9
votes

I am trying to set up a cloudfront dist and s3 bucket with terraform. When I run terraform apply it is returning the following error:

  • aws_s3_bucket.app: Error putting S3 logging: InvalidTargetBucketForLogging: You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket

my S3.tf file:

data "aws_iam_policy_document" "s3_policy" {
  policy_id = "PolicyForCloudFrontPrivateContent"

  statement {
    sid       = "1"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.name_env}/*"]

    principals {
      type        = "AWS"
      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
    }
  }
}

resource "aws_s3_bucket" "app" {
  bucket = "${local.name_env}"
  policy = "${data.aws_iam_policy_document.s3_policy.json}"

  logging {
    target_bucket = "${local.logs_bucket}"
    target_prefix = "app-${var.environment}"
  }

  versioning {
    enabled = true
  }

  tags = "${local.tags}"
}
@BMW Thanks for the response. I came across those two resources also. In the first link, I'm unsure which "property field" the final answer is referring to, and the second link is talking about managing it with the java sdk or .net, so I wasn't sure how that applied to my current terraform/cloudformation – user3648969

Realised this feature isn't ready in terraform; the PR is not merged: github.com/terraform-providers/terraform-provider-aws/pull/3757 – BMW

Yeah, my question @ydaetskcoR is how exactly do I add the necessary permissions to allow logging. – user3648969

2 Answers

17
votes

You need to add an acl attribute to your aws_s3_bucket with a value of "log-delivery-write".

resource "aws_s3_bucket" "app" {
  bucket = "${local.name_env}"
  acl = "log-delivery-write"
  ...
}
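An added example, not the answer's own code: the same fix written against the current AWS provider (v4 and later), where `acl` and `logging` moved out of `aws_s3_bucket` into their own resources. The canned `log-delivery-write` ACL is placed on the target (logs) bucket, which is the bucket the error message names, and it only takes effect when object ownership still honours ACLs, so ownership controls are set first. It assumes the `local.name_env`, `local.logs_bucket` and `var.environment` values from the question exist.

```hcl
# Added example (AWS provider >= 4.0); locals/vars are assumed from the question.
resource "aws_s3_bucket" "logs" {
  bucket = local.logs_bucket
}

# Log delivery is a predefined S3 group, not "public", so the standard
# public-access block does not interfere with it.
resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# ACLs are ignored under the default BucketOwnerEnforced setting; the
# canned ACL below needs ownership controls that still evaluate ACLs.
resource "aws_s3_bucket_ownership_controls" "logs" {
  bucket = aws_s3_bucket.logs.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Grants the log-delivery group WRITE and READ_ACP on the *target* bucket,
# which is exactly what the InvalidTargetBucketForLogging error asks for.
resource "aws_s3_bucket_acl" "logs" {
  depends_on = [aws_s3_bucket_ownership_controls.logs]

  bucket = aws_s3_bucket.logs.id
  acl    = "log-delivery-write"
}

resource "aws_s3_bucket" "app" {
  bucket = local.name_env
}

# Logging is now its own resource; ordering after the ACL avoids the same
# error being raised on first apply.
resource "aws_s3_bucket_logging" "app" {
  depends_on = [aws_s3_bucket_acl.logs]

  bucket        = aws_s3_bucket.app.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "app-${var.environment}/"
}
```

After apply, `aws s3api get-bucket-acl --bucket <logs bucket>` should list two grants for `http://acs.amazonaws.com/groups/s3/LogDelivery`, one `WRITE` and one `READ_ACP`, alongside the owner's `FULL_CONTROL`; if the ACL resource fails with "AccessControlListNotSupported", the ownership controls have not been applied yet.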
-1
votes

UPDATE: terraform now supports custom bucket acls natively. What follows is a workaround for older versions where the predefined acls would not suffice.

Here's how to achieve this via terraform using a null resource and the AWS CLI.

resource "aws_s3_bucket" "files_bucket" {
  # ...

  logging {
    target_bucket = "${aws_s3_bucket.logs_bucket.bucket}"
  }

  depends_on = [
    "null_resource.logs_bucket_acl_workaround"
  ]
}


resource "aws_s3_bucket" "logs_bucket" {
  # ...
  acl    = "private"
}


locals {
  put_bucket_acl_cmd = "s3api put-bucket-acl --bucket ${aws_s3_bucket.logs_bucket.bucket} --grant-write 'uri=\"http://acs.amazonaws.com/groups/s3/LogDelivery\"' --grant-read-acp 'uri=\"http://acs.amazonaws.com/groups/s3/LogDelivery\"'"
}

resource "null_resource" "logs_bucket_acl_workaround" {
  # cannot set bucket ACLs via terraform yet
  # https://github.com/terraform-providers/terraform-provider-aws/issues/989
  depends_on = [
    "aws_s3_bucket.logs_bucket",
  ]

  triggers = {
    bucket = "${aws_s3_bucket.logs_bucket.bucket}"
    command = "${local.put_bucket_acl_cmd}"
  }

  provisioner "local-exec" {
    command = "aws ${local.put_bucket_acl_cmd}"
  }
}

Note that ACLs in this way are only added but never removed.
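As an added example (not this answer's code), the ACL-free way to grant log delivery on a current provider, which removes the need for the null_resource and CLI workaround: the logs bucket keeps ACLs disabled (`BucketOwnerEnforced`, the default for new buckets) and the `logging.s3.amazonaws.com` service principal is granted `s3:PutObject` through a bucket policy scoped to the source bucket and account. Bucket names and the log prefix are placeholders.

```hcl
# Added example (AWS provider >= 4.0); bucket names are placeholders.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "logs_bucket" {
  bucket = "example-logs-bucket" # placeholder
}

resource "aws_s3_bucket" "files_bucket" {
  bucket = "example-files-bucket" # placeholder
}

# ACLs stay disabled: every grant on this bucket is expressed in policy,
# so nothing is "added but never removed" outside Terraform's state.
resource "aws_s3_bucket_ownership_controls" "logs_bucket" {
  bucket = aws_s3_bucket.logs_bucket.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_public_access_block" "logs_bucket" {
  bucket                  = aws_s3_bucket.logs_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Only the S3 logging service may write, only under the chosen prefix, and
# only on behalf of this account's files bucket (confused-deputy guard).
data "aws_iam_policy_document" "log_delivery" {
  statement {
    sid       = "S3ServerAccessLogsPolicy"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs_bucket.arn}/files-bucket-logs/*"]

    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.files_bucket.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "logs_bucket" {
  bucket = aws_s3_bucket.logs_bucket.id
  policy = data.aws_iam_policy_document.log_delivery.json
}

# The policy must exist before logging is enabled, otherwise S3 rejects the
# target bucket just as it does when the ACL is missing.
resource "aws_s3_bucket_logging" "files_bucket" {
  depends_on = [aws_s3_bucket_policy.logs_bucket]

  bucket        = aws_s3_bucket.files_bucket.id
  target_bucket = aws_s3_bucket.logs_bucket.id
  target_prefix = "files-bucket-logs/"
}
```

Because the grant is plain policy, `terraform destroy` or a policy edit removes it cleanly, and the `aws:SourceArn` condition means a logs bucket shared by several source buckets needs one statement (or one ARN in the list) per source.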