Difference between revisions of "Terraform resource: aws cloudtrail"
(9 intermediate revisions by the same user not shown)
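--- a/Terraform_resource:_aws_cloudtrail
+++ b/Terraform_resource:_aws_cloudtrail
@@ -1,4 +1,86 @@
 * https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail
+
+[[s3_bucket_name]]
+[[event_selector]]
+
+* https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#event_selector
+
+== Official examples ==
+* [[Enable CloudTrail to capture all compatible management events in region]]
+* [[Logging All Lambda Function Invocations By Using Basic Event Selectors]]: <code>[[AWS::Lambda::Function]]</code>
+* [[Logging All S3 Object Events By Using Basic Event Selectors]]
+
+
+
+resource "aws_cloudtrail" "example" {
+depends_on = [aws_s3_bucket_policy.example]
+
+name = "example"
+[[s3_bucket_name]] = aws_s3_bucket.example.id
+s3_key_prefix = "prefix"
+[[include_global_service_events]] = false
+}
+<pre>
+resource "aws_s3_bucket" "example" {
+bucket = "tf-test-trail"
+force_destroy = true
+}
+
+data "aws_iam_policy_document" "example" {
+statement {
+sid = "AWSCloudTrailAclCheck"
+effect = "Allow"
+
+principals {
+type = "Service"
+identifiers = ["cloudtrail.amazonaws.com"]
+}
+
+actions = ["s3:GetBucketAcl"]
+resources = [aws_s3_bucket.example.arn]
+condition {
+test = "StringEquals"
+variable = "aws:SourceArn"
+values = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/example"]
+}
+}
+
+statement {
+sid = "AWSCloudTrailWrite"
+effect = "Allow"
+
+principals {
+type = "Service"
+identifiers = ["cloudtrail.amazonaws.com"]
+}
+
+actions = ["s3:PutObject"]
+resources = ["${aws_s3_bucket.example.arn}/prefix/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
+
+condition {
+test = "StringEquals"
+variable = "s3:x-amz-acl"
+values = ["bucket-owner-full-control"]
+}
+condition {
+test = "StringEquals"
+variable = "aws:SourceArn"
+values = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/example"]
+}
+}
+}
+
+resource "aws_s3_bucket_policy" "example" {
+bucket = aws_s3_bucket.example.id
+policy = data.aws_iam_policy_document.example.json
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
+
+data "aws_region" "current" {}
+</pre>
 == Related ==
-* <code>[[aws cloudtrail]]</code>
+* <code>[[aws cloudtrail create-trail]]</code>
 == See also ==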
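Review bot: The added `resource "aws_cloudtrail" "example"` block sets `include_global_service_events = false` and leaves log-file validation off, so IAM/STS/CloudFront management events are not recorded and the delivered log files carry no integrity digest; for a trail meant as an audit source the example should read `include_global_service_events = true`, `is_multi_region_trail = true` and `enable_log_file_validation = true`. The two `aws:SourceArn` conditions in the bucket policy are the right confused-deputy guard and should stay, but they pin the trail name `example`, so renaming the trail silently breaks delivery until both ARNs are updated; a comment saying so next to `name = "example"` would help. `force_destroy = true` on the log bucket lets `terraform destroy` wipe the whole audit history and belongs only in a throw-away test setup, which the page should state next to that line.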
Latest revision as of 15:39, 24 September 2024
s3_bucket_name event_selector
Official examples
- Enable CloudTrail to capture all compatible management events in region
- Logging All Lambda Function Invocations By Using Basic Event Selectors:
AWS::Lambda::Function
- Logging All S3 Object Events By Using Basic Event Selectors
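# CloudTrail trail that delivers log files to the S3 bucket declared below.
resource "aws_cloudtrail" "example" {
  # Creating a trail fails with InsufficientS3BucketPolicyException when
  # CloudTrail cannot yet write to the bucket, so the bucket policy must be
  # applied before this resource; the explicit depends_on enforces that order.
  depends_on = [aws_s3_bucket_policy.example]

  # The bucket policy's aws:SourceArn conditions hard-code "trail/example".
  # If this name changes, both ARNs in the policy must be updated as well.
  name           = "example"
  s3_bucket_name = aws_s3_bucket.example.id
  # Must match the "/prefix/AWSLogs/..." path granted by the bucket policy.
  s3_key_prefix = "prefix"

  # Hardening over the registry example (which sets
  # include_global_service_events = false):
  #  - record global-service management events (IAM, STS, CloudFront)
  #  - log every region, so activity in an otherwise unused region is captured
  #  - deliver digest files so tampering with or deletion of log files can be
  #    detected with `aws cloudtrail validate-logs`
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true

  # Consider kms_key_id for SSE-KMS on delivered log files; omitted here so the
  # example stays self-contained.
}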
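# Bucket that receives the trail's log files. Bucket names are global; replace
# "tf-test-trail" with a name unique to your account.
resource "aws_s3_bucket" "example" {
  bucket = "tf-test-trail"

  # force_destroy lets `terraform destroy` remove the bucket together with every
  # log object in it. Fine for a throw-away test; for a real audit trail set it
  # to false, since wiping the log bucket is a classic anti-forensics step and an
  # accidental destroy would erase the history.
  force_destroy = true
}

# Keep the log bucket private regardless of ACLs or later policy edits.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy granting the CloudTrail service principal exactly the two
# permissions it needs. Every statement is tied to this account's trail through
# aws:SourceArn, so a trail in another account cannot be pointed at this bucket
# (confused-deputy guard).
data "aws_iam_policy_document" "example" {
  # CloudTrail reads the bucket ACL before it starts delivering.
  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.example.arn]

    # The trail name ("example") is fixed here because the trail resource cannot
    # be referenced: it depends on this policy, which would form a cycle.
    # Renaming the trail requires updating this ARN and the one below.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/example"]
    }
  }

  # Write access is limited to this account's log path under the trail's
  # s3_key_prefix ("prefix"); the two values must stay in sync.
  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.example.arn}/prefix/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]

    # Objects must be written with bucket-owner-full-control so the bucket
    # owner, not the CloudTrail service, owns the delivered files.
    # NOTE(review): with Object Ownership = BucketOwnerEnforced ACLs are
    # disabled; confirm whether this condition is still wanted in that mode.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/example"]
    }
  }
}

# Attaches the policy above; the trail's depends_on points at this resource.
resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id
  policy = data.aws_iam_policy_document.example.json
}

# Account, partition and region are resolved at plan time so the policy works
# unchanged in any account, region or partition (aws, aws-cn, aws-us-gov).
data "aws_caller_identity" "current" {}

data "aws_partition" "current" {}

data "aws_region" "current" {}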
Related
See also