hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Docs]: CloudTrail example fails with incorrect policy #38463

Closed speedenator closed 2 weeks ago

speedenator commented 1 month ago

Documentation Link

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail

Description

The example doesn't work, it gives an error like:

Error: creating CloudTrail Trail (cloudtrail): operation error CloudTrail: CreateTrail, https response error StatusCode: 400, RequestID: 8aa03ebe-9a38-4ab6-bb3d-6ef825faa7e4, InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket:

The reason is that in the Source ARNs, capitalization matters, and should be AWS:SourceArn and not aws:SourceArn. Quick fix but will save everyone a lot of grief.

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 1 month ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

stefanfreitag commented 1 month ago

Hi @speedenator,

could you please provide more details, e.g. the relevant code snippet and error message?

I took the example from the link you provided ( Section "Example usage"/ "Basic") and gave it a try - no issue when running terraform apply

stefan@stefan-IdeaPad-5-Pro-16ACH6:~/temp$ terraform apply 
data.aws_region.current: Reading...
data.aws_caller_identity.current: Reading...
data.aws_partition.current: Reading...
data.aws_region.current: Read complete after 0s [id=eu-central-1]
data.aws_partition.current: Read complete after 0s [id=aws]
data.aws_caller_identity.current: Read complete after 0s [id=<redacted>]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

[...]
Plan: 3 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_s3_bucket.example: Creating...
aws_s3_bucket.example: Creation complete after 2s [id=tf-test-trail-sf]
data.aws_iam_policy_document.example: Reading...
data.aws_iam_policy_document.example: Read complete after 0s [id=27032974]
aws_s3_bucket_policy.example: Creating...
aws_s3_bucket_policy.example: Creation complete after 0s [id=tf-test-trail-sf]
aws_cloudtrail.example: Creating...
aws_cloudtrail.example: Creation complete after 1s [id=arn:aws:cloudtrail:eu-central-1:<redacted>:trail/example]

In the official AWS documentation there are also examples using aws:SourceArn. Just quoting from that page:

As a security best practice, add an aws:SourceArn condition key to the Amazon S3 bucket policy. The IAM global condition key aws:SourceArn helps ensure that CloudTrail writes to the S3 bucket only for a specific trail or trails. The value of aws:SourceArn is always the ARN of the trail (or array of trail ARNs) that is using the bucket to store logs. Be sure to add the aws:SourceArn condition key to S3 bucket policies for existing trails.

Cheers Stefan
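The condition key both comments discuss is the confused-deputy guard that lets CloudTrail verify the bucket policy names the specific trail that will write to it. As an added example (not code from the provider, the docs page or either commenter), the script below loads a bucket policy shaped like the one in the provider's "Basic" example, reports any Allow statement for the cloudtrail.amazonaws.com service principal that lacks an aws:SourceArn condition, and can patch the missing condition in. The sample policy, the account id 123456789012, the region and the trail ARN are constructed placeholders. Because IAM condition key names are not case-sensitive, the check compares key names lower-cased, so aws:SourceArn and AWS:SourceArn are treated the same.

```python
"""Check an S3 bucket policy for the aws:SourceArn condition that CloudTrail
requires before it accepts a bucket as a log destination."""
import json

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"

# Constructed sample, shaped like the aws_iam_policy_document in the provider
# docs. The second statement deliberately omits aws:SourceArn so the checker
# has something to report. Account id, region and ARNs are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::tf-test-trail",
            "Condition": {"StringEquals": {
                "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example",
            }},
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::tf-test-trail/prefix/AWSLogs/123456789012/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
    ],
})


def _as_list(value):
    """IAM allows most fields to be a single value or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def _grants_cloudtrail(statement):
    """True if the statement is an Allow for the CloudTrail service principal."""
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        services = _as_list(principal.get("Service", []))
    else:  # "Principal": "*" or a bare ARN string
        services = [principal]
    return statement.get("Effect") == "Allow" and CLOUDTRAIL_PRINCIPAL in services


def _has_source_arn(statement):
    """True if some positive condition operator pins aws:SourceArn.

    IAM condition key names are case-insensitive, so compare lower-cased.
    Negated operators (StringNotEquals, ArnNotLike, ...) do not restrict the
    writer to a trail, so they are ignored.
    """
    for operator, keys in statement.get("Condition", {}).items():
        if "not" in operator.lower():
            continue
        if any(key.lower() == "aws:sourcearn" for key in keys):
            return True
    return False


def statements_missing_source_arn(policy_json):
    """Return the Sids of CloudTrail Allow statements without an aws:SourceArn condition."""
    policy = json.loads(policy_json)
    return [
        stmt.get("Sid", "<no sid>")
        for stmt in _as_list(policy["Statement"])
        if _grants_cloudtrail(stmt) and not _has_source_arn(stmt)
    ]


def add_source_arn(policy_json, trail_arn):
    """Return a copy of the policy with aws:SourceArn = trail_arn added to every
    CloudTrail Allow statement that lacked it (existing conditions are kept)."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy["Statement"]):
        if _grants_cloudtrail(stmt) and not _has_source_arn(stmt):
            conditions = stmt.setdefault("Condition", {})
            conditions.setdefault("StringEquals", {})["aws:SourceArn"] = trail_arn
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:us-east-1:123456789012:trail/example"
    for sid in statements_missing_source_arn(SAMPLE_POLICY):
        print(f"statement {sid!r} lets any trail in any account write here; add aws:SourceArn")
    print(add_source_arn(SAMPLE_POLICY, trail))
```

Run against a policy exported with `aws s3api get-bucket-policy`, the check is a quick way to confirm a bucket used by a trail is scoped to that trail before CloudTrail rejects it with InsufficientS3BucketPolicyException for some other reason.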

justinretzolk commented 2 weeks ago

Since we weren't able to reproduce this, and haven't heard back, I'm going to close this issue for now. If you still feel there are issues to be addressed, please open a new issue so that we can triage it appropriately.

github-actions[bot] commented 2 weeks ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.