fix: Add China regions to elb_service_accounts

bohnjamin commented 11 months ago

Description

Fixes ELB log delivery in AWS China regions

Motivation and Context

In release 3.8.2, a fix was made to support newer AWS regions which use a different log delivery policy: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/commit/3c094b32333a177a07477c4079ef3bd8cc56eea8

The method of the fix is essentially "if the old region exists in this list, use the old way, otherwise use the new way". Unfortunately, the China regions were left out of this list, so this module treats them as though they're new regions, and sets the Principal to Service": "logdelivery.elasticloadbalancing.amazonaws.com, when it should be the old format: "AWS": "arn:aws-cn:iam::638102146993:root" (example given is for cn-north-1)

Documentation here describes regions excluding China: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy

China regions are included here: https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy

Breaking Changes

No, simply adds China regions to existing list

How Has This Been Tested?

[x] I have updated at least one of the examples/* to demonstrate and validate my change(s) Added examples/china-log-bucket-failure, which is similar to the complete example with some stuff removed for clarity.
[x] I have tested and validated these changes using one or more of the provided examples/* projects

This is a very simple change. I tried to create an S3 bucket with ELB log permissions and get this error: failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: test-bucket-cn-elb-logs-cn-north-1. Please check S3bucket permission I then changed the module source to my branch in github:

#  source  = "terraform-aws-modules/s3-bucket/aws"
#  version = "3.15.1"
  source = "git::https://github.com/bohnjamin/terraform-aws-s3-bucket.git?ref=add-china-regions"

and the bucket is deployed as expected

[x] I have executed pre-commit run -a on my pull request

$ pre-commit run -a
Terraform fmt............................................................Passed
Terraform wrapper with for_each in module................................Passed
Terraform validate.......................................................Passed
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
check for merge conflicts................................................Passed
fix end of files.........................................................Passed

github-actions[bot] commented 10 months ago

This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days

antonbabenko commented 10 months ago

Thank you, @bohnjamin ! CI will be fixed in #268. It will be a major release.

antonbabenko commented 10 months ago

This PR is included in version 3.15.2 :tada:

github-actions[bot] commented 9 months ago

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

terraform-aws-modules / terraform-aws-s3-bucket