fix: Fixed ELB log delivery policy for old and new regions (#219)

terraform-aws-modules · Mar 10, 2023 · 3c094b3 · 3c094b3
1 parent cc34d1d
commit 3c094b3
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -155,13 +155,13 @@ No modules.
 | [aws_s3_bucket_website_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_canonical_user_id.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
-| [aws_elb_service_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
 | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deny_insecure_transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.elb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.inventory_and_analytics_destination_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.require_latest_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -13,7 +13,6 @@ locals {
   region      = "eu-west-1"
 }
 
-
 data "aws_caller_identity" "current" {}
 
 data "aws_canonical_user_id" "current" {}

diff --git a/main.tf b/main.tf
@@ -1,3 +1,5 @@
+data "aws_region" "current" {}
+
 data "aws_canonical_user_id" "this" {}
 
 data "aws_caller_identity" "current" {}
@@ -527,31 +529,61 @@ data "aws_iam_policy_document" "combined" {
 }
 
 # AWS Load Balancer access log delivery policy
-data "aws_elb_service_account" "this" {
-  count = local.create_bucket && var.attach_elb_log_delivery_policy ? 1 : 0
+locals {
+  # List of AWS regions where permissions should be granted to the specified Elastic Load Balancing account ID ( https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy )
+  elb_service_accounts = {
+    us-east-1      = "127311923021"
+    us-east-2      = "033677994240"
+    us-west-1      = "027434742980"
+    us-west-2      = "797873946194"
+    af-south-1     = "098369216593"
+    ap-east-1      = "754344448648"
+    ap-south-1     = "718504428378"
+    ap-northeast-1 = "582318560864"
+    ap-northeast-2 = "600734575887"
+    ap-northeast-3 = "383597477331"
+    ap-southeast-1 = "114774131450"
+    ap-southeast-2 = "783225319266"
+    ap-southeast-3 = "589379963580"
+    ca-central-1   = "985666609251"
+    eu-central-1   = "054676820928"
+    eu-west-1      = "156460612806"
+    eu-west-2      = "652711504416"
+    eu-west-3      = "009996457667"
+    eu-south-1     = "635631232127"
+    eu-north-1     = "897822967062"
+    me-south-1     = "076674570225"
+    sa-east-1      = "507241528517"
+    us-gov-west-1  = "048591011584"
+    us-gov-east-1  = "190560391635"
+  }
 }
 
 data "aws_iam_policy_document" "elb_log_delivery" {
   count = local.create_bucket && var.attach_elb_log_delivery_policy ? 1 : 0
 
   # Policy for AWS Regions created before August 2022 (e.g. US East (N. Virginia), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Ireland))
-  statement {
-    sid = ""
+  dynamic "statement" {
+    for_each = { for k, v in local.elb_service_accounts : k => v if k == data.aws_region.current.name }
 
-    principals {
-      type        = "AWS"
-      identifiers = data.aws_elb_service_account.this[*].arn
-    }
+    content {
+      sid = format("ELBRegion%s", title(statement.key))
 
-    effect = "Allow"
+      principals {
+        type        = "AWS"
+        identifiers = [format("arn:aws:iam::%s:root", statement.value)]
+      }
 
-    actions = [
-      "s3:PutObject",
-    ]
+      effect = "Allow"
 
-    resources = [
-      "${aws_s3_bucket.this[0].arn}/*",
-    ]
+      actions = [
+        "s3:PutObject",
+      ]
+
+      resources = [
+        "${aws_s3_bucket.this[0].arn}/*",
+      ]
+    }
   }
 
   # Policy for AWS Regions created after August 2022 (e.g. Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich), Middle East (UAE))
@@ -576,7 +608,6 @@ data "aws_iam_policy_document" "elb_log_delivery" {
 }
 
 # ALB/NLB
-
 data "aws_iam_policy_document" "lb_log_delivery" {
   count = local.create_bucket && var.attach_lb_log_delivery_policy ? 1 : 0