lacework / terraform-provisioning

Lacework provisioning with Terraform
Apache License 2.0

AWS: Add logic to deal with trailing slashes in the bucket ARN within the `aws_cloudtrail` module #102

Closed dm4r closed 3 years ago

dm4r commented 3 years ago

When defining the bucket ARN, it is easy to copy/paste it out of the AWS Console with a trailing slash included: arn:aws:s3:::aws-cloudtrail-logs/AWSLogs/999999999999/


This results in the aws_cloudtrail Terraform module using the provided ARN and appending an additional trailing slash:

```
+ resources = [
```

Which in turn results in malformed policy values captured in the lacework_iam_role, S3 Permissions:

GetObject

| Field | Condition | Value |
| --- | --- | --- |
| ObjectPath | string like | AWSLogs/999999999999//* |
| BucketName | string like | aws-cloudtrail-logs-999999999999-0abe6e44 |

Note the double-slash as part of the generated policy value.

This malformed policy value results in a permissions issue error in the Lacework UI, CloudTrail Settings integration section (as per attached screenshot).

afiune commented 3 years ago

Thank you for reporting this issue, this could be solved super quick with https://www.terraform.io/docs/configuration/functions/trimsuffix.html

cc @scottford-lw
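For reference, here is what the `trimsuffix` fix looks like in a module that builds the S3 read policy from a user-supplied bucket ARN. This is an added example written for this thread, not code from the lacework/terraform-provisioning repository; the variable name `bucket_arn`, the local names and the policy document are assumptions chosen to mirror the ARN and permissions shown in the issue, not the module's actual identifiers.

```hcl
# Added example (not the project's module). Assumed input: the ARN as pasted
# from the console, possibly with a trailing slash, e.g.
#   arn:aws:s3:::aws-cloudtrail-logs/AWSLogs/999999999999/
variable "bucket_arn" {
  description = "ARN of the CloudTrail bucket, optionally with a key prefix"
  type        = string
}

locals {
  # Normalise first: strip one trailing "/" if present so that appending
  # "/*" below never yields the "//*" seen in the generated policy.
  bucket_arn_clean = trimsuffix(var.bucket_arn, "/")

  # Bucket name is the first path segment after the S3 ARN prefix;
  # the remainder (if any) is the key prefix.
  bucket_path = trimprefix(local.bucket_arn_clean, "arn:aws:s3:::")
  bucket_name = split("/", local.bucket_path)[0]

  # Object-level resource for s3:GetObject. With the sample input this is
  # arn:aws:s3:::aws-cloudtrail-logs/AWSLogs/999999999999/*  (single slash).
  object_resources = ["${local.bucket_arn_clean}/*"]
}

data "aws_iam_policy_document" "cloudtrail_read" {
  # Read the log objects under the (normalised) prefix only.
  statement {
    sid       = "ReadCloudTrailObjects"
    actions   = ["s3:GetObject"]
    resources = local.object_resources
  }

  # Bucket-level calls need the bucket ARN without any key path.
  statement {
    sid       = "ListCloudTrailBucket"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]
  }
}

output "cloudtrail_read_policy_json" {
  value = data.aws_iam_policy_document.cloudtrail_read.json
}
```

A quick way to confirm the normalisation before wiring it into a role is `terraform console`, where `trimsuffix("arn:aws:s3:::aws-cloudtrail-logs/AWSLogs/999999999999/", "/")` returns the ARN without the trailing slash. Note that `trimsuffix` removes the suffix once, so an input ending in `//` would still keep one slash; if that is a realistic paste error, a regex `replace(var.bucket_arn, "/\\/+$/", "")` strips any run of trailing slashes instead.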