cloudposse / terraform-aws-alb

Terraform module to provision a standard ALB for HTTP/HTTP traffic
https://cloudposse.com/accelerate
Apache License 2.0

Access log bucket name truncation inconsistency #185

Open correnarsprowls opened 3 weeks ago

correnarsprowls commented 3 weeks ago

Describe the Bug

When using this module and having it create an access log bucket, if you use a module.app_label.id that is too long (in this case it was 48 characters) then it will truncate the access log bucket name. But the usage of this truncated name is inconsistent. The issue that we have run into is with the bucket policy. In the ForceSSLOnlyAccess statement it is using the truncated/correct bucket name. In the other three statements it is using a non-truncated version of the bucket name that doesn't exist.

Expected Behavior

The correct bucket name gets used everywhere

Steps to Reproduce

Use this module with an app label ID with a length of 48 characters or above and let it create an access log bucket for you.

Screenshots

resource "aws_s3_bucket_policy" "default" {
  + bucket = "root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98"
  + id     = (known after apply)
  + policy = jsonencode(
        {
          + Statement = [
              + {
                  + Action    = "s3:*"
                  + Condition = {
                      + Bool = {
                          + "aws:SecureTransport" = "false"
                        }
                    }
                  + Effect    = "Deny"
                  + Principal = "*"
                  + Resource  = [
                      + "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98/*",
                      + "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98",
                    ]
                  + Sid       = "ForceSSLOnlyAccess"
                },
              + {
                  + Action    = "s3:PutObject"
                  + Effect    = "Allow"
                  + Principal = {
                      + AWS = "arn:aws:iam::XXXXXXXXXXXX:root"
                    }
                  + Resource  = "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-access-logs/*"
                },
              + {
                  + Action    = "s3:PutObject"
                  + Condition = {
                      + StringEquals = {
                          + "s3:x-amz-acl" = "bucket-owner-full-control"
                        }
                    }
                  + Effect    = "Allow"
                  + Principal = {
                      + Service = "delivery.logs.amazonaws.com"
                    }
                  + Resource  = "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-access-logs/*"
                },
              + {
                  + Action    = "s3:GetBucketAcl"
                  + Effect    = "Allow"
                  + Principal = {
                      + Service = "delivery.logs.amazonaws.com"
                    }
                  + Resource  = "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-access-logs"
                },
            ]
          + Version   = "2012-10-17"
        }
    )
}

Trying to add the above policy results in the following error

│ Error: putting S3 Bucket (root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98) Policy: operation error S3: PutBucketPolicy, https response error StatusCode: 400, RequestID: x, HostID: x, api error MalformedPolicy: Policy has invalid resource

Environment

module version: 1.11.1

Additional Context

No response
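A pre-apply check for the class of defect reported above, written here as an added example (it is not code from the cloudposse module or from the issue author). It takes an S3 bucket policy together with the bucket it is attached to and reports every Resource ARN that is scoped to some other bucket; a second helper runs the same check over the `resource_changes` list of `terraform show -json <planfile>` output so it can gate a CI pipeline before `terraform apply`. The policy below is reconstructed from the plan output in the issue (the account id `XXXXXXXXXXXX` is the redacted value from the page); the minimal plan JSON is constructed for the example.

```python
import json
import re

# Constructed from the plan output in the issue: the truncated name the policy is
# attached to, and the untruncated name that three statements still reference.
BUCKET = "root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98"
UNTRUNCATED = "root-us-east-2-production-app111-rails-project-4-alb-access-logs"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ForceSSLOnlyAccess", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:root"},  # redacted in the issue
         "Resource": f"arn:aws:s3:::{UNTRUNCATED}/*"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Principal": {"Service": "delivery.logs.amazonaws.com"},
         "Resource": f"arn:aws:s3:::{UNTRUNCATED}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Effect": "Allow", "Action": "s3:GetBucketAcl",
         "Principal": {"Service": "delivery.logs.amazonaws.com"},
         "Resource": f"arn:aws:s3:::{UNTRUNCATED}"},
    ],
}

# arn:aws:s3:::<bucket> or arn:aws:s3:::<bucket>/<key-pattern>
S3_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)(?P<key>/.*)?$")


def statement_resources(stmt):
    """Resource may be a single string or a list; normalise to a list."""
    res = stmt.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def mismatched_resources(policy, bucket):
    """Return (statement label, ARN) for every Resource not scoped to `bucket`.

    A bucket policy may only name the bucket it is attached to; S3 rejects
    anything else with MalformedPolicy, which is the error seen in the issue.
    """
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        label = stmt.get("Sid", f"Statement[{i}]")
        for arn in statement_resources(stmt):
            m = S3_ARN.match(arn)
            if m is None or m.group("bucket") != bucket:
                problems.append((label, arn))
    return problems


def check_plan(plan):
    """Run mismatched_resources over every aws_s3_bucket_policy in a
    `terraform show -json` plan. Returns {address: [(label, arn), ...]} for
    resources with at least one mismatch; resources whose policy is not yet
    known (computed after apply) or that are being destroyed are skipped."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_bucket_policy":
            continue
        after = rc.get("change", {}).get("after") or {}
        if "bucket" not in after or "policy" not in after:
            continue
        policy = after["policy"]
        if isinstance(policy, str):  # the provider stores the document as a JSON string
            policy = json.loads(policy)
        bad = mismatched_resources(policy, after["bucket"])
        if bad:
            findings[rc.get("address", "?")] = bad
    return findings


# Constructed minimal plan JSON in the shape `terraform show -json` emits.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "module.alb.aws_s3_bucket_policy.default",
         "type": "aws_s3_bucket_policy",
         "change": {"actions": ["create"],
                    "after": {"bucket": BUCKET, "policy": json.dumps(POLICY)}}}
    ]
}

if __name__ == "__main__":
    for address, bad in check_plan(SAMPLE_PLAN).items():
        print(address)
        for label, arn in bad:
            print(f"  {label}: {arn}")
```

Run it as `terraform show -json tfplan | python3 check.py` after swapping `SAMPLE_PLAN` for `json.load(sys.stdin)`; with the policy from this issue it flags the three untruncated `...-alb-access-logs` ARNs and leaves ForceSSLOnlyAccess alone, which is exactly the inconsistency the report describes.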