
I’m creating a CloudTrail trail using Terraform. The problem is that my source bucket keeps changing after 3 months. Now I want to give a dynamic S3 bucket value for field_selector.
I’m doing something like this:

    resource "aws_cloudtrail" "test" {
        name = "test_trail"
        s3_bucket_name = bucket.id
        enable_logging = true
        include_global_service_events = true
        is_multi_region_trail = true
        enable_log_file_validation = true

        advanced_event_selector {
          name = "Log download event data"
          field_selector {
            field = "eventCategory"
            equals = ["Data"]
          }
          field_selector {
            field = "resources.type"
            equals = ["AWS::S3::Object"]
          }
          field_selector {
            field = "eventName"
            equals = ["GetObject"]
          }
          field_selector {
            field = "resources.ARN"
            starts_with = ["aws_s3_bucket.sftp_file_upload_bucket.arn"]
          }
        }
    }

Here I’m giving the ARN, but logs are not getting created this way; if I hard-code the bucket name, they are created.

2 Answers


  1. When you want to log the object events for a bucket, the ARN is not enough. As the AWS CLI documentation states [1]:

    For example, if resources.type equals AWS::S3::Object, the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the StartsWith operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it.

    So in your case you would have to fix the last field selector to:

    field_selector {
      field = "resources.ARN"
      starts_with = ["${aws_s3_bucket.sftp_file_upload_bucket.arn}/"]
    }
    

    [1] https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/put-event-selectors.html#id11

  2. When using an attribute of a resource, you should either specify it like

    "${aws_s3_bucket.sftp_file_upload_bucket.arn}"

    or without quotes like

    aws_s3_bucket.sftp_file_upload_bucket.arn

    So the correct version would be:

          field_selector {
            field = "resources.ARN"
            starts_with = [aws_s3_bucket.sftp_file_upload_bucket.arn]
          }
    
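Putting the two answers together, as an added example that is not code from the question or from either answer: the trail with the interpolated bucket ARN and the trailing slash the CloudTrail docs require, plus the log-bucket policy CloudTrail needs before it will deliver any files (without it `terraform apply` fails on the trail). The bucket name is a constructed placeholder, and `aws_s3_bucket.sftp_file_upload_bucket` is assumed to be declared elsewhere, as in the question.

```hcl
data "aws_caller_identity" "current" {}
resource "aws_s3_bucket" "trail_logs" {
  bucket = "example-cloudtrail-logs-bucket" # constructed placeholder name
}

# CloudTrail refuses a log bucket that does not grant it GetBucketAcl and PutObject.
resource "aws_s3_bucket_policy" "trail_logs" {
  bucket = aws_s3_bucket.trail_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Principal = { Service = "cloudtrail.amazonaws.com" },
        Action = "s3:GetBucketAcl", Resource = aws_s3_bucket.trail_logs.arn },
      { Effect = "Allow", Principal = { Service = "cloudtrail.amazonaws.com" },
        Action    = "s3:PutObject",
        Resource  = "${aws_s3_bucket.trail_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } } }
    ]
  })
}

resource "aws_cloudtrail" "test" {
  name                          = "test_trail"
  s3_bucket_name                = aws_s3_bucket.trail_logs.id
  enable_logging                = true
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true
  depends_on                    = [aws_s3_bucket_policy.trail_logs] # policy must exist first

  advanced_event_selector {
    name = "Log download event data"
    field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }
    field_selector {
      field  = "resources.type"
      equals = ["AWS::S3::Object"]
    }
    field_selector {
      field  = "eventName"
      equals = ["GetObject"]
    }
    field_selector {
      field = "resources.ARN"
      # Interpolated bucket ARN plus the trailing slash StartsWith requires.
      starts_with = ["${aws_s3_bucket.sftp_file_upload_bucket.arn}/"]
    }
  }
}
```

Because the selector is evaluated against the live ARN, the trail keeps logging GetObject events when the upload bucket is replaced, as long as the Terraform reference points at the new bucket.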