
Access log bucket name truncation inconsistency  #185

Open
@correnarsprowls

Description


Describe the Bug

When using this module and having it create an access log bucket, if you use a module.app_label.id that is too long (in this case it was 48 characters) then it will truncate the access log bucket name. But the usage of this truncated name is inconsistent. The issue that we have run into is with the bucket policy. In the ForceSSLOnlyAccess statement it is using the truncated/correct bucket name. In the other three statements it is using a non-truncated version of the bucket name that doesn't exist.

Expected Behavior

The correct bucket name gets used everywhere

Steps to Reproduce

Use this module with an app label ID with a length of 48 characters or above and let it create an access log bucket for you.

Screenshots

resource "aws_s3_bucket_policy" "default" {
  + bucket = "root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98"
  + id     = (known after apply)
  + policy = jsonencode(
        {
          + Statement = [
              + {
                  + Action    = "s3:*"
                  + Condition = {
                      + Bool = {
                          + "aws:SecureTransport" = "false"
                        }
                    }
                  + Effect    = "Deny"
                  + Principal = "*"
                  + Resource  = [
                      + "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98/*",
                      + "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98",
                    ]
                  + Sid       = "ForceSSLOnlyAccess"
                },
              + {
                  + Action    = "s3:PutObject"
                  + Effect    = "Allow"
                  + Principal = {
                      + AWS = "arn:aws:iam::XXXXXXXXXXXX:root"
                    }
                  + Resource  = "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-access-logs/*"
                },
              + {
                  + Action    = "s3:PutObject"
                  + Condition = {
                      + StringEquals = {
                          + "s3:x-amz-acl" = "bucket-owner-full-control"
                        }
                    }
                  + Effect    = "Allow"
                  + Principal = {
                      + Service = "delivery.logs.amazonaws.com"
                    }
                  + Resource  = "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-access-logs/*"
                },
              + {
                  + Action    = "s3:GetBucketAcl"
                  + Effect    = "Allow"
                  + Principal = {
                      + Service = "delivery.logs.amazonaws.com"
                    }
                  + Resource  = "arn:aws:s3:::root-us-east-2-production-app111-rails-project-4-alb-access-logs"
                },
            ]
          + Version   = "2012-10-17"
        }
    )
}

Trying to add the above policy results in the following error:

│ Error: putting S3 Bucket (root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98) Policy: operation error S3: PutBucketPolicy, https response error StatusCode: 400, RequestID: x, HostID: x, api error MalformedPolicy: Policy has invalid resource

Environment

module version: 1.11.1

Additional Context

No response
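A check that would have caught the mismatch in the plan above, added here as an example and not code from the module or the reporter: it parses a rendered bucket policy and lists every Resource ARN that does not name the bucket the policy is attached to, which is exactly what S3 rejects with "Policy has invalid resource". The sample policy is constructed to mirror the plan output, with a placeholder account id.

```python
import json
import re

# Constructed sample mirroring the plan in the report: the Deny statement uses the
# truncated bucket name, the Allow statements use the untruncated one.
TRUNCATED_BUCKET = "root-us-east-2-production-app111-rails-project-4-alb-acce-b3c98"
UNTRUNCATED_BUCKET = "root-us-east-2-production-app111-rails-project-4-alb-access-logs"

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ForceSSLOnlyAccess", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{TRUNCATED_BUCKET}/*", f"arn:aws:s3:::{TRUNCATED_BUCKET}"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{UNTRUNCATED_BUCKET}/*"},
        {"Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{UNTRUNCATED_BUCKET}"},
    ],
}

# S3 ARN: arn:aws:s3:::<bucket> or arn:aws:s3:::<bucket>/<key pattern>; bucket names cannot contain "/".
S3_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)(?:/.*)?$")


def policy_resource_mismatches(bucket_name, policy):
    """Return (Sid or Statement[i], resource) pairs whose ARN does not name bucket_name.

    A bucket policy may only reference the bucket it is attached to, so any other
    bucket (or a wildcard / non-S3 ARN) is reported as a mismatch.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)  # accept the jsonencode()'d string form as well
    mismatches = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        label = stmt.get("Sid", f"Statement[{idx}]")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]  # a single Resource may be a bare string
        for res in resources:
            m = S3_ARN.match(res)
            if m is None or m.group("bucket") != bucket_name:
                mismatches.append((label, res))
    return mismatches


if __name__ == "__main__":
    for label, res in policy_resource_mismatches(TRUNCATED_BUCKET, SAMPLE_POLICY):
        print(f"{label}: {res} does not reference bucket {TRUNCATED_BUCKET}")
```

Running it against the sample reports the two Allow statements that still carry the untruncated name; an empty list means the policy is consistent with the bucket it targets.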

Labels: bug (An issue with the system)