terraform-aws-modules / terraform-aws-datadog-forwarders

Terraform module to create resources on AWS to forward logs/metrics to Datadog 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/datadog-forwarders/aws
Apache License 2.0

fix: Access denied from forwarder when using s3_log_bucket_arns #20

Closed lukedoesinfra closed 2 years ago

lukedoesinfra commented 2 years ago

Description

The Lambda forwarder needs permissions to GetObject inside the bucket, much like the Datadog S3 bucket.

Motivation and Context

While leveraging the s3_log_bucket_arns variable, we get an Access Denied error from the Lambda log forwarder due to the lack of permissions.

An error occurred (AccessDenied) when calling the GetObject operation.

Breaking Changes

None.

How Has This Been Tested?

> jsonencode(concat(formatlist("%s/*", ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-log-bucket"]), ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-log-bucket"]))
"[\"arn:aws:s3:::example-bucket/*\",\"arn:aws:s3:::example-log-bucket/*\",\"arn:aws:s3:::example-bucket\",\"arn:aws:s3:::example-log-bucket\"]"

I'll try and get time to complete the below soon
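
An added example, not part of the pull request or the module's code: a small pre-deploy check showing why `s3:GetObject` is denied when a statement lists only bucket ARNs, and why the `/*` entries from the `terraform console` output above resolve it. The bucket-only "before" list, the statement shape and the sample object key are constructed for illustration; evaluation is simplified to a single Allow statement with `*`/`?` wildcards (no Deny, conditions or bucket policies).

```python
import json
import re

# Resource list copied from the terraform console output in the PR description.
PATCHED = json.loads('["arn:aws:s3:::example-bucket/*","arn:aws:s3:::example-log-bucket/*",'
                     '"arn:aws:s3:::example-bucket","arn:aws:s3:::example-log-bucket"]')
# Constructed "before" case: bucket ARNs only, no object-level entries.
BUCKET_ONLY = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-log-bucket"]


def arn_matches(pattern, arn):
    """IAM-style match: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn, flags=re.DOTALL) is not None


def statement(resources, actions=("s3:GetObject",)):
    """Build a constructed Allow statement; the module's real policy is not shown on the page."""
    return {"Effect": "Allow", "Action": list(actions), "Resource": list(resources)}


def allows(stmt, action, arn):
    """True when an Allow statement covers `action` on `arn` (simplified evaluation)."""
    if stmt["Effect"] != "Allow":
        return False
    # Action names are case-insensitive; resource ARNs are matched case-sensitively.
    action_ok = any(arn_matches(a.lower(), action.lower()) for a in stmt["Action"])
    return action_ok and any(arn_matches(r, arn) for r in stmt["Resource"])


def unreachable_buckets(stmt, bucket_arns, sample_key="AWSLogs/sample.log.gz"):
    """Return the buckets whose objects the statement cannot read with s3:GetObject."""
    return [b for b in bucket_arns if not allows(stmt, "s3:GetObject", f"{b}/{sample_key}")]


if __name__ == "__main__":
    for name, res in (("bucket-only", BUCKET_ONLY), ("patched", PATCHED)):
        print(name, "->", unreachable_buckets(statement(res), BUCKET_ONLY) or "all readable")
```

`s3:GetObject` is evaluated against the object ARN (`bucket/key`), so the bare bucket ARNs in the patched list only matter for bucket-level actions.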

github-actions[bot] commented 1 year ago

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.