fix: Add China regions to elb_service_accounts #264

Merged

bohnjamin
Contributor

@bohnjamin bohnjamin commented Dec 2, 2023

Description

Fixes ELB log delivery in AWS China regions

Motivation and Context

In release 3.8.2, a fix was made to support newer AWS regions which use a different log delivery policy:
3c094b3

The method of the fix is essentially "if the old region exists in this list, use the old way, otherwise use the new way". Unfortunately, the China regions were left out of this list, so this module treats them as though they're new regions, and sets the Principal to "Service": "logdelivery.elasticloadbalancing.amazonaws.com", when it should be the old format: "AWS": "arn:aws-cn:iam::638102146993:root" (example given is for cn-north-1).

Documentation here describes regions excluding China: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy

China regions are included here: https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy

Breaking Changes

No, simply adds China regions to existing list

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
    Added examples/china-log-bucket-failure, which is similar to the complete example with some stuff removed for clarity.

  • I have tested and validated these changes using one or more of the provided examples/* projects

This is a very simple change. I tried to create an S3 bucket with ELB log permissions and got this error:
failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: test-bucket-cn-elb-logs-cn-north-1. Please check S3bucket permission
I then changed the module source to my branch on GitHub:

#  source  = "terraform-aws-modules/s3-bucket/aws"
#  version = "3.15.1"
  source = "git::https://github.com/bohnjamin/terraform-aws-s3-bucket.git?ref=add-china-regions"

and the bucket is deployed as expected

  • I have executed pre-commit run -a on my pull request
$ pre-commit run -a
Terraform fmt............................................................Passed
Terraform wrapper with for_each in module................................Passed
Terraform validate.......................................................Passed
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
check for merge conflicts................................................Passed
fix end of files.........................................................Passed

@bohnjamin bohnjamin changed the title Adding China regions to elb_service_accounts Fix/Adding China regions to elb_service_accounts Dec 2, 2023
@bohnjamin bohnjamin changed the title Fix/Adding China regions to elb_service_accounts fix: Add China regions to elb_service_accounts Dec 2, 2023
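
The region lookup described in the PR, written as a stand-alone policy check. This is an added example, not the module's code: the function names, the `aws`/`aws-cn` partition handling and the sample policy are assumptions, and the legacy map carries only the cn-north-1 account ID quoted in the description.

```python
import json

# Legacy ELB log-delivery accounts by region. Only the cn-north-1 value comes
# from the PR description; the full list is in the AWS docs linked there.
LEGACY_ELB_ACCOUNTS = {"cn-north-1": "638102146993"}
NEW_STYLE_SERVICE = "logdelivery.elasticloadbalancing.amazonaws.com"


def partition_for(region):
    """Map a region to its ARN partition (assumption: only aws and aws-cn)."""
    return "aws-cn" if region.startswith("cn-") else "aws"


def expected_principal(region, legacy_accounts=LEGACY_ELB_ACCOUNTS):
    """Return the Principal element ELB log delivery needs in this region."""
    account = legacy_accounts.get(region)
    if account is None:
        # Region not in the legacy list: treated as a newer region.
        return {"Service": NEW_STYLE_SERVICE}
    return {"AWS": f"arn:{partition_for(region)}:iam::{account}:root"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows_elb_logs(policy_json, region, legacy_accounts=LEGACY_ELB_ACCOUNTS):
    """True if an Allow statement grants s3:PutObject to the expected principal."""
    kind, value = next(iter(expected_principal(region, legacy_accounts).items()))
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        if value in _as_list(principal.get(kind, [])):
            return True
    return False


# Constructed sample: a bucket policy using the new-style Service principal,
# as described for cn-north-1 before the fix.
PRE_FIX_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": NEW_STYLE_SERVICE},
    "Action": "s3:PutObject",
    "Resource": "arn:aws-cn:s3:::test-bucket-cn-elb-logs-cn-north-1/*",
}]})
```

Passing an empty `legacy_accounts` map reproduces the pre-fix lookup, where cn-north-1 falls through to the service principal.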

github-actions bot commented Jan 5, 2024

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Jan 5, 2024
@antonbabenko
Member

Thank you, @bohnjamin ! CI will be fixed in #268. It will be a major release.

@antonbabenko antonbabenko merged commit c6870d5 into terraform-aws-modules:master Jan 12, 2024
11 of 15 checks passed
antonbabenko pushed a commit that referenced this pull request Jan 12, 2024
### [3.15.2](v3.15.1...v3.15.2) (2024-01-12)

### Bug Fixes

* Add China regions to elb_service_accounts ([#264](#264)) ([c6870d5](c6870d5))
@antonbabenko
Member

This PR is included in version 3.15.2 🎉


I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 12, 2024