Difference between revisions of "Terraform resource: aws cloudtrail"

 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
* https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail
 
* https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail
 +
 +
[[s3_bucket_name]]
 +
[[event_selector]]
 +
 +
* https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#event_selector
 +
 +
== Official examples ==
 +
* [[Enable CloudTrail to capture all compatible management events in region]]
 +
* [[Logging All Lambda Function Invocations By Using Basic Event Selectors]]: <code>[[AWS::Lambda::Function]]</code>
 +
* [[Logging All S3 Object Events By Using Basic Event Selectors]]
 +
 +
 +
 +
resource "aws_cloudtrail" "example" {
 +
  depends_on = [aws_s3_bucket_policy.example]
 +
 +
  name                          = "example"
 +
  [[s3_bucket_name]]                = aws_s3_bucket.example.id
 +
  s3_key_prefix                = "prefix"
 +
  [[include_global_service_events]] = false
 +
}
 +
<pre>
 +
resource "aws_s3_bucket" "example" {
 +
  bucket        = "tf-test-trail"
 +
  force_destroy = true
 +
}
 +
 +
data "aws_iam_policy_document" "example" {
 +
  statement {
 +
    sid    = "AWSCloudTrailAclCheck"
 +
    effect = "Allow"
 +
 +
    principals {
 +
      type        = "Service"
 +
      identifiers = ["cloudtrail.amazonaws.com"]
 +
    }
 +
 +
    actions  = ["s3:GetBucketAcl"]
 +
    resources = [aws_s3_bucket.example.arn]
 +
    condition {
 +
      test    = "StringEquals"
 +
      variable = "aws:SourceArn"
 +
      values  = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/example"]
 +
    }
 +
  }
 +
 +
  statement {
 +
    sid    = "AWSCloudTrailWrite"
 +
    effect = "Allow"
 +
 +
    principals {
 +
      type        = "Service"
 +
      identifiers = ["cloudtrail.amazonaws.com"]
 +
    }
 +
 +
    actions  = ["s3:PutObject"]
 +
    resources = ["${aws_s3_bucket.example.arn}/prefix/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
 +
 +
    condition {
 +
      test    = "StringEquals"
 +
      variable = "s3:x-amz-acl"
 +
      values  = ["bucket-owner-full-control"]
 +
    }
 +
    condition {
 +
      test    = "StringEquals"
 +
      variable = "aws:SourceArn"
 +
      values  = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/example"]
 +
    }
 +
  }
 +
}
 +
 +
resource "aws_s3_bucket_policy" "example" {
 +
  bucket = aws_s3_bucket.example.id
 +
  policy = data.aws_iam_policy_document.example.json
 +
}
 +
 +
data "aws_caller_identity" "current" {}
 +
 +
data "aws_partition" "current" {}
 +
 +
data "aws_region" "current" {}
 +
</pre>
  
 
== Related ==
 
== Related ==
* <code>[[aws cloudtrail]]</code>
+
* <code>[[aws cloudtrail create-trail]]</code>
  
 
== See also ==
 
== See also ==
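Review bot: The Terraform example added in this revision sets `include_global_service_events = false` in the `aws_cloudtrail` block and `force_destroy = true` on the `aws_s3_bucket`, which makes it a poor template for an audit trail: IAM, STS and CloudFront activity is not recorded at all, and `terraform destroy` will delete the delivered log files together with the stack. For anything beyond a throwaway test the trail should carry `include_global_service_events = true` and `enable_log_file_validation = true`, and the bucket should drop `force_destroy = true`. The copied bucket policy itself is sound: both statements restrict the `cloudtrail.amazonaws.com` principal to this trail's ARN via `aws:SourceArn`, which is the confused-deputy guard AWS recommends. The trail name `example` is hard-coded inside that ARN, so a note such as `# keep in sync with aws_cloudtrail.example.name` on the policy would save the next reader from a silent log-delivery failure after a rename.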

Latest revision as of 15:39, 24 September 2024

s3_bucket_name
event_selector

Official examples


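# Trail that delivers management-event logs to the S3 bucket defined below.
# depends_on forces the bucket policy to be applied first: CloudTrail checks
# that it can write to the bucket when the trail is created.
resource "aws_cloudtrail" "example" {
  depends_on = [aws_s3_bucket_policy.example]

  name           = "example"
  s3_bucket_name = aws_s3_bucket.example.id
  # Must match the key prefix allowed by the bucket policy's PutObject
  # statement (".../prefix/AWSLogs/<account-id>/*").
  s3_key_prefix = "prefix"

  # Record events from global services (IAM, STS, CloudFront). The upstream
  # example sets this to false, which leaves IAM changes and STS token use
  # unlogged -- not acceptable for an audit trail.
  include_global_service_events = true
  # Capture activity in every region, not only the provider's home region,
  # so an attacker operating in an unused region is still logged.
  is_multi_region_trail = true
  # Deliver SHA-256 digest files alongside the logs so tampering with or
  # deletion of delivered files can be detected (aws cloudtrail validate-logs).
  enable_log_file_validation = true
  # NOTE(review): consider kms_key_id for SSE-KMS on the delivered logs; it is
  # omitted here because it needs a CMK whose key policy grants CloudTrail.
}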
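# Destination bucket for the trail's log files.
resource "aws_s3_bucket" "example" {
  # NOTE(review): bucket names are global; "tf-test-trail" is the upstream
  # example's name and will collide with any other account using it.
  bucket = "tf-test-trail"
  # With false, `terraform destroy` refuses to remove a non-empty bucket, so
  # delivered audit logs are not wiped together with the stack. The upstream
  # example uses true, which is only appropriate for disposable test setups.
  force_destroy = false
}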

# Bucket policy for the log bucket. Both statements grant the CloudTrail
# service principal only what it needs and pin each grant to this trail's ARN
# via aws:SourceArn, so a trail in another account cannot be pointed at this
# bucket (confused-deputy guard).
data "aws_iam_policy_document" "example" {
  # Lets CloudTrail read the bucket ACL (s3:GetBucketAcl) on the bucket itself.
  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.example.arn]
    # The trail name "example" is hard-coded here; keep it in sync with
    # aws_cloudtrail.example.name or log delivery will be denied.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/example"]
    }
  }

  # Log delivery, limited to this account's path under the trail's
  # s3_key_prefix ("prefix"); the "/prefix/" segment must match that setting.
  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.example.arn}/prefix/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]

    # Only accept objects written with the bucket-owner-full-control ACL, so
    # the bucket owner can read what the service principal delivers.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    # Same trail pin as the ACL-check statement above.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/example"]
    }
  }
}

# Attaches the rendered policy document to the log bucket. The trail's
# depends_on points at this resource so the policy is in place first.
resource "aws_s3_bucket_policy" "example" {
  policy = data.aws_iam_policy_document.example.json
  bucket = aws_s3_bucket.example.id
}

# Account ID of the credentials Terraform runs with; used in the policy ARNs.
data "aws_caller_identity" "current" {}

# Partition prefix for the trail ARN (e.g. "aws") instead of hard-coding it.
data "aws_partition" "current" {}

# Region the provider is configured for; the trail ARN is region-scoped.
data "aws_region" "current" {}

Related

See also
