hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Cloudtrail InsufficientS3BucketPolicyException Error #26392

Open ramimohammad opened 2 years ago

ramimohammad commented 2 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

Terraform v1.2.7 on linux_amd64 provider registry.terraform.io/hashicorp/aws v4.26.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_cloudtrail" "k2k-cloudtrail" {
  name                          = "k2k-cloudtrail"
  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
  s3_key_prefix                 = "cloudtrail"
  include_global_service_events = true
  is_multi_region_trail         = true
  is_organization_trail         = true
  enable_log_file_validation    = true
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.cloudtrail-logs.arn}:*"
  cloud_watch_logs_role_arn     = aws_iam_role.cloudtrail_cloudwatch_role.arn
  kms_key_id                    = aws_kms_key.cloudtrail.arn
  enable_logging                = true

  event_selector {
    read_write_type           = "All"
    include_management_events = true
    data_resource {
      type = "AWS::S3::Object"
      values = ["arn:aws:s3"]
    }
  }
  depends_on = [
    aws_s3_bucket.cloudtrail,
    aws_kms_key.cloudtrail,
    aws_kms_alias.cloudtrail,
    aws_s3_bucket_policy.cloudtrail
  ]
}

resource "aws_s3_bucket" "cloudtrail" {
  bucket = "cloudtrail"

}

resource "aws_s3_bucket_policy" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "${aws_s3_bucket.cloudtrail.arn}",
            "Condition": {
                 "StringEquals": {
                     "aws:SourceArn": "arn:aws:cloudtrail:${var.region}:${var.account_id}:trail/cloudtrail"
                 }
            }
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "${aws_s3_bucket.cloudtrail.arn}/cloudtrail/AWSLogs/${var.account_id}/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "AWS:SourceArn" : "arn:aws:cloudtrail:${var.region}:${var.account_id}:trail/cloudtrail"
                }
            }
        }
    ]
}
POLICY
}

Debug Output

│ Error: Error creating CloudTrail: InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: cloudtrail
│ 
│   with aws_cloudtrail.cloudtrail,
│   on logging.tf line 31, in resource "aws_cloudtrail" "cloudtrail":
│   31: resource "aws_cloudtrail" "cloudtrail" {

Expected Behavior

It should create the cloudtrail without issues

Actual Behavior

Error: Error creating CloudTrail: InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket

Steps to Reproduce

  1. terraform apply

Important Factoids

When trying to create the CloudTrail directly from the AWS console without Terraform, it's created normally.

References
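CloudTrail returns InsufficientS3BucketPolicyException when the bucket policy does not grant exactly what it checks for: s3:GetBucketAcl on the bucket, s3:PutObject on <bucket>/<s3_key_prefix>/AWSLogs/<account_id>/* with s3:x-amz-acl = bucket-owner-full-control, and, where an aws:SourceArn condition is present, a trail ARN equal to the trail being created (in the configuration above the trail is named k2k-cloudtrail while both conditions name trail/cloudtrail). The checker below is an added example, not code from the issue or the provider; it assumes constructed values for the account id, region and bucket ARN.

```python
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _string_equals(stmt, key):
    # IAM condition keys are case-insensitive ("aws:SourceArn" == "AWS:SourceArn")
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return [x for k, v in cond.items() if k.lower() == key.lower() for x in _as_list(v)]

def check_cloudtrail_bucket_policy(policy_json, bucket_arn, trail_arn, account_id, key_prefix=""):
    """Return a list of findings; an empty list means the policy grants what CloudTrail checks for."""
    findings, acl_ok, put_ok = [], False, False
    prefix = f"/{key_prefix.strip('/')}" if key_prefix else ""
    expected_objects = f"{bucket_arn}{prefix}/AWSLogs/{account_id}/*"
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        source_arns = _string_equals(stmt, "aws:SourceArn")
        if source_arns and trail_arn not in source_arns:
            findings.append(f"{sid}: aws:SourceArn {source_arns} does not match trail {trail_arn}")
            continue  # a statement scoped to another trail does not count for this one
        actions, resources = _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))
        acl_ok = acl_ok or ("s3:GetBucketAcl" in actions and bucket_arn in resources)
        if "s3:PutObject" in actions and expected_objects in resources:
            if "bucket-owner-full-control" in _string_equals(stmt, "s3:x-amz-acl"):
                put_ok = True
            else:
                findings.append(f"{sid}: s3:PutObject must require s3:x-amz-acl = bucket-owner-full-control")
    if not acl_ok:
        findings.append(f"no s3:GetBucketAcl grant to cloudtrail.amazonaws.com on {bucket_arn}")
    if not put_ok:
        findings.append(f"no s3:PutObject grant to cloudtrail.amazonaws.com on {expected_objects}")
    return findings

# Constructed sample: the issue's bucket policy with its Terraform interpolations filled in (assumed values).
BUCKET_ARN, ACCOUNT, REGION = "arn:aws:s3:::cloudtrail", "123456789012", "us-east-1"
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:GetBucketAcl",
     "Resource": BUCKET_ARN,
     "Condition": {"StringEquals": {"aws:SourceArn": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/cloudtrail"}}},
    {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
     "Resource": f"{BUCKET_ARN}/cloudtrail/AWSLogs/{ACCOUNT}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                    "AWS:SourceArn": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/cloudtrail"}}}]})

if __name__ == "__main__":  # the issue's trail is named k2k-cloudtrail; the policy names trail/cloudtrail
    print(check_cloudtrail_bucket_policy(POLICY, BUCKET_ARN, f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/k2k-cloudtrail", ACCOUNT, "cloudtrail"))
```

Run it against the rendered policy of a real bucket (for example the output of `aws s3api get-bucket-policy`) with the trail ARN Terraform is about to create, before `terraform apply`, to see which of CloudTrail's checks the policy fails.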

rabidscorpio commented 2 years ago

@ramimohammad I came here because I had the same error but I was using a separate "aws_iam_policy_document" resource. It turns out, this comment explains that you need to add a "depends_on" to the cloudtrail resource for that to work correctly: https://github.com/hashicorp/terraform-provider-aws/issues/820#issuecomment-485593305.

In the code you pasted, you show an inline policy but I'm curious if you pasted that in from the providers docs and are actually using the separate policy document resource because the inline policy should work. I used the exact same policy to create the separate policy document and that worked with the "depends_on" in the "aws_cloudtrail" resource.

scalp42 commented 1 year ago

@rabidscorpio strange, it's not working for me unfortunately with the depends_on trick.

ramimohammad commented 1 year ago

It's been resolved by allowing ACLs on the target S3 bucket, as I remember; after that, try to apply again.