Terragrunt: Access Logging setup causes logging loop.
After #645 being merged, Terragrunt is setting up Access_Logging on terraform state buckets, logging access to the prefix TFStateLogs/ in the same bucket. This causes an access logging loop causing there to be lots of logs. It's also against Amazon's recommendations:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-logs-same-bucket/
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#server-access-logging-overview
I'd suggest the "skip_bucket_accesslogging" option should default to false on bucket creation.
If I PR'ed that change, would it be likely to be merged?
tony-harverson-moonpig
All 12 comments
So you're saying that if you send access logs for bucket X to bucket X, AWS gets in an infinite loop where it seems the access logs themselves as a new "access" and logs that too, and so on, infinitely?
brikis98
on 10 Sep 2020
According to Amazon, That's what happens.
Replication recipe:
Spin up a new bucket by running a terragrunt apply on any minimal terraform stack.
list the bucket in the aws console. No TFStateLogs will be present initially (not sure why this is, maybe there's a setup delay or something).
Inspect the bucket in an hour's time. We're seeing logs being continually written to that bucket, despite no additional access.
tony-harverson-moonpig
on 10 Sep 2020
Yikes 馃槷 Thanks for reporting.
I think then we'd want to change the logic to use a separate bucket for access logging. Perhaps we pick some name pattern by default (xxx-access-logs where xxx is the original bucket name?) and allow it to be overridden via config. A PR to fix this is VERY welcome.
brikis98
on 10 Sep 2020
With derived bucket names, there's an edge case around the lengths of bucket names (63 characters max), so long bucket names could result in illegally long log bucket names (which would assumedly fail creation), or would need to be truncated before adding the logging suffix (which would result in possibly non-unique names).
It might be better to have a single logs bucket with a predictable name, and a unique prefix (say /TFStateLogs/{tfstate-bucket-name}/) for each state bucket.
tony-harverson-moonpig
on 10 Sep 2020
Ah, that makes sense. In that case, let's make access logging off by default, and allow it to be turned with one config parameter, that also requires you to set the access logs bucket name in another param.
brikis98
on 10 Sep 2020
I'l try to get a PR in for that in the next couple of days.
tony-harverson-moonpig
on 10 Sep 2020
Thank you!
brikis98
on 10 Sep 2020
It would be good if access log is disabled by default 馃憤
michelzanini
on 20 Sep 2020
Hey @tony-harverson-moonpig @michelzanini Thought I'd give you a heads up that I'll be picking this up. I've read through the comments, so will be able to share some more details as I dive into this a bit more. 馃檪
ina-stoyanova
on 19 Oct 2020
Hello, first of all thanks for this improvement to the access logging setup. It would be handy to have an ability to specify also the target prefix to override targetPrefix := "TFStateLogs/" for example to be able to send access logs from multiple terraform state buckets to single logging bucket and not mix them together. Is there any chance to add such option?
dsecik
on 20 Nov 2020
@dsecik Please file a separate issue for that! PR to support it is welcome too.
brikis98
on 20 Nov 2020
Hi @brikis98, I created #1437. Sadly can't help with submitting PR as I have no experience with Go.
dsecik
on 24 Nov 2020
Related issues
brikis98
路
4Comments
antonbabenko
路
3Comments
dmlemos
路
3Comments
jeffdyke
路
3Comments
geekifier
路
3Comments