New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix S3 permissions to allow CloudFront logging #410
Conversation
30a1949
to
f237dcb
Compare
@@ -1,6 +1,6 @@ | |||
provider "aws" { | |||
region = var.aws_region | |||
version = "~> 3.1.0" | |||
version = "~> 3.6.0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made this change first to see if maybe it was a bug in the provider, but that didn't yield any change in behavior. I kept the change in the PR because no other resources seemed to be impacted by the upgrade.
@@ -295,3 +295,8 @@ variable "aws_ecs_task_execution_role_policy_arn" { | |||
default = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" | |||
type = string | |||
} | |||
|
|||
variable "aws_cloudfront_canonical_user_id" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, there isn't a data resource for this like there is for the aws_canonical_user_id
. hashicorp/terraform-provider-aws#12512 exists to add it to the Terraform AWS provider.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That'd be nice, hope that change gets worked in soon!
A heads up @colekettler because this PR doesn't show up on our board and may have slipped through the cracks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wow, that's a subtle one. Looks like this fix works!
I feel like this should become part of our standard CloudFront config. Is it possible that this could be happening in other projects and we haven't noticed yet?
I think it does, but was hopeful there might be something a bit clearer out there. Thus far, I haven't found it.
I think it very well may be. I opened a few issues in other projects that have similar configurations. It would be better to fix sooner rather than later so that information is available in the event that we need to troubleshoot things. |
f237dcb
to
9fcca72
Compare
It appears as though something changed with Terraform's ability to detect out-of-band grants, or perhaps a CloudFront service level change led to different behaviors than before (they recently added real-time logs). When logging to S3 from CloudFront is configured via the AWS console, a specific set of grants that allow CloudFront to interact with an S3 bucket are added. These grants appear to get wiped away by Terraform unless they are explicitly defined in the Terraform configuration. The changes in this PR aim to persist the two grants (one is the AWS canonical user ID, and the other is the CloudFront canonical user ID) in the Terraform project.
9fcca72
to
d68719e
Compare
Overview
It appears as though something changed with Terraform's ability to detect out-of-band grants, or perhaps a CloudFront service level change led to different behaviors than before (they recently added real-time logs). That's left us with a handful of CloudFront logs in S3 from May, but nothing between May and now.
When logging to S3 from CloudFront is configured via the AWS console, a specific set of grants that allow CloudFront to interact with an S3 bucket are added. These grants appear to get wiped away by Terraform unless they are explicitly defined in the Terraform configuration.
The changes in this PR aim to persist the two grants (one is the AWS canonical user ID, and the other is the CloudFront canonical user ID) in the Terraform project.
Checklist
CHANGELOG.md
and grouped with similar changes, if possibleTesting Instructions
develop
and see that 2 grants are being removed from theaws_s3_bucket.logs
resourceaws_s3_bucket.logs
resource