From df24ea441d5502f6bf55bd627e71138c7c24d34d Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Sat, 18 Jan 2025 10:11:17 -0600
Subject: [PATCH] fix: bucket policy for new AWS Regions (#322)
* Fix bucket policy for new AWS Regions
* chore additional regions
---------
Co-authored-by: Alex V <3154932+alexandervasylev@users.noreply.github.com>
---
 .terraform.lock.hcl | 25 +++++++++++++++++++++++++
 main.tf | 17 +++++++++++++----
 2 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 .terraform.lock.hcl
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..1329a38
--- /dev/null
+++ b/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.83.1"
+ constraints = ">= 3.75.0"
+ hashes = [
+ "h1:vInFMDq9oMs53/i+7IU8hZgmTLhFfng8L8kbuALZxSI=",
+ "zh:0313253c78f195973752c4d1f62bfdd345a9c99c1bc7a612a8c1f1e27d51e49e",
+ "zh:108523f3e9ebc93f7d900c51681f6edbd3f3a56b8a62b0afc31d8214892f91e0",
+ "zh:175b9bf2a00bea6ac1c73796ad77b0e00dcbbde166235017c49377d7763861d8",
+ "zh:1c8bf55b8548bbad683cd6d7bdb03e8840a00b2422dc1529ffb9892820657130",
+ "zh:22338f09bae62d5ff646de00182417f992548da534fee7d98c5d0136d4bd5d7a",
+ "zh:92de1107ec43de60612be5f6255616f16a9cf82d88df1af1c0471b81f3a82c16",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9c7bfb7afea330e6d90e1466125a8cba3db1ed4043c5da52f737459c89290a6e",
+ "zh:ba59b374d477e5610674b70f5abfe0408e8f809390347372751384151440d3d0",
+ "zh:bd1c433966002f586d63cb1e3e16326991f238bc6beeb2352be36ec651917b0b",
+ "zh:ca2b4d1d02651c15261fffa4b142e45def9a22c6069353f0f663fd2046e268f8",
+ "zh:d8ed98c748f7a3f1a72277cfee9afe346aca39ab319d17402277852551d8f14a",
+ "zh:ed3d8bc89de5f35f3c5f4802ff7c749fda2e2be267f9af4a850694f099960a72",
+ "zh:f698732a4391c3f4d7079b4aaa52389da2a460cac5eed438ed688f147d603689",
+ "zh:f9f51b17f2978394954e9f6ab9ef293b8e11f1443117294ccf87f7f8212b3439",
+ ]
+}
diff --git a/main.tf b/main.tf
index 39e6ac3..5dcde7c 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,15 @@
+locals {
+ # The bucket policy that you'll use depends on the AWS Region of the bucket. Each expandable section in
+ # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
+ # contains a bucket policy and information about when to use that policy.
+ is_region_after_082022 = contains(
+ ["ap-south-2", "ap-southeast-4", "ap-southeast-5", "ap-southeast-7", "ca-west-1", "eu-south-2", "eu-central-2", "il-central-1", "me-central-1"], data.aws_region.current.name)
+}
+
 # Get the account id of the AWS ALB and ELB service account in a given region for the
 # purpose of whitelisting in a S3 bucket policy.
 data "aws_elb_service_account" "main" {
+ count = local.is_region_after_082022 == true ? 0 : 1
 }
 
 # The AWS account id
@@ -266,8 +275,8 @@ data "aws_iam_policy_document" "main" {
 sid = "elb-logs-put-object"
 effect = local.elb_effect
 principals {
- type = "AWS"
- identifiers = [data.aws_elb_service_account.main.arn]
+ type = local.is_region_after_082022 == true ? "Service" : "AWS"
+ identifiers = local.is_region_after_082022 == true ? ["logdelivery.elasticloadbalancing.amazonaws.com"] : [data.aws_elb_service_account.main.0.arn]
 }
 actions = ["s3:PutObject"]
 resources = local.elb_resources
@@ -281,8 +290,8 @@ data "aws_iam_policy_document" "main" {
 sid = "alb-logs-put-object"
 effect = local.alb_effect
 principals {
- type = "AWS"
- identifiers = [data.aws_elb_service_account.main.arn]
+ type = local.is_region_after_082022 == true ? "Service" : "AWS"
+ identifiers = local.is_region_after_082022 == true ? ["logdelivery.elasticloadbalancing.amazonaws.com"] : [data.aws_elb_service_account.main.0.arn]
 }
 actions = ["s3:PutObject"]
 resources = local.alb_resources
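Review bot: The Region list inside `is_region_after_082022` is a hard-coded allowlist, so any Region AWS launches after this commit silently falls back to the pre-August-2022 policy (the regional ELB account principal), which is exactly the case this change is fixing; as far as I can tell `mx-central-1` (launched January 2025) is already absent, but confirm that against the linked AWS page. Moving the list into an input variable with the current list as its default lets a caller add a Region without waiting for a module release, and the comment should say the default must track the "Regions available after August 2022" section of that page. The `== true` comparisons on a bool (in `count` here and in both principals blocks below) are redundant; `count = local.is_region_after_082022 ? 0 : 1` reads the same. `data.aws_region.current` is referenced but not declared in the hunk, so I assume it exists elsewhere in the file.
```hcl
variable "elb_service_principal_regions" {
  description = "Regions where ELB access-log delivery uses the logdelivery.elasticloadbalancing.amazonaws.com service principal instead of the regional ELB account (Regions launched after August 2022). Keep in sync with the AWS docs; override to add a Region before this module is updated."
  type        = list(string)
  default     = ["ap-south-2", "ap-southeast-4", "ap-southeast-5", "ap-southeast-7", "ca-west-1", "eu-south-2", "eu-central-2", "il-central-1", "me-central-1"]
}

locals {
  # … unchanged: comment pointing at the AWS bucket-policy docs …
  is_region_after_082022 = contains(var.elb_service_principal_regions, data.aws_region.current.name)
}
```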
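Review bot: The `Service` branch of the elb-logs-put-object statement grants `s3:PutObject` to `logdelivery.elasticloadbalancing.amazonaws.com` with no account scoping; unlike the regional ELB account ARN in the `AWS` branch, a service principal is shared by every AWS account, so the only thing limiting whose load balancers can write into this bucket is `local.elb_resources`, which is defined outside the hunk. If that local does not already pin the key prefix to this account's `AWSLogs/<account-id>/*` (as the AWS example policy for post-August-2022 Regions does), a load balancer in another account can be pointed at this bucket and fill it; either make sure the prefix carries this account's ID, or add `condition { test = "StringEquals" variable = "aws:SourceAccount" values = [<this account id>] }` for the service-principal case, after confirming in the ELB docs that log delivery sets that key. The same applies to the alb-logs-put-object statement in the next hunk. The enclosing `statement` and the `data "aws_iam_policy_document" "main"` block both start before the hunk.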