Addding more permissions to ELB to write logs to S3

thisisqubika · Apr 10, 2024 · da63315 · da63315
1 parent 8ad5d8c
commit da63315
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 39 deletions.
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -113,7 +113,7 @@ resource "aws_lb" "vectorstore_nlb" {
 
   access_logs {
     bucket  = module.alb_logging.bucket_name
-    prefix  = "logs"
+    prefix  = "logs/AWSLogs" // The prefix goes here
     enabled = true
   }
 

diff --git a/terraform/modules/alb_logging/main.tf b/terraform/modules/alb_logging/main.tf
@@ -1,52 +1,23 @@
-# resource "aws_s3_bucket" "logging_bucket" {
-#   bucket = var.bucket_name
-# }
-
-# resource "aws_s3_bucket_server_side_encryption_configuration" "logging_bucket_encryption" {
-#   bucket = aws_s3_bucket.logging_bucket.id
-
-#   rule {
-#     apply_server_side_encryption_by_default {
-#       sse_algorithm = "AES256"
-#     }
-#   }
-# }
-
-
-
-# data "aws_iam_policy_document" "bucket_policy" {
-#  statement {
-#     actions   = ["s3:PutObject"]
-#     resources = ["${aws_s3_bucket.logging_bucket.arn}/*"]
-
-#     principals {
-#       type        = "AWS"
-#       identifiers = ["arn:aws:iam::127311923021:root"] // ELB service account for US East (N. Virginia)
-#     }
-#  }
-
-#  // Add any additional statements here if needed
-# }
-
-# resource "aws_s3_bucket_policy" "logging_bucket_policy" {
-#  bucket = aws_s3_bucket.logging_bucket.id
-#  policy = data.aws_iam_policy_document.bucket_policy.json
-# }
-
 resource "aws_s3_bucket" "logging_bucket" {
  bucket = var.bucket_name
 }
 
 data "aws_iam_policy_document" "bucket_policy" {
  statement {
-    actions   = ["s3:PutObject"]
+    actions   = ["s3:*"]
     resources = ["${aws_s3_bucket.logging_bucket.arn}/*"]
 
+    # principals {
+    #   type        = "AWS"
+    #   identifiers = ["arn:aws:iam::127311923021:root"] // ELB service account for US East (N. Virginia)
+    # }
+
     principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::127311923021:root"] // ELB service account for US East (N. Virginia)
+    type        = "Service"
+    identifiers = ["elasticloadbalancing.amazonaws.com"]
     }
 
+
     condition {
       test     = "Null"
       variable = "s3:x-amz-server-side-encryption"

diff --git a/terraform/modules/alb_logging/variables.tf b/terraform/modules/alb_logging/variables.tf
@@ -3,3 +3,18 @@ variable "bucket_name" {
   type        = string
   default     = "milvus-api-alb-logs" 
 }
+
+
+# Define other variables expected by the module here. For example:
+
+ variable "region" {
+   description = "The AWS region where logs will be stored."
+   type        = string
+   default     = "us-east-1"
+ }
+
+ variable "alb_log_prefix" {
+   description = "The prefix for ALB log files."
+   type        = string
+   default     = "logs/AWSLogs/"
+ }
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -25,3 +25,5 @@ variable "key_name" {
   # No default provided; should be specified at runtime or via terraform.tfvars for security reasons
 }
 
+
+
Original file line number	Diff line number	Diff line change
Expand Up		@@ -25,3 +25,5 @@ variable "key_name" {
		# No default provided; should be specified at runtime or via terraform.tfvars for security reasons
		}