Background
I wanted to have CloudFormation write ALB access logs to S3. I read the Classmethod articles and the reference, but still got stuck, so I am writing it up here.
I was convinced I had applied the permissions, so I could not understand why it kept telling me there were none.
Error
Access Denied for bucket:{{bucket name}}. Please check S3bucket permission (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: xxxxx; Proxy: null)
Cause
A DependsOn attribute was required. The ALB only references the bucket (!Ref LogBucket), so CloudFormation orders it after the bucket but not after the bucket policy; without an explicit DependsOn on LogBucketPolicy the ALB can be created while the policy does not exist yet, and ELB's write check fails with the Access Denied above.
FYI: https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html
Resources:
  ############################################
  ## S3
  ############################################
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Join [ "-", [ !Ref EnvTagPrefix, !Ref ProjTagPrefix, !Ref SubProjTagPrefix, alb-logs ] ]
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: 30
            Status: Enabled
  LogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Statement:
          - Action:
              - s3:PutObject
            Effect: Allow
            Resource:
              # Can be narrowed to ${LogBucket}/AWSLogs/${AWS::AccountId}/* for least privilege
              - !Sub arn:aws:s3:::${LogBucket}/*
            Principal:
              # ELB service account for ap-northeast-1 (Tokyo); differs per region
              AWS: arn:aws:iam::582318560864:root
  ############################################
  ## ALB Setting
  ############################################
  ALB01:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    # Without this the ALB may be created before the bucket policy exists -> Access Denied
    DependsOn: LogBucketPolicy
    Properties:
      Name: !Join [ "-", [ !Ref EnvTagPrefix, !Ref ProjTagPrefix, !Ref SubProjTagPrefix, alb01 ] ]
      Scheme: internet-facing
      LoadBalancerAttributes:
        - Key: "deletion_protection.enabled"
          Value: "false"
        - Key: "idle_timeout.timeout_seconds"
          Value: "300"
        - Key: "access_logs.s3.enabled"
          Value: "true"
        - Key: "access_logs.s3.bucket"
          Value: !Ref LogBucket
      SecurityGroups:
        - { "Fn::ImportValue": !Join [ "-", [ !Ref EnvTagPrefix, !Ref ProjTagPrefix, alb-sg-public ] ] }
        - { "Fn::ImportValue": !Join [ "-", [ !Ref EnvTagPrefix, !Ref ProjTagPrefix, alb-sg-stakeholders ] ] }
        - { "Fn::ImportValue": !Join [ "-", [ !Ref EnvTagPrefix, !Ref ProjTagPrefix, alb-sg-unilabo ] ] } # for blue/green check
      Subnets:
        - { "Fn::ImportValue": !Join [ "-", [ !Ref EnvTagPrefix, sub-public-01 ] ] }
        - { "Fn::ImportValue": !Join [ "-", [ !Ref EnvTagPrefix, sub-public-02 ] ] }
        - { "Fn::ImportValue": !Join [ "-", [ !Ref EnvTagPrefix, sub-public-03 ] ] }
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref EnvTagPrefix, !Ref ProjTagPrefix, front, alb01 ] ]
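As an added example (not part of the original post), the check below lints a CloudFormation template for exactly this ordering bug before deployment: every ALB with access_logs.s3.enabled must declare DependsOn on the BucketPolicy of its log bucket. The template is given in JSON/dict form (so no YAML tag parsing is needed); the BROKEN and FIXED templates are constructed to mirror the post's resources.

```python
"""Added example: detect ALBs that enable S3 access logs without a DependsOn
on their log bucket's AWS::S3::BucketPolicy. A bare Ref to the bucket only
orders the ALB after the bucket, not after the policy, which is the race
behind the Access Denied error in this post."""
import json


def _ref(node):
    """Logical id that a {"Ref": ...} node points at, or None."""
    return node.get("Ref") if isinstance(node, dict) else None


def find_missing_depends_on(template):
    """Return (alb_id, bucket_id, policy_id) for each ALB logging to a bucket
    without DependsOn on that bucket's policy; policy_id is None when the
    bucket has no BucketPolicy at all (logging would be denied as well)."""
    resources = template["Resources"]
    policies = {}  # bucket logical id -> [BucketPolicy logical ids]
    for rid, res in resources.items():
        if res.get("Type") == "AWS::S3::BucketPolicy":
            bucket = _ref(res.get("Properties", {}).get("Bucket"))
            if bucket:
                policies.setdefault(bucket, []).append(rid)
    findings = []
    for rid, res in resources.items():
        if res.get("Type") != "AWS::ElasticLoadBalancingV2::LoadBalancer":
            continue
        props = res.get("Properties", {})
        attrs = {a["Key"]: a["Value"] for a in props.get("LoadBalancerAttributes", [])}
        if str(attrs.get("access_logs.s3.enabled", "false")).lower() != "true":
            continue
        bucket = _ref(attrs.get("access_logs.s3.bucket"))
        depends = res.get("DependsOn", [])
        depends = [depends] if isinstance(depends, str) else depends  # CFN allows a string or list
        if not policies.get(bucket):
            findings.append((rid, bucket, None))
        for policy_id in policies.get(bucket, []):
            if policy_id not in depends:
                findings.append((rid, bucket, policy_id))
    return findings


# Constructed template mirroring the post's resources, before the DependsOn fix.
BROKEN = {"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket"},
    "LogBucketPolicy": {"Type": "AWS::S3::BucketPolicy",
                        "Properties": {"Bucket": {"Ref": "LogBucket"}}},
    "ALB01": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
              "Properties": {"LoadBalancerAttributes": [
                  {"Key": "access_logs.s3.enabled", "Value": "true"},
                  {"Key": "access_logs.s3.bucket", "Value": {"Ref": "LogBucket"}}]}}}}
# Same template with the fix the post arrived at (deep copy via JSON round-trip).
FIXED = json.loads(json.dumps(BROKEN))
FIXED["Resources"]["ALB01"]["DependsOn"] = "LogBucketPolicy"
```

find_missing_depends_on(BROKEN) reports ("ALB01", "LogBucket", "LogBucketPolicy"), while the FIXED template produces no findings.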