When setting up CloudTrail, if you want to track events on specific S3 objects (rather than just bucket-level events) you need to set up Data Events (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-data-events).
There is an API for this (http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html); however, the docs don't appear to list any way to add these selectors in Terraform.
In higher compliance regimes (e.g. working with financial data) it may be necessary to log _every_ action that takes place on a particular file for auditing purposes. This is especially true if the file has sensitive information in it.
Please also enforce limits in Terraform on the number of selectors per CloudTrail trail. Deeply buried in the AWS documentation it says you can only have 5 selectors per trail (http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html).
So, how exactly would this look? Something like this perhaps?
```hcl
resource "aws_cloudtrail" "cloudtrail" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "${aws_s3_bucket.foo.id}"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false

  event_selectors { # max 5
    data_resources            = ["arn:aws:s3:::bucket-1"] # max 250
    include_management_events = true
    read_write_type           = "ReadOnly"
  }
}
```
Another option is a separate resource, e.g.:
```hcl
resource "aws_cloudtrail" "cloudtrail" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "${aws_s3_bucket.foo.id}"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
}

resource "aws_event_selector" "foo_bucket_events" {
  trail_name                = "${aws_cloudtrail.cloudtrail.name}"
  data_resources            = ["arn:aws:s3:::bucket-1"] # max 250
  include_management_events = true
  read_write_type           = "ReadOnly"
}
```
Or maybe both? I'd like to give it a shot, but I need to know how it would be best implemented.
I need this too. I think the first version you showed would suffice, @erikvanbrakel -- adding both would be even nicer, but I don't think it's necessary for a first iteration. I don't think include_management_events makes sense there, though. My understanding is that management events are separate from the concept of S3 data events, and that this is in fact already implemented in include_global_service_events; i.e. I think "global service events" == "management events".
I need this as well for compliance. My ideal solution would be on the aws_s3_bucket resource.
```hcl
resource "aws_s3_bucket" "super_secrete_bucket" {
  bucket                   = "secrete_bucket"
  cloudtrail_event_logging = ["read", "write"]
}
```
Disabled would be [].
I need this also for triggering a Lambda function from an object-level event via Event Bus (hence the need for the events to be in CloudTrail).
I've started some implementation based on the first suggestion by @erikvanbrakel. I hope to finish the PR by next week.
We need this to be implemented. What is the timeline?
Sorry for the delay here, we have quite a large backlog at the moment we're working through. There is currently an open PR for this functionality: #2258
I cannot guarantee a timeline for reviewing and accepting the PR; however, I can tell you that it will likely not be looked at until at least after we release a bugfix v1.7.1 of the provider, hopefully this week.
@bflad @radeksimko Great to see more transparency in the release process!
Hi, I've just come across a need for this also. Any further update? Thanks.
Hi guys, do you have any further update regarding this?
Waiting for this feature.
Thanks!
Hi folks,
we do appreciate the +1's if these don't generate notifications.
Therefore it's more helpful for everyone to use reactions, as we can then sort issues by the number of 👍:
https://github.com/hashicorp/terraform/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc+label%3Aprovider%2Faws
The 👍 _reactions_ do count and we're more than happy for people to use those, and prefer them over "+1" comments for the reasons mentioned.
Thanks.
Support for this feature has been merged into master via #2258 and will be released in v1.10.0 of the AWS provider, likely at the end of this week. Thanks for your patience!
This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
Is there a way to define the event selector as a separate resource? I would like to add the data event configuration for specific buckets when creating the bucket. As there is a CloudTrail trail created by another template, I would like to reuse it (via the remote_state data source) instead of creating a new trail.
I did not find anything in the doc on how to do this.
@JonasSaegesser not at the moment, but it's probably worth noting that CloudTrail only lets you implement 5 event selectors (with up to 250 resources total across them).
If it makes sense for your situation, it's possible to log all S3 bucket object operations in an account via:
```hcl
resource "aws_cloudtrail" "example" {
  # ... other configuration ...

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }
  }
}
```
I just merged an additional documentation PR (will release with v1.12.0 of the AWS provider next week) to help clarify some of the use cases: #3745
Also, depending on your use case, it might make sense for something like an aws_s3_buckets (plural) data source.
You may want to ask the terraform-tool Google Group or create a new issue so it gets more visibility than commenting on a closed PR, though. 👍
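The thread above settles on the `event_selector` / `data_resource` syntax released in v1.10.0, and the maintainers note the service limit of 5 selectors and 250 data resources per trail. As an added example (not code from the issue or from the provider's own documentation), here is a complete trail that records object-level events for two specific buckets, grouped under a single selector, together with the bucket policy CloudTrail requires before it can deliver log files. It assumes Terraform 0.12+ syntax and an AWS provider at or above v1.10.0; the bucket names, resource labels and trail name are placeholders.

```hcl
# Added example, not part of the original issue. Bucket names are assumed.

data "aws_caller_identity" "current" {}

# Bucket that receives the CloudTrail log files (assumed name).
resource "aws_s3_bucket" "trail_logs" {
  bucket = "example-cloudtrail-logs-${data.aws_caller_identity.current.account_id}"
}

# Buckets whose object-level activity must be audited (assumed names).
resource "aws_s3_bucket" "financial_data" {
  bucket = "example-financial-data"
}

resource "aws_s3_bucket" "pii_exports" {
  bucket = "example-pii-exports"
}

# CloudTrail must be allowed to check the log bucket's ACL and to write
# objects with bucket-owner-full-control; without this policy the trail
# cannot be created.
data "aws_iam_policy_document" "trail_logs" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail_logs.arn]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail_logs" {
  bucket = aws_s3_bucket.trail_logs.id
  policy = data.aws_iam_policy_document.trail_logs.json
}

resource "aws_cloudtrail" "object_audit" {
  name                          = "object-level-audit"
  s3_bucket_name                = aws_s3_bucket.trail_logs.id
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true # digest files make later tampering detectable

  # A single selector covering both buckets: the service caps a trail at
  # 5 selectors and 250 data resources in total, so group buckets instead
  # of spending one selector per bucket.
  event_selector {
    read_write_type           = "All" # GetObject as well as PutObject/DeleteObject
    include_management_events = true

    data_resource {
      type = "AWS::S3::Object"
      # A bucket ARN with a trailing slash selects every object in that
      # bucket; "arn:aws:s3:::" alone (as in the comment above) selects all buckets.
      values = [
        "${aws_s3_bucket.financial_data.arn}/",
        "${aws_s3_bucket.pii_exports.arn}/",
      ]
    }
  }

  # The bucket policy has to exist before CloudTrail validates delivery.
  depends_on = [aws_s3_bucket_policy.trail_logs]
}
```

To verify after `terraform apply`, upload and then read an object in one of the audited buckets and confirm that `GetObject`/`PutObject` records appear under the `AWSLogs/<account-id>/CloudTrail/` prefix of the log bucket; management-only trails never show those events, which is the gap this issue was about.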
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!