How to give the target bucket log-delivery group WRITE and READ_ACP permissions?

user3648969 · Apr 9, 2019 · Viewed 8.2k times

I am trying to set up a CloudFront distribution and S3 bucket with Terraform. When I run terraform apply it returns the following error:

  • aws_s3_bucket.app: Error putting S3 logging: InvalidTargetBucketForLogging: You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket

My S3.tf file:

data "aws_iam_policy_document" "s3_policy" {
  policy_id = "PolicyForCloudFrontPrivateContent"

  statement {
    sid       = "1"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.name_env}/*"]

    principals {
      type        = "AWS"
      identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
    }
  }
}

resource "aws_s3_bucket" "app" {
  bucket = "${local.name_env}"
  policy = "${data.aws_iam_policy_document.s3_policy.json}"

  logging {
    target_bucket = "${local.logs_bucket}"
    target_prefix = "app-${var.environment}"
  }

  versioning {
    enabled = true
  }

  tags = "${local.tags}"
}

Answer

jpgrace · Jul 25, 2019

You need to add an acl attribute to your aws_s3_bucket with a value of "log-delivery-write".

resource "aws_s3_bucket" "app" {
  bucket = "${local.name_env}"
  acl = "log-delivery-write"
  ...
}
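The error quoted in the question says the log-delivery group needs WRITE and READ_ACP on the target bucket, i.e. the bucket that receives the access logs. The following is an added example (my code, not the asker's or the answerer's) of a complete configuration in the same Terraform 0.11 interpolation style as the question: it declares the log target bucket with the canned `log-delivery-write` ACL, blocks public access to it, and points the app bucket's `logging` block at it. It assumes the question's `local.name_env`, `local.logs_bucket`, `local.tags`, `var.environment` and the `aws_iam_policy_document.s3_policy` data source already exist.

```terraform
# Added example, not the question's or answer's code. Assumes the same locals,
# variables and s3_policy data source that the question's S3.tf defines.

# Target bucket for server access logs. The InvalidTargetBucketForLogging
# error is about this bucket: the "log-delivery-write" canned ACL grants the
# S3 log-delivery group WRITE and READ_ACP on it.
resource "aws_s3_bucket" "logs" {
  bucket = "${local.logs_bucket}"
  acl    = "log-delivery-write"

  # Versioning keeps delivered log objects from being silently overwritten.
  versioning {
    enabled = true
  }

  tags = "${local.tags}"
}

# Access logs are sensitive (client IPs, request paths); make sure no ACL or
# bucket policy can ever expose the log bucket publicly.
resource "aws_s3_bucket_public_access_block" "logs" {
  bucket = "${aws_s3_bucket.logs.id}"

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Source bucket served through CloudFront. Referencing aws_s3_bucket.logs.id
# makes Terraform create the target bucket (with its ACL) before it tries to
# enable logging here, which is the ordering the apply was failing on.
resource "aws_s3_bucket" "app" {
  bucket = "${local.name_env}"
  acl    = "private"
  policy = "${data.aws_iam_policy_document.s3_policy.json}"

  logging {
    target_bucket = "${aws_s3_bucket.logs.id}"
    target_prefix = "app-${var.environment}/"
  }

  versioning {
    enabled = true
  }

  tags = "${local.tags}"
}
```

With AWS provider v4 and later the `acl` and `logging` arguments move to the separate `aws_s3_bucket_acl` and `aws_s3_bucket_logging` resources, and a target bucket created with ACLs disabled (object ownership `BucketOwnerEnforced`) cannot take this canned ACL at all; in that case the target bucket policy must grant `s3:PutObject` to the `logging.s3.amazonaws.com` service principal instead.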