MalformedPolicy: Invalid principal in policy
Hi, I need help. I got this error provisioning public-static-website (ap-southeast-3 region) using terraform-aws-service-catalog version 0.100.0:

```
module.cloudfront.module.access_logs[0].aws_s3_bucket_policy.bucket_policy[0]: Creating...
module.static_website.aws_s3_bucket_policy.website[0]: Modifying... [id=edo.xxxx.com]
module.static_website.aws_s3_bucket_policy.website[0]: Modifications complete after 0s [id=edo.xxxx.com]
module.cloudfront.module.access_logs[0].aws_s3_bucket_policy.bucket_policy[0]: Still creating... [10s elapsed]
module.cloudfront.module.access_logs[0].aws_s3_bucket_policy.bucket_policy[0]: Still creating... [20s elapsed]
module.cloudfront.module.access_logs[0].aws_s3_bucket_policy.bucket_policy[0]: Still creating... [30s elapsed]
module.cloudfront.module.access_logs[0].aws_s3_bucket_policy.bucket_policy[0]: Still creating... [40s elapsed]
module.cloudfront.module.access_logs[0].aws_s3_bucket_policy.bucket_policy[0]: Still creating... [50s elapsed]
╷
│ Error: Error putting S3 policy: MalformedPolicy: Invalid principal in policy
│ 	status code: 400, request id: 1SW2NGZYREGCX0YP, host id: u2nGs1sUcy3uxBIkhLr9Yu2gAkdd3ngTZmIsYUg9Mnctb5xer+Y9r2Dcig0IqQ35obzqSunQBjg=
│
│   with module.cloudfront.module.access_logs[0].aws_s3_bucket_policy.bucket_policy[0],
│   on .terraform/modules/cloudfront.access_logs/modules/private-s3-bucket/main.tf line 429, in resource "aws_s3_bucket_policy" "bucket_policy":
│  429: resource "aws_s3_bucket_policy" "bucket_policy" {
│
╵
ERRO[0086] 1 error occurred:
	* exit status 1
```

Details of the inputs:

```hcl
inputs = {
  restrict_bucket_access_to_cloudfront = true
  create_route53_entry                 = true
  base_domain_name                     = local.account_vars.locals.domain_name.name
  website_domain_name                  = "edo.${local.account_vars.locals.domain_name.name}"
  acm_certificate_domain_name          = "${local.account_vars.locals.domain_name.name}"
  security_header_content_security_policy = "default-src 'self'; base-uri 'self'; block-all-mixed-content; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self' blob:; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests"
  error_responses = {
    404 = {
      response_code         = 200
      response_page_path    = "index.html"
      error_caching_min_ttl = 10
    }
  }
  force_destroy = true
}
```

---

*[Tracked in ticket #109848](https://support.gruntwork.io/hc/requests/109848)* (2023-01-30)
Hi @andi-pangeran, As discussed in other replies, CloudFront doesn't deliver standard logs to buckets in some regions, and for those cases, you need to use `var.disable_logging` which is now exposed to module public-static-website on the service catalog as of v0.100.5: https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v0.100.5
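For readers hitting the same error, here is an added terragrunt example (not part of the original issue or the Gruntwork module code) that applies the fix described in the reply: pin the service catalog to v0.100.5 or later and set `disable_logging = true` so the module does not try to create the CloudFront access-logs bucket policy in a region where CloudFront cannot deliver standard logs. The module path under `modules/services/` and the `source` URL form are assumptions; the other inputs are those from the original report.

```hcl
# Assumed module path in terraform-aws-service-catalog; verify against the
# release you are using. The ref must be >= v0.100.5 for var.disable_logging
# to exist on public-static-website.
terraform {
  source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/public-static-website?ref=v0.100.5"
}

inputs = {
  restrict_bucket_access_to_cloudfront = true
  create_route53_entry                 = true
  base_domain_name                     = local.account_vars.locals.domain_name.name
  website_domain_name                  = "edo.${local.account_vars.locals.domain_name.name}"
  acm_certificate_domain_name          = "${local.account_vars.locals.domain_name.name}"

  # ap-southeast-3 is one of the regions where CloudFront does not deliver
  # standard logs to an S3 bucket, so the access_logs bucket policy fails with
  # "MalformedPolicy: Invalid principal in policy". Skip the logging bucket.
  disable_logging = true

  security_header_content_security_policy = "default-src 'self'; base-uri 'self'; block-all-mixed-content; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self' blob:; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests"

  error_responses = {
    404 = {
      response_code         = 200
      response_page_path    = "index.html"
      error_caching_min_ttl = 10
    }
  }

  force_destroy = true
}
```

Note that `disable_logging = true` means the distribution produces no CloudFront standard access logs at all, so requests to the site will not be visible in S3 for later review. If you need request-level visibility in such a region, you will have to obtain it another way (for example a logging destination CloudFront does support there) rather than relying on the module's access_logs bucket.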