stackoom
  简体   繁体   中英

Cloudtrail using terraform

 原文  2022-10-07 13:27:56       amazon-web-services/ amazon-s3/ terraform/ terraform-provider-aws/ amazon-cloudtrail

Question

I'm creating a cloudtrail using terraform. The problem is my source bucket keeps changing after 3 months. Now I want to give the dynamic S3 bucket value for field_selector. I'm doing something like this:

    resource "aws_cloudtrail" "test" {
        name = "test_trail"
        s3_bucket_name = bucket.id
        enable_logging = true
        include_global_service_events = true
        is_multi_region_trail = true
        enable_log_file_validation = true
    
        advanced_event_selector {
          name = "Log download event data"
          field_selector {
            field = "eventCategory"
            equals = ["Data"]
          }
          field_selector {
            field = "resources.type"
            equals = ["AWS::S3::Object"]
          }
          field_selector {
            field = "eventName"
            equals = ["GetObject"]
          }
          field_selector {
            field = "resources.ARN"
            **starts_with = ["aws_s3_bucket.sftp_file_upload_bucket.arn"]**
          }
        }

Here, I'm giving the arn but logs are not getting created this way but if I hard code the bucket name it's getting created.

2 answers

solution1
 1  2022-10-07 14:39:56

When you want to log the object events for a bucket, the ARN is not enough. As the AWS CLI documentation states [1]:

For example, if resources.type equals AWS::S3::Object, the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the StartsWith operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it.

So in your case you would have to fix the last field selector to:

field_selector {
  field = "resources.ARN"
  starts_with = ["${aws_s3_bucket.sftp_file_upload_bucket.arn}/"]
}

[1] https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/put-event-selectors.html#id11

solution2
 1  2022-10-09 18:07:57

when using an attribute of a resource you should either specify it like

"${aws_s3_bucket.sftp_file_upload_bucket.arn}"

or without quotes like

aws_s3_bucket.sftp_file_upload_bucket.arn

so, the correct version would be

      field_selector {
        field = "resources.ARN"
        starts_with = [aws_s3_bucket.sftp_file_upload_bucket.arn]
      }

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Filter output of cloudtrail logs obtained using get_object from S3 Extract key values from CloudTrail Lookup-Events from AWS-CLI using jq Using terraform output in kitchen terraform tests Initial setup of terraform backend using terraform Set functionTimeout using terraform Need to create 3 ILB using terraform Using Terraform Provider in aws module Issue with Terraform apply [using CodePipeline] AWS Codepipeline using namespaces in Terraform terraform multiple NSG using csv
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM