Hi
This is on terraform 0.6.15, it also happens on 0.6.14.
When I run a simple Terraform file such as:
provider "aws" {
  profile = "${var.profile}"
  region  = "${var.region}"
}

resource "aws_s3_bucket" "cloudtrail" {
  bucket        = "cloudtrail"
  acl           = "private"
  force_destroy = false
  policy        = "${file("policies/cloudtrail/cloudtrail.json")}"
}

resource "aws_cloudtrail" "cloudtrail" {
  name                          = "cloudtrail"
  s3_bucket_name                = "${aws_s3_bucket.cloudtrail.id}"
  is_multi_region_trail         = false
  enable_logging                = true
  include_global_service_events = true
}
Policy file: policies/cloudtrail/cloudtrail.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20160318",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::cloudtrail"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::cloudtrail/AWSLogs/xxxxxxxx/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
The plan applies correctly but every time I get the following error:
Error applying plan:
1 error(s) occurred:
* aws_cloudtrail.cloudtrail: InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: cloudtrail
status code: 400, request id: 2d999060-0d1d-11e6-a110-37662631b878
Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
The interesting part is: the changes apply. So when I update the policy the changes are taken in, but I still get that error.
The issue is down to the AWS accounts specified in the policies, if ever used.
I created the S3 bucket in an XXXX AWS account and at the same time was creating an aws_cloudtrail definition in the same account against that bucket.
I forgot to include in the policy the AWS account for this scenario, so I got the right error for it.
@rainmanh I didn't understand your solution here.
I tried both the following policies and still got the same error:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20131101",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXX:root",
          "arn:aws:iam::YYY:root",
          "arn:aws:iam::ZZZ:root"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${ct_bucket_name}"
    },
    {
      "Sid": "AWSCloudTrailWrite20131101",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXX:root",
          "arn:aws:iam::YYY:root",
          "arn:aws:iam::ZZZ:root"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::${ct_bucket_name}/AWSLogs/XXX/",
        "arn:aws:s3:::${ct_bucket_name}/AWSLogs/YYY/",
        "arn:aws:s3:::${ct_bucket_name}/AWSLogs/ZZZ/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
And
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${ct_bucket_name}"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::${ct_bucket_name}/AWSLogs/XXX/",
        "arn:aws:s3:::${ct_bucket_name}/AWSLogs/YYY/",
        "arn:aws:s3:::${ct_bucket_name}/AWSLogs/ZZZ/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
This is the sort of Policy I have applied:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::bucket_name"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::bucket_name/AWSLog_dir/account_id/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Bear in mind who the principal is, as that might be your issue.
CloudTrail is the system user accessing those buckets, not your AWS users.
Having similar problem. Any luck sorting this out?
Hey @pulpfree,
Actually yes, I figured out what the problem I had was.
So my bucket policy was looking something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${ct_bucket_name}"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${ct_bucket_name}/${prefix}/AWSLogs/myAccountID/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
Now I wanted to leave the ${prefix} empty, so I was sending prefix = "/".
This caused the error, as a valid prefix should not include "/".
If you do not wish to have a prefix, then send prefix = "".
If you do wish to include a prefix, make sure to send it without "/", for example: prefix = "pulpfree".
Hope this helps.
Good luck.
These all seem like edge cases and the 'solutions' provided don't make sense.
I'm also getting the same error and this is the first google result.
Here's the cloudtrail bucket:
resource "aws_s3_bucket" "CloudTrailS3Bucket" {
  bucket = "${var.CloudTrailBucketName}"
}
Here's the bucket policy:
resource "aws_s3_bucket_policy" "CloudTrailS3Bucket" {
  bucket     = "${aws_s3_bucket.CloudTrailS3Bucket.id}"
  depends_on = ["aws_s3_bucket.CloudTrailS3Bucket"]

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AWSCloudTrailAclCheck",
    "Effect": "Allow",
    "Principal": { "Service": "cloudtrail.amazonaws.com" },
    "Action": "s3:GetBucketAcl",
    "Resource": "arn:aws:s3:::${var.CloudTrailBucketName}"
  },
  {
    "Sid": "AWSCloudTrailWrite",
    "Effect": "Allow",
    "Principal": { "Service": "cloudtrail.amazonaws.com" },
    "Action": "s3:PutObject",
    "Resource": ["arn:aws:s3:::${var.CloudTrailBucketName}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"],
    "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
  }]
}
POLICY
}
and here's the cloudtrail:
resource "aws_cloudtrail" "autotag-CloudTrail" {
  name                          = "autotag-CloudTrail"
  s3_key_prefix                 = ""
  s3_bucket_name                = "${aws_s3_bucket.CloudTrailS3Bucket.id}"
  enable_logging                = true
  include_global_service_events = true
  is_multi_region_trail         = true
}
Here's the error after running terraform apply:
* aws_cloudtrail.autotag-CloudTrail: InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: my-cloudtrail-bucket21-nick
status code: 400, request id: 076a5e66-5dd8-11e7-8297-0f6303ddf4df
@nskitch make sure that the bucket policy is being created _before_ the CloudTrail resource. You can look at the dependency graph with terraform graph:
terraform graph > graph.dot
dot -Tpdf graph.dot -o graph.pdf
open graph.pdf
In our case, we had to add the equivalent of
depends_on = ["aws_s3_bucket_policy.CloudTrailS3Bucket"]
to the CloudTrail resource.
@rwiggins Funny, I actually did that last Friday before heading out for the weekend and it did solve the problem. Thanks for the info!
The depends_on part solved it for me. This should definitely be in the documentation!
I had the same exact use case listed as above. The issue for me did relate to the depends_on as well. But at first, even after adding it, there were still errors. What ended up solving the issue for me was that I had to add a * to the policy after the account number.
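Pulling the thread's findings together (the principal must be the CloudTrail service rather than IAM users, the PutObject resource must end in /* after the account id, and a key prefix must not carry a "/"), here is a small pre-apply lint for the bucket policy that Terraform hands to aws_s3_bucket_policy. It is an added example, not code from this issue or from Terraform; the function names, the two sample policies and the account id 111122223333 are constructed for illustration, and it assumes the standard "aws" partition in the ARNs.

```python
"""Lint a CloudTrail S3 bucket policy before the trail is created.

Added example (not from the issue or the Terraform project). Checks the
two grants CloudTrail requires when a trail is created or updated, so the
InsufficientS3BucketPolicyException seen above is caught before apply.
"""
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def expected_log_resource(bucket, account_id, prefix=""):
    """Object ARN CloudTrail writes to: <bucket>/[<prefix>/]AWSLogs/<account>/*.

    A prefix must not start or end with "/"; passing "/" to mean "no prefix"
    yields a path CloudTrail never writes to (the mistake described above).
    """
    if not prefix:
        return f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"
    if prefix != prefix.strip("/"):
        raise ValueError(f"prefix {prefix!r} must not start or end with '/'")
    return f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{account_id}/*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return set(_as_list(principal.get("Service", [])))
    return set()


def lint_cloudtrail_policy(policy_json, bucket, account_id, prefix=""):
    """Return a list of findings; an empty list means both grants are present."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = expected_log_resource(bucket, account_id, prefix)
    findings = []
    acl_ok = put_ok = False

    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if CLOUDTRAIL_SERVICE not in _service_principals(st):
            # "AWS" (IAM) principals do not help: the caller is the CloudTrail
            # service itself, not one of the account's users or roles.
            continue
        actions = set(_as_list(st.get("Action", [])))
        resources = set(_as_list(st.get("Resource", [])))
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_ok = True
        if "s3:PutObject" in actions:
            acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append("PutObject statement lacks the bucket-owner-full-control condition")
            for res in resources:
                if not res.endswith("/*"):
                    findings.append(f"PutObject resource {res} does not end with '/*'")
            if object_arn in resources:
                put_ok = True

    if not acl_ok:
        findings.append(f"no Allow for {CLOUDTRAIL_SERVICE} s3:GetBucketAcl on {bucket_arn}")
    if not put_ok:
        findings.append(f"no Allow for {CLOUDTRAIL_SERVICE} s3:PutObject on {object_arn}")
    return findings


# Constructed sample: an IAM-root principal on the ACL check and a missing
# trailing wildcard on the write resource, the two mistakes from the thread.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AclCheck", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::cloudtrail"},
        {"Sid": "Write", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
})

# Constructed sample of the shape that works.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::cloudtrail"},
        {"Sid": "Write", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
})

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_POLICY), ("good", GOOD_POLICY)):
        print(name, lint_cloudtrail_policy(pol, "cloudtrail", "111122223333") or "OK")
```

Running the module prints three findings for the broken policy and OK for the good one. The lint only confirms the policy text; the ordering problem @rwiggins describes (the trail being created before the policy is attached) still needs the depends_on on the aws_cloudtrail resource.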
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.