Depend on bucket and policy before configuring ELB logging #1633

Closed
MechanicalRock/account-reaper
#6
@schof

Description

I tried adding logging support to my VPC using the following:

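    import * as Alb from '@aws-cdk/aws-elasticloadbalancingv2'
    import { Bucket, BucketEncryption } from '@aws-cdk/aws-s3'

    // Inside a Stack constructor; `vpc` is an existing VPC construct.
    const alb = new Alb.ApplicationLoadBalancer(this, 'LB', {
      vpc,
      internetFacing: true
    })

    // Bucket for the access logs, with KMS-managed encryption.
    const bucket = new Bucket(this, 'Bucket', {
      encryption: BucketEncryption.KmsManaged
    })
    // Enable ALB access logging to the bucket.
    alb.logAccessLogs(bucket)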

When running cdk deploy I got an expected warning about IAM changes and the permission looks to be correct.

    + │ ${Bucket.Arn}/* │ Allow │ s3:PutObject │ AWS:arn:${AWS::Partition}:iam::127311923021:root

It appears that there is a bug in the CF template which is not waiting on the bucket policy to finish completion before it attempts to add the logging in the VPC.

    Access Denied for bucket: [BUCKET NAME]. Please check S3bucket permission (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: 657ff61c-23dd-11e9-94e9-c57251c19c33)

I confirmed this was the case by checking the CF events in the console.
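
One way to catch the ordering problem reported above before deploying, as an added example (not part of the original issue or the CDK code base): a check over a synthesized CloudFormation template that flags any load balancer enabling S3 access logs without a `DependsOn` on the log bucket's policy. The function name and both sample templates are constructed for illustration.

```typescript
// Constructed minimal types for the parts of a CloudFormation template read here.
type Resource = { Type: string; Properties?: any; DependsOn?: string | string[] };
type Template = { Resources: Record<string, Resource> };

const LB_TYPE = 'AWS::ElasticLoadBalancingV2::LoadBalancer';

// One finding per load balancer that enables S3 access logs without a
// DependsOn edge to the bucket policy attached to the log bucket.
function findUnorderedAccessLogs(template: Template): string[] {
  const findings: string[] = [];
  const ids = Object.keys(template.Resources);
  for (const lbId of ids) {
    const lb = template.Resources[lbId];
    if (lb.Type !== LB_TYPE) continue;
    const attrs: { Key: string; Value: any }[] = lb.Properties?.LoadBalancerAttributes ?? [];
    const enabled = attrs.some(a => a.Key === 'access_logs.s3.enabled' && String(a.Value) === 'true');
    const bucketAttr = attrs.filter(a => a.Key === 'access_logs.s3.bucket')[0];
    const bucketRef = bucketAttr?.Value?.Ref; // logical ID of the log bucket
    if (!enabled || typeof bucketRef !== 'string') continue;
    const dependsOn = ([] as string[]).concat(lb.DependsOn ?? []);
    const policyIds = ids.filter(id => {
      const r = template.Resources[id];
      return r.Type === 'AWS::S3::BucketPolicy' && r.Properties?.Bucket?.Ref === bucketRef;
    });
    if (policyIds.length === 0) findings.push(`${lbId}: no bucket policy for ${bucketRef}`);
    for (const policyId of policyIds) {
      if (dependsOn.indexOf(policyId) < 0) findings.push(`${lbId}: missing DependsOn ${policyId}`);
    }
  }
  return findings;
}

// Constructed sample: resources shaped like the setup in the issue, with no ordering.
const sampleTemplate: Template = { Resources: {
  Bucket: { Type: 'AWS::S3::Bucket' },
  BucketPolicy: { Type: 'AWS::S3::BucketPolicy', Properties: { Bucket: { Ref: 'Bucket' } } },
  LB: { Type: LB_TYPE, Properties: {
    LoadBalancerAttributes: [
      { Key: 'access_logs.s3.enabled', Value: 'true' },
      { Key: 'access_logs.s3.bucket', Value: { Ref: 'Bucket' } },
    ] } },
} };

// Same constructed template with the explicit ordering the issue title asks for.
const fixedTemplate: Template = { Resources: { ...sampleTemplate.Resources,
  LB: { ...sampleTemplate.Resources.LB, DependsOn: ['BucketPolicy'] } } };

console.log(findUnorderedAccessLogs(sampleTemplate));
console.log(findUnorderedAccessLogs(fixedTemplate));
```
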

Labels

- @aws-cdk/aws-elasticloadbalancing: Related to Amazon Elastic Load Balancing
- bug: This issue is a bug.
- effort/small: Small work item – less than a day of effort
- pr/blocked: This PR cannot be merged or reviewed, because it is blocked for some reason.
