Open ghost opened 5 years ago
Related: #8654
I had the same error message with aws_config_delivery_channel and it turned out that it was caused by a missing permission in the s3 bucket policy.
Hi henrikpingelallcloud,
Could you share the s3 bucket policy?
I use the same bucket policy which works in Singapore region but not in HK region
Reference :https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
@henrikpingelallcloud Can you please share the modifications to your s3 bucket policy? I'm running into the same issue.
This s3 bucket policy was missing in my case:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow", "Principal": { "Service": [ "config.amazonaws.com" ] }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::${bucket_name}" }, { "Sid": " AWSConfigBucketDelivery", "Effect": "Allow", "Principal": { "Service": [ "config.amazonaws.com" ] }, "Action": "s3:PutObject", "Resource": [ ${aws_config_ressources} ], "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] }
I'm running into the same issue I tried using: https://registry.terraform.io/modules/trussworks/config/aws/latest. When I ran apply I got Error: Creating Delivery Channel failed: InsufficientDeliveryPolicyException: Insufficient delivery policy to s3 bucket: my-aws-logs, unable to write to bucket, provided s3 key prefix is 'config'.
Has anyone been able to get this to work the policy from @henrikpingelallcloud did not work for me.
This example works
resource "aws_config_delivery_channel" "foo" {
name = "example"
s3_bucket_name = aws_s3_bucket.b.bucket
depends_on = [aws_config_configuration_recorder.foo]
}
resource "aws_s3_bucket" "b" {
bucket = "example-awsconfig1234567788"
force_destroy = true
}
resource "aws_config_configuration_recorder" "foo" {
name = "example"
role_arn = aws_iam_role.r.arn
}
resource "aws_iam_role" "r" {
name = "awsconfig-example"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "config.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY
}
resource "aws_iam_role_policy" "p" {
name = "awsconfig-example"
role = aws_iam_role.r.id
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"${aws_s3_bucket.b.arn}",
"${aws_s3_bucket.b.arn}/*"
]
}
]
}
POLICY
}
I would change your code to match this. My guess is that the policy statement isn't being parsed properly. I might look more into this later.
I was getting the error: Creating Delivery Channel failed: InsufficientDeliveryPolicyException: Insufficient delivery policy to s3 bucket: config-recorder-XXXX, unable to write to bucket, provided s3 key prefix is 'null', provided kms key is 'null'.
Similar to @EvanGertis 👍, I did:
resource "aws_iam_service_linked_role" "config_recorder" {
aws_service_name = "config.amazonaws.com"
}
resource "aws_config_configuration_recorder" "config_recorder" {
name = "config-recorder"
role_arn = aws_iam_service_linked_role.config_recorder.arn
recording_group {
include_global_resource_types = true
}
}
resource "aws_config_delivery_channel" "config_recorder_delivery_channel" {
depends_on = [aws_config_configuration_recorder.config_recorder]
name = "config-delivery-channel"
s3_bucket_name = aws_s3_bucket.config_recorder.id
sns_topic_arn = aws_sns_topic.config_recorder.arn
snapshot_delivery_properties {
delivery_frequency = "TwentyFour_Hours"
}
}
resource "aws_s3_bucket" "config_recorder" {
bucket = "config-recorder"
acl = "log-delivery-write"
lifecycle {
prevent_destroy = true
}
lifecycle_rule {
id = "log"
enabled = true
transition {
days = 90
storage_class = "GLACIER"
}
}
}
resource "aws_s3_bucket_policy" "config" {
bucket = aws_s3_bucket.config_recorder.id
policy = data.aws_iam_policy_document.config_recorder.json
}
resource "aws_sns_topic" "config_recorder" {
name = "config-recorder"
}
data "aws_iam_policy_document" "config_recorder" {
statement {
sid = "DenyUnsecuredTransport"
effect = "Allow"
actions = [
"s3:*",
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = [
"true",
]
}
principals {
type = "Service"
identifiers = [aws_iam_service_linked_role.config_recorder.aws_service_name]
}
resources = [
aws_s3_bucket.config_recorder.arn,
"${aws_s3_bucket.config_recorder.arn}/*",
]
}
}
Which worked a treat 💯
For me It was solved by adding s3_bucket_name
in code:
resource "aws_config_delivery_channel" "f" {
name = "config-to-s3"
s3_bucket_name = aws_s3_bucket.s3-for-config.bucket
snapshot_delivery_properties {
delivery_frequency = var.snapshot_frequency
}
depends_on = [aws_config_configuration_recorder.f]
}
I'm still not able to send the AWS Config logs from Account A to an S3 Bucket in Account B.
This is the policy of my S3 Bucket in Account B:
data "aws_iam_policy_document" "config" {
statement {
sid = "AWSConfigBucketPermissionsCheck"
effect = "Allow"
resources = ["${aws_s3_bucket.config.arn}"]
actions = ["s3:GetBucketAcl"]
condition {
test = "StringEquals"
variable = "AWS:SourceAccount"
values = [
"xxxxxxx"
]
}
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
}
statement {
sid = "AWSConfigBucketExistenceCheck"
effect = "Allow"
resources = ["${aws_s3_bucket.config.arn}"]
actions = ["s3:ListBucket"]
condition {
test = "StringEquals"
variable = "AWS:SourceAccount"
values = [
"xxxxxxx"
]
}
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
}
statement {
sid = "AWSConfigBucketDelivery"
effect = "Allow"
resources = [
format("%s/AWSLogs/ACCOUNT_ID/Config/*}", aws_s3_bucket.config.arn)
]
actions = ["s3:PutObject", "s3:PutObjectACL"]
condition {
test = "StringEquals"
variable = "AWS:SourceAccount"
values = [
xxxxx
]
}
condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
}
}
And this is the policy of the IAM Role used by AWS Config in Account A:
data "aws_iam_policy_document" "this" {
statement {
effect = "Allow"
actions = ["s3:PutObject", "s3:PutObjectAcl"]
resources = [
format("arn:aws:s3:::%s/AWSLogs/%s/*", var.aws_config_s3_bucket_name, data.aws_caller_identity.current.account_id)
]
condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}
}
statement {
effect = "Allow"
actions = ["s3:GetBucketAcl"]
resources = [
format("arn:aws:s3:::%s", var.aws_config_s3_bucket_name)
]
}
statement {
effect = "Allow"
actions = ["s3:ListBucket"]
resources = [
format("arn:aws:s3:::%s", var.aws_config_s3_bucket_name)
]
}
}
The error that I get from Cloudtrail logs is always InsufficientDeliveryPolicyException
. Any hints?
Thanks
This issue was originally opened by @stsraymond as hashicorp/terraform#21325. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform Configuration Files
Debug Output
Crash Output