While attempting to enable access logs for an Application Load Balancer (ALB) in AWS, I encountered a permissions error due to insufficient S3 bucket permissions. The error highlighted the need for proper bucket policy settings, which I had initially overlooked.
```
│ Error: modifying ELBv2 Load Balancer (arn:aws:elasticloadbalancing:ap-northeast-1:************:loadbalancer/app/alb-prod/fbbd3f2304ff9285) attributes: InvalidConfigurationRequest: Access Denied for bucket: logs-prod. Please check S3 bucket permission
```
Upon reviewing the official documentation, I realized that I had missed configuring the bucket policy.
Official AWS Documentation on Enabling Access Logging
Here's how I resolved the error using Terraform, which might be helpful if you encounter a similar issue.
S3 Bucket Setup
I used the bucket name `logs-prod` and the prefix `alb/alb-prod`. The number `582318560864` represents the AWS account ID for ELB in the Tokyo region. Replace `<account-id>` with your own AWS account ID.
```hcl
resource "aws_s3_bucket" "logs_prod" {
  bucket = "logs-prod"

  tags = {
    Environment = "prod"
  }
}

# Allow the regional ELB account to write log objects, and only under
# the prefix the ALB is configured to use.
resource "aws_s3_bucket_policy" "logs_prod_policy" {
  bucket = aws_s3_bucket.logs_prod.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::582318560864:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::logs-prod/alb/alb-prod/AWSLogs/<account-id>/*"
    }
  ]
}
POLICY
}
```
ALB Configuration
I added an `access_logs` block to the ALB setup to enable logging, specify the bucket name, and set the prefix.
```hcl
resource "aws_lb" "alb_prod" {
  name               = "alb-prod"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [var.security_group_elb_sg_id]
  subnets            = [var.subnet_public_1a_id, var.subnet_public_1c_id]

  enable_deletion_protection = true
  preserve_host_header       = true

  # Bucket and prefix must match the Resource path in the bucket policy.
  access_logs {
    enabled = true
    bucket  = "logs-prod"
    prefix  = "alb/alb-prod"
  }

  tags = {
    Environment = "prod"
  }
}
```
By applying these settings, I ensured correct and secure logging from the ALB to the specified S3 bucket.
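As an added example (not part of the original post), this Python pre-flight check tests whether a bucket policy lets the regional ELB account write to the exact path the ALB will use, so a bucket, prefix or account mismatch shows up before `terraform apply` fails with Access Denied. The function names and the account ID `111122223333` are constructed for illustration, and the check ignores `Condition`, `NotAction` and wildcard principals.

```python
import json
import re

# Constructed sample: the post's policy with a made-up account ID (111122223333).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::582318560864:root"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::logs-prod/alb/alb-prod/AWSLogs/111122223333/*",
    }],
})

def _glob(pattern, value):
    """IAM-style match: * is any run of characters, ? is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _listify(v):
    return v if isinstance(v, list) else [v]

def alb_log_write_allowed(policy_json, bucket, prefix, account_id, elb_account_id):
    """True if the policy lets the regional ELB account write objects under
    <bucket>/<prefix>/AWSLogs/<account_id>/, the path the ALB logs to."""
    # Hypothetical object name; only the directory part matters for the check.
    key = "/".join(p for p in (prefix, "AWSLogs", account_id, "sample.log.gz") if p)
    target = f"arn:aws:s3:::{bucket}/{key}"
    wanted = {elb_account_id, f"arn:aws:iam::{elb_account_id}:root"}
    allowed = False
    for stmt in _listify(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        # Simplification: only explicit AWS principals are considered, not "*".
        aws = _listify(principal.get("AWS", [])) if isinstance(principal, dict) else []
        hit = (
            wanted & set(aws)
            and any(_glob(a.lower(), "s3:putobject") for a in _listify(stmt.get("Action", [])))
            and any(_glob(r, target) for r in _listify(stmt.get("Resource", [])))
        )
        if hit and stmt.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow
        if hit and stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

if __name__ == "__main__":
    for pfx in ("alb/alb-prod", "alb/alb-staging"):  # second prefix is constructed
        ok = alb_log_write_allowed(SAMPLE_POLICY, "logs-prod", pfx, "111122223333", "582318560864")
        print(f"{pfx}: {'allowed' if ok else 'Access Denied expected'}")
```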