Revert "Revert "[u] Fix: S3 server access logs are inherently incompl…

…ete (#5043, PR #5230)"" This reverts commit 75a01ee.
DataBiosphere · Jun 8, 2023 · df27ec5 · df27ec5
1 parent 629fe05
commit df27ec5
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/UPGRADING.rst b/UPGRADING.rst
@@ -103,6 +103,16 @@ a deployment just before pushing the merge commit to the GitLab instance in that
 deployment.
 
 
+#5043 S3 server access logs are inherently incomplete
+=====================================================
+
+Operator
+~~~~~~~~
+
+Manually deploy the ``shared`` component of any main deployment just before
+pushing the merge commit to the GitLab instance in that deployment.
+
+
 #5133 Trigger an alarm on absence of logs
 =========================================
 

diff --git a/terraform/shared/shared.tf.json.template.py b/terraform/shared/shared.tf.json.template.py
@@ -373,7 +373,15 @@ def conformance_pack(name: str) -> str:
                 'enable_log_file_validation': True,
                 'is_multi_region_trail': True,
                 'cloud_watch_logs_group_arn': '${aws_cloudwatch_log_group.trail.arn}:*',
-                'cloud_watch_logs_role_arn': '${aws_iam_role.trail.arn}'
+                'cloud_watch_logs_role_arn': '${aws_iam_role.trail.arn}',
+                'event_selector': {
+                    'read_write_type': 'All',
+                    'include_management_events': True,
+                    'data_resource': {
+                        'type': 'AWS::S3::Object',
+                        'values': ['arn:aws:s3']
+                    }
+                }
             }
         },
         'aws_cloudwatch_log_group': {