存储桶策略Terraform AWS中的未知原理

Question

我正在学习如何使用terraform实现基础设施的自动化。目前，我有一个应用程序负载均衡器，我希望将日志发送到S3存储桶中。我创建了一个指定策略的json文件，但当我尝试应用terraform代码时，出现以下错误：

​

​

我已经检查了我的AWS账号，检查了我登录的用户的权限，但无法弄清楚为什么会发生这种情况。下面也是我的策略的代码，以及S3存储桶的创建。任何建议都将不胜感激。

政策

{
"Version": "2012-10-17",
"Id": "javahome-alb-policy",
"Statement": [
    {
        "Sid": "root-access",
        "Effect": "Allow",
        "Principle": {
            "Service": "arn:aws:iam::aws-account-id:root"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::${access_logs_bucket}/AWSLogs/aws-account-id/*"
    },
    {
        "Sid": "log-delivery",
        "Effect": "Allow",
        "Principle": {
            "Service": "delivery.logs.amazonaws.com"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::${access_logs_bucket}/AWSLogs/aws-account-id/*",
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }
    },
    {
        "Sid": "log-delivery-access-check",
        "Effect": "Allow",
        "Principle": {
            "Service": "delivery.logs.amazonaws.com"
        },
        "Action": "s3:GetBucketAcl",
        "Resource": "arn:aws:s3:::${access_logs_bucket}"
    }
]

}

S3存储桶

resource "aws_s3_bucket" "alb_access_logs" {


bucket = var.alb_s3_logs
  policy = data.template_file.javahome.rendered
  acl    = "private"
  region = var.region
  tags = {
    Name        = "jalb-access-logs"
    Environment = terraform.workspace
  }
}

应用负载均衡器

resource "aws_lb_target_group" "javahome" {


name     = var.lb_tg_name
  port     = var.http_port
  protocol = "HTTP"
  vpc_id   = aws_vpc.my_app.id
}

resource "aws_lb_target_group_attachment" "javahome" {
  count            = var.web_ec2_count
  target_group_arn = aws_lb_target_group.javahome.arn
  target_id        = aws_instance.web.*.id[count.index]
  port             = var.http_port
}
resource "aws_lb" "javahome" {
  name               = var.alb_name
  internal           = false
  load_balancer_type = var.lb_type
  security_groups    = [aws_security_group.elb_sg.id]
  subnets            = local.pub_sub_ids

  access_logs {
    bucket  = aws_s3_bucket.alb_access_logs.bucket
    enabled = true
  }

  tags = {
    Environment = terraform.workspace
  }
}

resource "aws_lb_listener" "listener" {
  load_balancer_arn = aws_lb.javahome.arn
  port              = var.http_port
  protocol          = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.javahome.arn
  }
}

data "template_file" "javahome" {
  template = file("scripts/iam/alb-s3-access-logs.json")
  vars = {
    access_logs_bucket = var.alb_s3_logs
  }
}

Answer 1

这里的主要问题是拼写错误的Principle，正确的语法是Principal。此外，请查看文档中的日志来源，该日志来源是由AWS直接管理的AWS帐户。

下面是来自AWS Docs的一个示例：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/*"
    }
  ]
}

https://docs.aws.amazon.com/en_us/elasticloadbalancing/latest/application/load-balancer-access-logs.html

启用访问日志记录

为负载均衡器启用访问日志记录时，必须指定负载均衡器将在其中存储日志的S3存储桶的名称。存储桶必须与您的负载均衡在同一地域，并且必须具有存储桶策略，该存储桶策略授予弹性负载均衡将访问日志写入存储桶的权限。存储桶的所有者可以不同于负载均衡器所属的账户。

另外，过帐帐户ID不是一种好的做法。