attach_lb_log_delivery_policy Does Not Include aws:SourceAccount and aws:SourceArn Checks #324

Open
@stewartcampbell

Description

When using attach_lb_log_delivery_policy, the full policy shown at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/enable-access-logs.html is not used.

The conditions specifying aws:SourceAccount and aws:SourceArn are not included.

See the module's `data "aws_iam_policy_document" "lb_log_delivery" {` block.

I see we can lock down a bit more using lb_log_delivery_policy_source_organizations, however ideally, we should be able to lock down to a single or multiple accounts.

Is this intentional? Or is it a missing variable that could be added, e.g., lb_log_delivery_policy_source_accounts?

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: latest

  • Terraform version: latest

  • Provider version(s): latest

Reproduction Code [Required]

See above

Expected behavior

We should be able to enforce only allowing logs from a single or multiple accounts.

Actual behavior

Terminal Output Screenshot(s)

Additional context
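
As an added illustration of the gap this issue describes (not code from the terraform-aws-s3-bucket module or from the issue author), the script below compares two constructed bucket policies and flags log-delivery statements that lack the aws:SourceAccount and aws:SourceArn conditions. WEAK_POLICY mirrors the shape of a policy that trusts delivery.logs.amazonaws.com without source conditions; HARDENED_POLICY follows the shape of the policy in the AWS NLB access-log documentation linked above. The account id, region and bucket name are placeholders, and the check applies to any Allow statement for that service principal, not only the two statements shown.

```python
"""Flag S3 bucket-policy statements that let delivery.logs.amazonaws.com
write without aws:SourceAccount / aws:SourceArn conditions (added example)."""
import json

LOG_DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"
# Condition keys that pin the log source to a specific account and ARN.
REQUIRED_KEYS = ("aws:SourceAccount", "aws:SourceArn")

# Constructed placeholder values, not real identifiers.
ACCOUNT = "111111111111"
REGION = "eu-west-1"
BUCKET = "example-lb-logs-bucket"
SOURCE_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:*"

# Shape of a policy without source conditions: any account in the
# partition could have the log-delivery service write into this bucket.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}

# Shape of the documented policy: both statements carry the source conditions.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringEquals": {"aws:SourceAccount": [ACCOUNT]},
                       "ArnLike": {"aws:SourceArn": [SOURCE_ARN]}}},
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"aws:SourceAccount": [ACCOUNT],
                                        "s3:x-amz-acl": "bucket-owner-full-control"},
                       "ArnLike": {"aws:SourceArn": [SOURCE_ARN]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_services(statement):
    """Service principals named in the statement ('*' and AWS principals yield none)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return []
    return _as_list(principal.get("Service", []))


def _condition_keys(statement):
    """All condition keys, lower-cased because IAM matches key names case-insensitively."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def missing_source_conditions(policy):
    """Return [(Sid, [missing keys])] for every Allow statement granting the
    log-delivery service principal without both required condition keys."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if LOG_DELIVERY_PRINCIPAL not in _principal_services(statement):
            continue
        present = _condition_keys(statement)
        missing = [k for k in REQUIRED_KEYS if k.lower() not in present]
        if missing:
            findings.append((statement.get("Sid", f"Statement[{index}]"), missing))
    return findings


def check_policy_json(text):
    """Same check over a policy document as returned by get-bucket-policy."""
    return missing_source_conditions(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, missing_source_conditions(policy) or "ok")
```

The check reports only the log-delivery statements, so it can be run over the output of `aws s3api get-bucket-policy` for a bucket managed by the module to confirm whether the conditions are present after the module is applied.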

Activity

github-actions

github-actions commented on May 25, 2025

@github-actions

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

stewartcampbell

stewartcampbell commented on May 26, 2025

@stewartcampbell
Author

Not stale. I'm happy to contribute a PR but need guidance first from a maintainer on what the required approach would be.

A commit referencing this issue was added on Jun 9, 2025: 4570fd3
github-actions

github-actions commented on Jun 26, 2025

@github-actions

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

stewartcampbell

stewartcampbell commented on Jun 26, 2025

@stewartcampbell
Author

@antonbabenko any feedback on this? I am happy to create PR but need some guidance from you guys.

antonbabenko

antonbabenko commented on Jun 26, 2025

@antonbabenko
Member

@stewartcampbell Bryant has already left a review on PR #330. Please improve that PR.

        attach_lb_log_delivery_policy Does Not Include aws:SourceAccount and aws:SourceArn Checks · Issue #324 · terraform-aws-modules/terraform-aws-s3-bucket