fix(AWLS2-441): ensure S3 bucket exists before VPC flow log creation #150
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kirklandnuts
requested review from
marktabry,
aneesh-mysore,
aclacework and
leijin-lw
and removed request for
a team
wilderj
reviewed
Dec 12, 2024
main.tf
Outdated
| @@ -911,7 +911,7 @@ resource "aws_flow_log" "agentless_scan_vpc_flow_log" { | |||
|
|
|||
| # Send logs to manged S3 bucket. | |||
| log_destination_type = "s3" | |||
| log_destination = "arn:aws:s3:::${local.prefix}-bucket-${local.suffix}/sidekick/flow-logs/" | |||
| log_destination = aws_s3_bucket.agentless_scan_bucket[0].arn | |||
There was a problem hiding this comment.
probably still want to publish this to the sidekick/flow-logs path within the bucket for organization purposes.
There was a problem hiding this comment.
good catch dude — addressed in a7af82d
Adds depends_on to ensure S3 bucket is fully provisioned before flow log creation, addressing an intermittent "Access Denied" error. The direct resource reference alone wasn't sufficient to guarantee proper ordering.
- Add s3_bucket_arn to global module outputs - Add s3_bucket_arn field to global_module_reference variable type - Use global_module_reference.s3_bucket_arn for flow log destination
Signed-off-by: Lei Jin <[email protected]>
…k/terraform-aws-agentless-scanning into fix/AWLS2-441/flow-logs-creation Signed-off-by: Lei Jin <[email protected]>
Signed-off-by: Lei Jin <[email protected]>
leijin-lw
force-pushed
the
fix/AWLS2-441/flow-logs-creation
branch
from
581c807 to
614397f
Compare
leijin-lw
approved these changes
Dec 13, 2024
main.tf
Outdated
| @@ -911,7 +911,8 @@ resource "aws_flow_log" "agentless_scan_vpc_flow_log" { | |||
|
|
|||
| # Send logs to manged S3 bucket. | |||
| log_destination_type = "s3" | |||
| log_destination = "arn:aws:s3:::${local.prefix}-bucket-${local.suffix}/sidekick/flow-logs/" | |||
| log_destination = "${aws_s3_bucket.agentless_scan_bucket[0].arn}/sidekick/flow-logs/" | |||
There was a problem hiding this comment.
It won't work since VPC flow log is a regional resources and aws_s3_bucket.agentless_scan_bucket[0].arn only exists when global = true
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Updates
log_destinationparameter in thevpc_flow_logsresource to directly reference our S3 bucket resource, ensuring Terraform creates resources in the correct order.This fixes an intermittent "Access Denied" error that occurs when terraform tries to create the flow logs resource before the S3 bucket is fully provisioned.
Please refer to the linked Jira ticket for more details.
How did you test this change?
[WIP] Retried deployment a few times and stopped seeing intermittent failure due to permission error when creating the flow logs resource.
Issue
AWLS2-441