Terraform aws_cloudtrail advanced_event_selector is not working

yolch-yolchyan · July 28, 2022, 12:44pm

Trying to define aws_cloudtrail, but having a problem when adding a block advanced_event_selector

Receiving the below error:
Blocks of type "advanced_event_selector" are not expected here.

Tried to execute with different terraform versions 1.13.x, 1.1.x and 1.2.x still the same result.

would appreciate any help!

Here is the code:

resource "aws_cloudtrail" "as_cloudtrail" {
  name                          = "up-cloudtrail-events"
  s3_bucket_name                = aws_s3_bucket.cloudtrail_logs.id
  s3_key_prefix                 = "trails"
  enable_log_file_validation    = true
  include_global_service_events = true

  advanced_event_selector {
    name = "Log PutObject and DeleteObject events for bucket"

    field_selector {
      field  = "eventName"
      equals = ["PutObject", "DeleteObject"]
    }

    field_selector {
      field = "resources.ARN"

      equals = ["any-s3-bucket-arn"]
    }

    field_selector {
      field  = "readOnly"
      equals = ["false"]
    }

    field_selector {
      field  = "resources.type"
      equals = ["AWS::S3::Object"]
    }
  }
}

yolch-yolchyan · August 1, 2022, 12:43pm

Anyone could help with this? This seems a bit critical as we basically can’t create cloud trail with advanced selectors.

Would really appreciate any response.

nb1016 · October 7, 2022, 2:07pm

Hey mate,

It looks like this is currently not a supported feature on the aws_cloudtrail resource.
You can use a null resource and a local-exec to implement this using the AWS cli, but for now you can only use normal event_selector, not advanced_event_selector.

something along these lines,


resource "null_resource" "advanced_event_selector" {
  provisioner "local-exec" {
      command = <<-EOT
      aws cloudtrail put-event-selectors --trail-name ${aws_cloudtrail.cloudtrail.id} --advanced-event-selectors\
      '[
        {
          "Name": "Do not log high volume S3 bucket reads",
          "FieldSelectors": [
              {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
              {"Field": "eventCategory", "Equals": ["Data"]},
              {"Field": "readOnly", "Equals": ["true"]},
            ]
        }
     ]'

Topic		Replies	Views
Event target not getting created Terraform	0	202	October 13, 2021
Object-level events on s3 buckets without new aws_cloudtrail AWS	1	555	April 20, 2020
Enable S3 Object-level logging AWS	0	600	April 22, 2020
For_Each, Pass in multiple json files Terraform	5	2980	August 18, 2023
Trying to set the AWS CLoudWatch Alerting to my RDS module in our local Stash/Bitbucket Terraform	0	458	July 11, 2019

Terraform aws_cloudtrail advanced_event_selector is not working

Related topics