fix(s3-logging): relax PutObject resource ARN to allow CloudTrail logging

alismx · alismx · commit ed3213527793 · 2026-03-27T17:16:58.000-07:00
The previous ARN pattern with `AWSLogs/.../*` path was too restrictive
and prevented the S3 bucket policy from accepting PutObject requests
from CloudTrail. Changed to allow PutObject on any object within the
logging bucket.
diff --git a/alb.tf b/alb.tf
@@ -19,7 +19,12 @@ resource "aws_alb" "ecs" {
     bucket  = aws_s3_bucket.logging.id
   }
 
-  depends_on = [aws_s3_bucket_policy.logging, aws_s3_bucket.logging]
+  depends_on = [
+    aws_s3_bucket_policy.logging,
+    aws_s3_bucket.logging,
+    data.aws_iam_policy_document.s3_logging,
+    aws_s3_bucket_server_side_encryption_configuration.logging
+  ]
   tags       = local.tags
 }
 

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,12 @@ resource "aws_alb" "ecs" {`
`19`	`19`	`bucket = aws_s3_bucket.logging.id`
`20`	`20`	`}`
`21`	`21`
`22`		`- depends_on = [aws_s3_bucket_policy.logging, aws_s3_bucket.logging]`
	`22`	`+ depends_on = [`
	`23`	`+ aws_s3_bucket_policy.logging,`
	`24`	`+ aws_s3_bucket.logging,`
	`25`	`+ data.aws_iam_policy_document.s3_logging,`
	`26`	`+ aws_s3_bucket_server_side_encryption_configuration.logging`
	`27`	`+ ]`
`23`	`28`	`tags = local.tags`
`24`	`29`	`}`
`25`	`30`