DEV Community

Atsushi Suzuki

Enabling Access Logs for AWS ELB (ALB) with Terraform

While attempting to enable access logs for an Application Load Balancer (ALB) in AWS, I encountered a permissions error due to insufficient S3 bucket permissions. The error highlighted the need for proper bucket policy settings, which I had initially overlooked.

│ Error: modifying ELBv2 Load Balancer (arn:aws:elasticloadbalancing:ap-northeast-1:************:loadbalancer/app/alb-prod/fbbd3f2304ff9285) attributes: InvalidConfigurationRequest: Access Denied for bucket: logs-prod. Please check S3 bucket permission

Upon reviewing the official documentation, I realized that I had missed configuring the bucket policy.

Official AWS Documentation on Enabling Access Logging

Here's how I resolved the error using Terraform, which might be helpful if you encounter a similar issue.

S3 Bucket Setup

I used the bucket name logs-prod and the prefix alb/alb-prod. 582318560864 is the account ID of the ELB service in ap-northeast-1 (Tokyo); every region has its own ID, listed in the documentation linked above. Replace <account-id> with your own AWS account ID. Note that ELB writes objects under <prefix>/AWSLogs/<account-id>/, so the Resource in the policy must include the prefix configured on the ALB; a policy that only covers logs-prod/AWSLogs/<account-id>/* does not match the prefixed path and delivery is denied.

resource "aws_s3_bucket" "logs_prod" {
  bucket = "logs-prod"

  tags = {
    Environment = "prod"
  }
}

# The ELB service writes from a region-specific AWS account, so the bucket
# policy grants s3:PutObject to that account's root principal, scoped to the
# path the ALB will actually write under: <prefix>/AWSLogs/<account-id>/.
resource "aws_s3_bucket_policy" "logs_prod_policy" {
  bucket = aws_s3_bucket.logs_prod.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::582318560864:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::logs-prod/alb/alb-prod/AWSLogs/<account-id>/*"
    }
  ]
}
POLICY
}

ALB Configuration

I added an access_logs block to the ALB resource to enable logging and set the bucket name and prefix. The bucket and prefix here must match the Resource path granted in the bucket policy, and the policy has to exist before the ALB attribute is modified, otherwise the apply fails with the Access Denied error shown above.

resource "aws_lb" "alb_prod" {
  name                       = "alb-prod"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [var.security_group_elb_sg_id]
  subnets                    = [var.subnet_public_1a_id, var.subnet_public_1c_id]
  enable_deletion_protection = true
  preserve_host_header       = true

  # Bucket and prefix must match the Resource in the bucket policy:
  # logs land under alb/alb-prod/AWSLogs/<account-id>/.
  access_logs {
    enabled = true
    bucket  = aws_s3_bucket.logs_prod.id
    prefix  = "alb/alb-prod"
  }

  # Referencing the bucket creates no dependency on the bucket policy, so
  # Terraform may enable logging before the policy is attached and hit
  # "Access Denied for bucket". Make the ordering explicit.
  depends_on = [aws_s3_bucket_policy.logs_prod_policy]

  tags = {
    Environment = "prod"
  }
}

With the bucket policy attached and the ALB pointed at the same bucket and prefix, the ELB service account can write to the log path and the Access Denied error no longer occurs on apply. Two checks worth doing before the first apply: confirm the bucket policy's Resource contains the exact prefix you set on the ALB, and make sure the bucket is encrypted with SSE-S3 (or not at all), because ALB access logs cannot be delivered to a bucket that requires SSE-KMS.
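As an added example (not part of the original post), the following Python builds the same bucket policy from the bucket name, prefix and account IDs, derives the object path the ALB will write under (including the no-prefix case), and checks an existing bucket policy, as returned by `aws s3api get-bucket-policy`, for an Allow that covers that path before you enable the attribute. The account ID 123456789012 and the "bad" policy are constructed for the example; 582318560864 is the Tokyo ELB account from the post. It evaluates Allow statements only (no Deny, no Conditions), so it is a pre-flight sanity check, not an IAM simulator.

```python
import json
import re
from typing import Any, Optional

# ELB log-delivery account for ap-northeast-1 (Tokyo), from the post.
# Every region has its own ID; take it from the AWS access-logging docs.
ELB_ACCOUNT_TOKYO = "582318560864"

# Bucket owner's account ID: a placeholder assumed for this example.
MY_ACCOUNT = "123456789012"


def log_object_arn_pattern(bucket: str, prefix: Optional[str], account_id: str) -> str:
    """ARN pattern covering every object the ALB will write.

    ELB stores logs at <bucket>/<prefix>/AWSLogs/<account-id>/...; with no
    prefix configured the path starts directly at <bucket>/AWSLogs/<account-id>/.
    """
    clean = (prefix or "").strip("/")
    key = f"{clean}/AWSLogs/{account_id}/*" if clean else f"AWSLogs/{account_id}/*"
    return f"arn:aws:s3:::{bucket}/{key}"


def build_bucket_policy(bucket: str, prefix: Optional[str],
                        account_id: str, elb_account_id: str) -> dict:
    """The single statement the ALB needs: PutObject for the regional ELB account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{elb_account_id}:root"},
            "Action": "s3:PutObject",
            "Resource": log_object_arn_pattern(bucket, prefix, account_id),
        }],
    }


def _as_list(value: Any) -> list:
    """IAM allows a string or a list in Action, Resource and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, target: str) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, target) is not None


def _principal_covers(principal: Any, elb_account_id: str) -> bool:
    """True if the statement's Principal includes the ELB account (or everyone)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    accepted = {f"arn:aws:iam::{elb_account_id}:root", elb_account_id, "*"}
    return any(p in accepted for p in _as_list(principal.get("AWS", [])))


def policy_allows_elb_put(policy: dict, bucket: str, prefix: Optional[str],
                          account_id: str, elb_account_id: str) -> bool:
    """Does some Allow statement let the ELB account PutObject under the log path?"""
    # A representative key the ALB would write; the pattern ends in "/*".
    sample_key = log_object_arn_pattern(bucket, prefix, account_id)[:-1] + "sample.log.gz"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(_wildcard_match(a, "s3:putobject") for a in actions):
            continue
        if not _principal_covers(stmt.get("Principal"), elb_account_id):
            continue
        if any(_wildcard_match(r, sample_key) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


# Constructed: the post's policy with the account placeholder filled in.
GOOD_POLICY = build_bucket_policy("logs-prod", "alb/alb-prod", MY_ACCOUNT, ELB_ACCOUNT_TOKYO)

# Constructed: the common mistake behind "Access Denied for bucket": the
# Resource omits the alb/alb-prod prefix configured on the ALB.
BAD_POLICY = json.loads(f"""{{
  "Version": "2012-10-17",
  "Statement": [{{
    "Effect": "Allow",
    "Principal": {{"AWS": "arn:aws:iam::{ELB_ACCOUNT_TOKYO}:root"}},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::logs-prod/AWSLogs/{MY_ACCOUNT}/*"
  }}]
}}""")


def check_examples() -> tuple:
    """(result for the post's policy, result for the prefix-less policy)."""
    args = ("logs-prod", "alb/alb-prod", MY_ACCOUNT, ELB_ACCOUNT_TOKYO)
    return policy_allows_elb_put(GOOD_POLICY, *args), policy_allows_elb_put(BAD_POLICY, *args)


if __name__ == "__main__":
    print(json.dumps(GOOD_POLICY, indent=2))
    good, bad = check_examples()
    print("post's policy allows delivery:", good)
    print("policy without the prefix allows delivery:", bad)
```

To run it against a real bucket, load the JSON string from the `Policy` field of `aws s3api get-bucket-policy --bucket logs-prod` into `policy_allows_elb_put` with your own account ID and the ELB account for your region; a `False` here is the same mismatch the Terraform error reports.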
