access_policy" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs_access_policy_document.json
}

I'm not sure which field is missing, but this is the result from AWS. Is there a known workaround for this?

ptwohig@ryzen:~/git/terraform-aws-logs-s3-bucket$ terraform version
Terraform v1.2.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.15.0
+ provider registry.terraform.io/hashicorp/random v3.2.0

Random value in bucket name triggers terraform error.

The error is:

Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.ecs_fargate_service.module.ecs-alb[0].module.lb_logs_s3[0].aws_s3_bucket.logs to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .tags_all: new element
│ "Name" has appeared.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.ecs_fargate_service.module.ecs-alb[0].module.lb_logs_s3[0].aws_s3_bucket.logs to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .tags_all: new element
│ "Type" has appeared.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

It seems to be caused by using dynamic value in the tag: hashicorp/terraform-provider-aws#19583

Also curious why is the name of the generated bucket has random string while all other resources in ECS, load balancer and other modules are deterministic.

Overly permissive service permission

The AWS S3 console for the generated log bucket shows the following security warning:

Ln 15, Col 15 | Restrict Access To Service Principal: Granting  access to a service principal without specifying a source is overly  permissive. Use aws:SourceArn or aws:SourceAccount condition key to  grant fine-grained access.
-- | --

Referring to the getBucketAcl action for ELB log delivery. I agree, adding a variable for sourceArn or sourceAccount would be best.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.