Terraform ELB S3 Permissions Issue

Front end · Unresolved · 3 · 1734
执笔经年 2020-12-10 02:37

I am having an issue using Terraform (v0.9.2) adding services to an ELB (I'm using: https://github.com/segmentio/stack/blob/master/s3-logs/main.tf).

When I run

3 answers
  •  生来不讨喜
    2020-12-10 02:49

    In the bucket policy, the account number must NOT be yours. Instead it belongs to AWS, and for each region, the account numbers you should use in your bucket policy are listed at: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy

    For instance, for us-east-1 region the account number is 127311923021.

    Although the question is about Terraform, I am posting a CloudFormation snippet that creates a bucket for the ELB's access logs and its bucket policy:

        # Bucket that receives the ELB access logs
        MyAccessLogsBucket:
            Type: AWS::S3::Bucket
            DeletionPolicy: Retain

        # Bucket policy granting the AWS-owned ELB account write access to the log prefix
        MyAllowELBAccessBucketPolicy:
            Type: AWS::S3::BucketPolicy
            Properties:
                Bucket: !Ref MyAccessLogsBucket
                PolicyDocument:
                    Version: "2012-10-17"
                    Statement:
                        - Effect: "Allow"
                          Principal:
                              # AWS-owned ELB log-delivery account for us-east-1 (not your own account)
                              AWS: "arn:aws:iam::127311923021:root"
                          Action:
                              - "s3:PutObject"
                          # Only the AWSLogs/ prefix is writable by the ELB account
                          Resource: !Sub "arn:aws:s3:::${MyAccessLogsBucket}/AWSLogs/*"

    In the Principal, 127311923021 is used because this is the AWS account number that should be used for us-east-1.
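The same bucket policy expressed in Terraform, as an added example that is not part of the question or the answer above. It assumes the 0.9-era interpolation syntax used by the question, and the bucket name and resource labels are placeholders; the `aws_elb_service_account` data source resolves the AWS-owned ELB log-delivery account for the provider's region (127311923021 in us-east-1), so the account ID does not have to be hard-coded per region.

```hcl
# Added example, not from the original post. Names below are placeholders.

# AWS-owned account that delivers ELB access logs in the current region.
data "aws_elb_service_account" "main" {}

resource "aws_s3_bucket" "elb_logs" {
  bucket = "example-elb-access-logs"   # placeholder bucket name
}

# Grant only s3:PutObject, only to the ELB service account, only under AWSLogs/.
data "aws_iam_policy_document" "elb_logs" {
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.elb_logs.arn}/AWSLogs/*"]

    principals {
      type        = "AWS"
      identifiers = ["${data.aws_elb_service_account.main.arn}"]
    }
  }
}

resource "aws_s3_bucket_policy" "elb_logs" {
  bucket = "${aws_s3_bucket.elb_logs.id}"
  policy = "${data.aws_iam_policy_document.elb_logs.json}"
}

# Classic ELB writing its access logs into the bucket above.
resource "aws_elb" "web" {
  name               = "example-web-elb"     # placeholder
  availability_zones = ["us-east-1a"]        # placeholder

  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  access_logs {
    bucket   = "${aws_s3_bucket.elb_logs.bucket}"
    interval = 60
  }
}
```

If `terraform apply` still fails with an access-denied error on the bucket, compare the `Principal` in the applied policy against the region's account in the AWS documentation linked above rather than against your own account ID.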
