Terraform AWS CloudTrail 配置失敗
[英]Terraform AWS CloudTrail configurations fails
問題描述
我正在嘗試使用 terraform 配置 AWS CloudTrail,但在 CloudWatch 集成方面仍然失敗。 有人在某處看到錯誤嗎?
Terraform CLI 和 Terraform AWS 提供商版本
Terraform v0.13.5
- provider registry.terraform.io/hashicorp/aws v3.15.0
受影響的資源
- aws_cloudtrail
Terraform 配置文件
# Mendatory VARs
env
aws_region
access_key
secret_key
# Configure the AWS Provider
provider "aws" {
version = ">= 3.7.0"
region = var.aws_region
access_key = var.access_key
secret_key = var.secret_key
}
# Terraform backend to store current running configuration
terraform {
backend "remote" {
hostname = "app.terraform.io"
organization = "some_org"
workspaces {
name = "some_workspace"
}
}
}
resource "aws_cloudwatch_log_group" "backuping_cloudwatch_log_group" {
name = "backuping-${var.env}-cloudwatch-log_group"
tags = {
Name = "Cloudwatch for backuping CloudTrail"
Environment = var.env
}
depends_on = [aws_s3_bucket.bucket]
}
resource "aws_cloudwatch_log_stream" "backuping_cloudwatch_log_stream" {
log_group_name = aws_cloudwatch_log_group.backuping_cloudwatch_log_group.id
name = "backuping-${var.env}-cloudwatch-log_stream"
depends_on = [aws_cloudwatch_log_group.backuping_cloudwatch_log_group]
}
resource "aws_iam_policy" "backuping_cloudtrail_cloudwatch_policy" {
name = "backuping-${var.env}-cloudtrail_cloudwatch_policy"
description = "Policy to enable ClodTrail logging into CloudWatch on ${var.env}"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream2014110${var.env}",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream"
],
"Resource": [
"${aws_cloudwatch_log_stream.backuping_cloudwatch_log_stream.arn}*"
]
},
{
"Sid": "AWSCloudTrailPutLogEvents20141101${var.env}",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"${aws_cloudwatch_log_stream.backuping_cloudwatch_log_stream.arn}*"
]
}
]
}
POLICY
depends_on = [aws_cloudwatch_log_stream.backuping_cloudwatch_log_stream]
}
resource "aws_iam_role" "backuping_cloudtrail_cloudwatch_role" {
name = "backuping-${var.env}-cloudtrail_cloudwatch_role"
path = "/service-role/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
tags = {
Name = "IAM Role for CloudTrail logging into CloudWatch"
Environment = var.env
}
depends_on = [aws_iam_policy.backuping_cloudtrail_cloudwatch_policy]
}
resource "aws_iam_role_policy_attachment" "backuping_cloudtrail_cloudwatch_role_policy_attachement" {
role = aws_iam_role.backuping_cloudtrail_cloudwatch_role.name
policy_arn = aws_iam_policy.backuping_cloudtrail_cloudwatch_policy.arn
depends_on = [aws_iam_role.backuping_cloudtrail_cloudwatch_role]
}
data "aws_caller_identity" "current" {}
locals {
backuping_logs_bucket_name = "backuping-${var.env}-logs"
}
resource "aws_s3_bucket" "backuping_logs_bucket" {
bucket = local.backuping_logs_bucket_name
acl = "private"
force_destroy = true
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::${local.backuping_logs_bucket_name}"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${local.backuping_logs_bucket_name}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
POLICY
tags = {
Name = "Bucket for backuping logs"
Environment = var.env
}
}
resource "aws_s3_bucket_public_access_block" "s3_logs_bucket_public_access" {
bucket = aws_s3_bucket.backuping_logs_bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_cloudtrail" "backuping_cloudtrail" {
name = "backuping-${var.env}-cloudtrail"
s3_bucket_name = aws_s3_bucket.backuping_logs_bucket.id
is_multi_region_trail = true
enable_log_file_validation = true
event_selector {
read_write_type = "All"
include_management_events = false
data_resource {
type = "AWS::S3::Object"
# Make sure to append a trailing '/' to your ARN if you want
# to monitor all objects in a bucket.
values = ["arn:aws:s3"]
}
}
tags = {
Name = "CloudTrail for backuping events"
Environment = var.env
}
cloud_watch_logs_role_arn = aws_iam_role.backuping_cloudtrail_cloudwatch_role.arn
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.backuping_cloudwatch_log_group.arn}:*"
depends_on = [
aws_iam_role_policy_attachment.backuping_cloudtrail_cloudwatch_role_policy_attachement,
aws_s3_bucket.backuping_logs_bucket
]
}
調試輸出
[DEBUG] plugin.terraform-provider-aws_v3.15.0_x5: 2020/11/17 17:02:38
[DEBUG] [aws-sdk-go] DEBUG: Validate Response cloudtrail/CreateTrail failed, attempt 0/25, error InvalidCloudWatchLogsLogGroupArnException: Access denied. Check the permissions for your role.
預期行為
這應該創建 AWS CloudTrail 登錄到 S3 存儲桶並將日志發送到 CloudWatch
實際行為
S3 存儲桶沒問題,但 Cloudwatch 添加失敗並顯示InvalidCloudWatchLogsLogGroupArnException: Access denied. Check the permissions for your role InvalidCloudWatchLogsLogGroupArnException: Access denied. Check the permissions for your role 。 在沒有 CloudWatch 的情況下創建 Trail 時,一切正常。 也可以通過 AWS 控制台為現有跟蹤配置 CloudWatch。 如果我將通過 AWS 控制台創建的所有權限和角色與使用 Terraform 手動創建的權限和角色進行比較,它們是相同的,但 Terraform 以錯誤結束。 此外,使用 AWS 控制台將 CloudWatch 添加到跟蹤中,並使用現有的backuping_cloudtrail_cloudwatch_role和現有的backuping_cloudwatch_log_group效果很好。 相應的策略會自動創建並且日志記錄工作正常。 所以除了角色策略之外的所有步驟都有效。
重現步驟
terraform apply
1 個解決方案
解決方案1
1 2021-06-29 12:14:40
如果您仍然需要解決這個問題,我有一個類似的配置,並且遇到了同樣的問題。 問題在於CloudTrail 的命名約定。 日志流的名稱必須采用account_ID_CloudTrail_source_region格式。 我所做的是將日志流的名稱更改為
resource "aws_cloudwatch_log_stream" "test" {
name = "${data.aws_caller_identity.current.account_id}_CloudTrail_${data.aws_region.current.name}"
log_group_name = aws_cloudwatch_log_group.test.name
}
使用 caller_identity 和 aws_region 數據源:
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
問題是 CloudTrail 在策略中(盡管我們的配置)或在嘗試查找日志流時強制使用傳統名稱,並且由於名稱不相等,您會收到InvalidCloudWatchLogsLogGroupArnException錯誤。
Terraform 中 S3 存儲桶的 AWS Cloudtrail 事件
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.