Fix S3 permissions to allow CloudFront logging #410
Conversation
hectcastro
force-pushed
the
feature/hmc/fix-cloudfront-logs
branch
from
30a1949
to
f237dcb
Compare
| @@ -1,6 +1,6 @@ | |||
| provider "aws" { | |||
| region = var.aws_region | |||
| version = "~> 3.1.0" | |||
| version = "~> 3.6.0" | |||
There was a problem hiding this comment.
I made this change first to see if maybe it was a bug in the provider, but that didn't yield any change in behavior. I kept the change in the PR because no other resources seemed to be impacted by the upgrade.
| @@ -295,3 +295,8 @@ variable "aws_ecs_task_execution_role_policy_arn" { | |||
| default = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" | |||
| type = string | |||
| } | |||
|
|
|||
| variable "aws_cloudfront_canonical_user_id" { | |||
There was a problem hiding this comment.
Unfortunately, there isn't a data resource for this like there is for the aws_canonical_user_id. hashicorp/terraform-provider-aws#12512 exists to add it to the Terraform AWS provider.
There was a problem hiding this comment.
That'd be nice, hope that change gets worked in soon!
|
A heads up @colekettler because this PR doesn't show up on our board and may have slipped through the cracks. |
I think it does, but was hopeful there might be something a bit clearer out there. Thus far, I haven't found it.
I think it very well may be. I opened a few issues in other projects that have similar configurations. It would be better to fix sooner rather than later so that information is available in the event that we need to troubleshoot things. |
hectcastro
force-pushed
the
feature/hmc/fix-cloudfront-logs
branch
from
f237dcb
to
9fcca72
Compare
It appears as though something changed with Terraform's ability to detect out-of-band grants, or perhaps a CloudFront service level change led to different behaviors than before (they recently added real-time logs). When logging to S3 from CloudFront is configured via the AWS console, a specific set of grants that allow CloudFront to interact with an S3 bucket are added. These grants appear to get wiped away by Terraform unless they are explicitly defined in the Terraform configuration. The changes in this PR aim to persist the two grants (one is the AWS canonical user ID, and the other is the CloudFront canonical user ID) in the Terraform project.
hectcastro
force-pushed
the
feature/hmc/fix-cloudfront-logs
branch
from
9fcca72
to
d68719e
Compare
Overview
It appears as though something changed with Terraform's ability to detect out-of-band grants, or perhaps a CloudFront service level change led to different behaviors than before (they recently added real-time logs). That's left us with a handful of CloudFront logs in S3 from May, but nothing between May and now.
When logging to S3 from CloudFront is configured via the AWS console, a specific set of grants that allow CloudFront to interact with an S3 bucket are added. These grants appear to get wiped away by Terraform unless they are explicitly defined in the Terraform configuration.
The changes in this PR aim to persist the two grants (one is the AWS canonical user ID, and the other is the CloudFront canonical user ID) in the Terraform project.
Checklist
CHANGELOG.mdand grouped with similar changes, if possibleTesting Instructions
developand see that 2 grants are being removed from theaws_s3_bucket.logsresourceaws_s3_bucket.logsresource