AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

Can't set 'access_logs.s3.bucket' back to 'false' for ALB using CloudFormation

0

I'm trying to turn on ALB access logs conditionally using CloudFormation as follows:

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Join ['-', [!Ref 'AWS::StackName', ALB]]
      Type: application
      IpAddressType: !If [DoEnableIPv6Support, dualstack, ipv4]
      Scheme: internet-facing
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
        - !Ref PublicSubnet3
        - !Ref PublicSubnet4
        - !Ref PublicSubnet5
        - !Ref PublicSubnet6
      SecurityGroups:
        - !Ref ALBSecurityGroup
      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: !If [EnableLoadBalancerAccessLogs, "true", "false"]
        - Key: access_logs.s3.bucket
          Value: !If [EnableLoadBalancerAccessLogs, !Ref AccessLogsBucket, ""]
        - Key: access_logs.s3.prefix
          Value: !If [EnableLoadBalancerAccessLogs, !Sub "${AWS::StackName}-ALB", ""]
      Tags:
        - Key: 'Stack'
          Value: !Ref 'AWS::StackName'

However, when EnableLoadBalancerAccessLogs is false, I'm running into this error:

The value of 'access_logs.s3.bucket' cannot be empty (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: ValidationError; Request ID: REDACTED; Proxy: null)

The condition EnableLoadBalancerAccessLogs was defined as follows:

EnableLoadBalancerAccessLogs: !Not [!Equals [AccessLogsBucket, ""]]

I've also tried some potential workarounds for LoadBalancerAttributes, like

      LoadBalancerAttributes:
        - Key: access_logs.s3.enabled
          Value: !If [EnableLoadBalancerAccessLogs, "true", "false"]
        - !If
          - EnableLoadBalancerAccessLogs
          - Key: access_logs.s3.bucket
            Value: !Ref AccessLogsBucket
          - !Ref AWS::NoValue
        - !If
          - EnableLoadBalancerAccessLogs
          - Key: access_logs.s3.prefix
            Value: !Sub "${AWS::StackName}-ALB"
          - !Ref AWS::NoValue

or

      LoadBalancerAttributes: !If
        - EnableLoadBalancerAccessLogs
        - - Key: access_logs.s3.enabled
            Value: "true"
          - Key: access_logs.s3.bucket
            Value: !Ref AccessLogsBucket
          - Key: access_logs.s3.prefix
            Value: !Sub "${AWS::StackName}-ALB"
        - !Ref AWS::NoValue

but none of them worked.

CloudFormation docs says

access_logs.s3.bucket - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.

Is this a bug in AWS API?

주제
관리 및 거버넌스네트워킹 및 콘텐츠 전송
태그
AWS CloudFormation탄력적 로드 밸런싱
언어
English
AWS-User-1495875
질문됨 2년 전1760회 조회
1개 답변
0

This is intended behavior from AWS. What you'll want to do is completely remove access_logs.s3.bucket as a property when not doing ALB logging as leaving the property empty will throw an error.

It looks like the nesting is weird, you may need to break out each property completely with using AWS::NoValue to ensure that if false, there is not an empty property. The bug you're seeing is because CloudFormation still has the access_logs.s3.bucket property somehow.

jsonc
답변함 2년 전
  • AWS-User-1495875
    2년 전

    Thanks @jsonc. Actually there was a bug in my template -- I forgot to call !Ref to get the parameter value. So instead of EnableLoadBalancerAccessLogs: !Not [!Equals [AccessLogsBucket, ""]], it should be EnableLoadBalancerAccessLogs: !Not [!Equals [!Ref AccessLogsBucket, ""]]

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠