I'm creating a CloudTrail trail using Terraform. The problem is that my source bucket keeps changing after 3 months. Now I want to give a dynamic S3 bucket value for field_selector. I'm doing something like this:
    resource "aws_cloudtrail" "test" {
      name                          = "test_trail"
      s3_bucket_name                = bucket.id   # log bucket (resource not shown in the question)
      enable_logging                = true
      include_global_service_events = true
      is_multi_region_trail         = true
      enable_log_file_validation    = true

      advanced_event_selector {
        name = "Log download event data"
        field_selector {
          field  = "eventCategory"
          equals = ["Data"]
        }
        field_selector {
          field  = "resources.type"
          equals = ["AWS::S3::Object"]
        }
        field_selector {
          field  = "eventName"
          equals = ["GetObject"]
        }
        field_selector {
          field = "resources.ARN"
          # the ARN reference is passed as a literal string here (the part that does not work)
          starts_with = ["aws_s3_bucket.sftp_file_upload_bucket.arn"]
        }
      }
    }
Here, I'm giving the ARN, but logs are not getting created this way; if I hard-code the bucket name, they are created.
CodePudding user response:
When you want to log the object events for a bucket, the ARN is not enough. As the AWS CLI documentation states [1]:
For example, if resources.type equals AWS::S3::Object, the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the StartsWith operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it.
So in your case you would have to fix the last field selector to:
    field_selector {
      field       = "resources.ARN"
      starts_with = ["${aws_s3_bucket.sftp_file_upload_bucket.arn}/"]
    }
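To show the fix above in context, here is a complete Terraform configuration (an added example, not code from either the question or the answer). It assumes an AWS provider in us-east-1, a caller-identity data source for the account id, and two buckets whose names are placeholders: sftp_file_upload_bucket (the bucket whose GetObject events are logged) and trail_logs (the bucket that receives the trail's log files). The log-bucket policy and the depends_on are included because a trail creation fails when CloudTrail cannot yet write to its log bucket, which is easy to confuse with the selector problem discussed here.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

data "aws_caller_identity" "current" {}

# Bucket whose object downloads should be logged (name is an assumption).
resource "aws_s3_bucket" "sftp_file_upload_bucket" {
  bucket = "example-sftp-upload-${data.aws_caller_identity.current.account_id}"
}

# Separate bucket that receives the trail's log files (name is an assumption).
resource "aws_s3_bucket" "trail_logs" {
  bucket = "example-cloudtrail-logs-${data.aws_caller_identity.current.account_id}"
}

# CloudTrail must be allowed to check the ACL of, and write into, the log bucket.
data "aws_iam_policy_document" "trail_logs" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail_logs.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  statement {
    sid       = "AWSCloudTrailWrite"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail_logs" {
  bucket = aws_s3_bucket.trail_logs.id
  policy = data.aws_iam_policy_document.trail_logs.json
}

resource "aws_cloudtrail" "test" {
  name                          = "test_trail"
  s3_bucket_name                = aws_s3_bucket.trail_logs.id
  enable_logging                = true
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true

  advanced_event_selector {
    name = "Log download event data"

    field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }
    field_selector {
      field  = "resources.type"
      equals = ["AWS::S3::Object"]
    }
    field_selector {
      field  = "eventName"
      equals = ["GetObject"]
    }
    field_selector {
      field = "resources.ARN"
      # The ARN is resolved from the bucket resource at plan time, so a replaced
      # bucket flows through without editing the trail. The trailing slash is
      # what makes the prefix match objects inside the bucket.
      starts_with = ["${aws_s3_bucket.sftp_file_upload_bucket.arn}/"]
    }
  }

  # The bucket policy must exist before the trail is created.
  depends_on = [aws_s3_bucket_policy.trail_logs]
}
```

After terraform apply, the selector can be checked with the AWS CLI (aws cloudtrail get-event-selectors --trail-name test_trail); the resources.ARN value shown there should end in the bucket ARN followed by a slash.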
CodePudding user response:
When using an attribute of a resource, you should either specify it like
"${aws_s3_bucket.sftp_file_upload_bucket.arn}"
or without quotes like
aws_s3_bucket.sftp_file_upload_bucket.arn
So, the correct version would be

    field_selector {
      field       = "resources.ARN"
      starts_with = [aws_s3_bucket.sftp_file_upload_bucket.arn]
    }