Feature Request: Support CloudTrail EventSelectors #887
Comments
So, how exactly would this look? Something like this perhaps?

```hcl
resource "aws_cloudtrail" "cloudtrail" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "${aws_s3_bucket.foo.id}"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false

  event_selectors { # max 5
    data_resources            = ["arn:aws:s3:::bucket-1"] # max 250
    include_management_events = true
    read_write_type           = "ReadOnly"
  }
}
```

Another option is a separate resource, e.g.:

```hcl
resource "aws_cloudtrail" "cloudtrail" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "${aws_s3_bucket.foo.id}"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
}

resource "aws_event_selector" "foo_bucket_events" {
  trail_name                = "${aws_cloudtrail.cloudtrail.name}"
  data_resources            = ["arn:aws:s3:::bucket-1"] # max 250
  include_management_events = true
  read_write_type           = "ReadOnly"
}
```

Or maybe both? I'd like to give it a shot, but I need to know how it would be best implemented.
I need this too. I think the first version you showed would suffice, @erikvanbrakel -- adding both would be even nicer but I don't think it's necessary for a first iteration. I don't think
I need this as well for compliance. My ideal solution would be on the aws_s3_bucket resource.

```hcl
resource "aws_s3_bucket" "super_secrete_bucket" {
```

Disabled would be []
I need this also for triggering a Lambda function from an object-level event via Event Bus (hence the need for the events to be in CloudTrail).
I've started some implementation based on the first suggestion by @erikvanbrakel. I hope to finish the PR by next week.
We need this to be implemented, what time is it?
Sorry for the delay here, we have quite a large backlog at the moment we're working through. There is currently an open PR for this functionality: #2258 I cannot guarantee a timeline for reviewing and accepting the PR, however I can tell you that it will likely not be looked at least until after we release a bugfix v1.7.1 of the provider, hopefully this week.
@bflad @radeksimko Great to see more transparency in the release process!
Hi, I've just come across a need for this also. Any further update? Thanks.
Hi guys, do you have any further update regarding this?
Hi folks, Therefore it's more helpful for everyone to use reactions as we can then sort issues by the number of 👍 : The 👍 reactions do count and we're more than happy for people to use those and prefer them over "+1" comments for the mentioned reasons. Thanks.
Support for this feature has been merged into master via #2258 and will be released in v1.10.0 of the AWS provider, likely at the end of this week. Thanks for your patience!
This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
Is there a way to define the event selector as a separate resource? I would like to add the data event configuration for specific buckets when creating the bucket. As there is a CloudTrail created by another template I would like to reuse this (via the remote_state data source) instead of creating a new trail.
@JonasSaegesser not at the moment, but it's probably worth noting that CloudTrail only lets you implement 5 event selectors (with up to 250 resources total across them). If it makes sense for your situation, it's possible to log all S3 bucket object operations in an account via:

```hcl
resource "aws_cloudtrail" "example" {
  # ... other configuration ...

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }
  }
}
```

I just merged an additional documentation PR (will release with v1.12.0 of the AWS provider next week) to help clarify some of the use cases: #3745 Also depending on your use case, it might make sense for something like a You may want to ask the terraform-tool Google Group or create a new issue so it gets more visibility than commenting on a closed PR though. 😄
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
What
When setting up CloudTrail, if you want to track events on specific S3 objects (rather than just bucket-level events) you need to set up Data Events (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-data-events).
There is an API for this (http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html), however the docs don't appear to list any way to add these selectors in Terraform.
Why
In higher compliance regimens (e.g. working with financial data) it may be necessary to log every action that takes place on a particular file for auditing purposes. This is especially true if the file has sensitive information in it.
Additional Info
Please also enforce limits in Terraform on the number of selectors per CloudTrail log. Deeply buried in the AWS documentation it says you can only have 5 selectors per CloudTrail (http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html).
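As an added example, not code from the provider or from anyone in this thread: a small Python check that applies the limits discussed here (5 event selectors per trail, 250 data resources across them) and the read_write_type and data_resource type values from the PutEventSelectors API before building the request body. The sample selector and trail name are constructed.

```python
# Added example (not provider or commenter code): validate CloudTrail event
# selectors against the limits named in this thread and build the body of a
# PutEventSelectors call. Sample selectors below are constructed.
MAX_SELECTORS = 5          # event selectors per trail
MAX_DATA_RESOURCES = 250   # data resource values, total across all selectors
READ_WRITE_TYPES = {"ReadOnly", "WriteOnly", "All"}
DATA_RESOURCE_TYPES = {"AWS::S3::Object", "AWS::Lambda::Function"}

def validate_event_selectors(selectors):
    """Return a list of problems; an empty list means the API limits are met."""
    problems = []
    if len(selectors) > MAX_SELECTORS:
        problems.append(f"{len(selectors)} selectors exceeds the limit of {MAX_SELECTORS}")
    total = 0
    for i, sel in enumerate(selectors):
        rwt = sel.get("read_write_type", "All")
        if rwt not in READ_WRITE_TYPES:
            problems.append(f"selector {i}: invalid read_write_type {rwt!r}")
        for dr in sel.get("data_resources", []):
            if dr.get("type") not in DATA_RESOURCE_TYPES:
                problems.append(f"selector {i}: invalid data_resource type {dr.get('type')!r}")
            if not dr.get("values"):
                problems.append(f"selector {i}: data_resource has no values")
            total += len(dr.get("values", []))
    if total > MAX_DATA_RESOURCES:
        problems.append(f"{total} data resources exceeds the limit of {MAX_DATA_RESOURCES}")
    return problems

def build_put_event_selectors(trail_name, selectors):
    """Map HCL-style selector dicts to the PutEventSelectors request shape."""
    problems = validate_event_selectors(selectors)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "TrailName": trail_name,
        "EventSelectors": [{
            "ReadWriteType": sel.get("read_write_type", "All"),
            "IncludeManagementEvents": sel.get("include_management_events", True),
            "DataResources": [{"Type": dr["type"], "Values": list(dr["values"])}
                              for dr in sel.get("data_resources", [])],
        } for sel in selectors],
    }

# Constructed sample: read-only object events for one bucket, as in the thread.
SAMPLE_SELECTORS = [{
    "read_write_type": "ReadOnly", "include_management_events": True,
    "data_resources": [{"type": "AWS::S3::Object", "values": ["arn:aws:s3:::bucket-1/"]}],
}]
```

Running `build_put_event_selectors("tf-trail-foobar", SAMPLE_SELECTORS)` gives the dict a boto3 `put_event_selectors(**body)` call would accept; a sixth selector or a 251st data resource raises ValueError before any API call is made.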