AWS ELB ModifyLoadBalancerAttributes omits required parameter "s3BucketPrefix" on modify #4361
Labels
bug
Addresses a defect in current functionality.
service/elb
Issues and PRs that pertain to the elb service.
Milestone
Comments
bflad
added
bug
jmcarp
added a commit
to jmcarp/terraform-provider-aws
that referenced
this issue
May 2, 2018
jmcarp
added a commit
to jmcarp/terraform-provider-aws
that referenced
this issue
May 2, 2018
|
The fix for this has been merged in via #4383 and will release with v1.19.0 of the AWS provider, likely middle of next week. |
|
This has been released in version 1.19.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
When configuring an Elastic Load Balancer to emit access logs to an S3 bucket, if you wish to emit the logs to the root of the target bucket, you specify the parameter bucket_prefix to be an empty string, or you do not specify the parameter as it is an optional parameter.
When a bucket is created using this configuration, everything work as expected, or if the load balancer does not currently have an access log configuration and you add it, it also works. The ELB is created with the CreateLoadBalancer API call (if a new elb), and then the bucket is modified with the ModifyLoadBalancerAttributes API call like with this information:
If however you are modifying a bucket that already exists, and already has an access log configuration to have this new access log configuration where the logs are to be stored in the root of the bucket, the subsequent ModifyLoadBalancerAttributes API call passes this information, because it thinks the bucket_prefix being empty means it does not need to be specified:
Because the
s3BucketPrefixkey is missing from the API call, the API thinks you are not wanting to change the s3BucketPrefix from the old value to EmptyString, and so given your new bucket configuration does not allow the writing of logs to the old prefix location, the Load Balancer rejects the configuration with the following message:Access Denied for bucket: <bucket_name>. Please check S3bucket permissionThis has been confirmed with the AWS ELB Service Team as a direct result of omitting the s3BucketPrefix key which is a required parameter if you are attempting to modify the prefix.
Terraform respects this requirement at Create time, or when adding a logging configuration but does not respect it at Modify time when changing an existing logging configuration.
If you don't specify the new prefix, you won't change the prefix, especially when you want to change the prefix to ""
Terraform Version
0.11.3
Provider Version
1.13.0
Affected Resource(s)
Terraform Configuration Files
OR
Debug Output
https://gist.github.com/Zordrak/e3cfaa83f2dcc486403304b5aa77d21d
Expected Behavior
{ "LoadBalancerAttributes": { "CrossZoneLoadBalancing": { "Enabled": true }, "ConnectionSettings": { "IdleTimeout": 400 }, "AccessLog": { "S3BucketPrefix": "", "EmitInterval": 5, "Enabled": true, "S3BucketName": "<bucket_name>" } }, "LoadBalancerName": "elb" }Actual Behavior
An error occurred (InvalidConfigurationRequest) when calling the ModifyLoadBalancerAttributes operation: Access Denied for bucket: <bucket_name>. Please check S3bucket permission
Steps to Reproduce
terraform applyterraform applyThe text was updated successfully, but these errors were encountered: