Pav*_*sar 5 amazon-web-services amazon-cloudwatch amazon-cloudtrail terraform
我尝试使用 terraform 配置 AWS CloudTrail,但 CloudWatch 集成仍然失败。有人看到某个地方有错误吗?
地形 v0.13.5
# Mendatory VARs
env
aws_region
access_key
secret_key
# Configure the AWS Provider
provider "aws" {
version = ">= 3.7.0"
region = var.aws_region
access_key = var.access_key
secret_key = var.secret_key
}
# Terraform backend to store current running configuration
terraform {
backend "remote" {
hostname = "app.terraform.io"
organization = "some_org"
workspaces {
name = "some_workspace"
}
}
}
resource "aws_cloudwatch_log_group" "backuping_cloudwatch_log_group" {
name = "backuping-${var.env}-cloudwatch-log_group"
tags = {
Name = "Cloudwatch for backuping CloudTrail"
Environment = var.env
}
depends_on = [aws_s3_bucket.bucket]
}
resource "aws_cloudwatch_log_stream" "backuping_cloudwatch_log_stream" {
log_group_name = aws_cloudwatch_log_group.backuping_cloudwatch_log_group.id
name = "backuping-${var.env}-cloudwatch-log_stream"
depends_on = [aws_cloudwatch_log_group.backuping_cloudwatch_log_group]
}
resource "aws_iam_policy" "backuping_cloudtrail_cloudwatch_policy" {
name = "backuping-${var.env}-cloudtrail_cloudwatch_policy"
description = "Policy to enable ClodTrail logging into CloudWatch on ${var.env}"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream2014110${var.env}",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream"
],
"Resource": [
"${aws_cloudwatch_log_stream.backuping_cloudwatch_log_stream.arn}*"
]
},
{
"Sid": "AWSCloudTrailPutLogEvents20141101${var.env}",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"${aws_cloudwatch_log_stream.backuping_cloudwatch_log_stream.arn}*"
]
}
]
}
POLICY
depends_on = [aws_cloudwatch_log_stream.backuping_cloudwatch_log_stream]
}
resource "aws_iam_role" "backuping_cloudtrail_cloudwatch_role" {
name = "backuping-${var.env}-cloudtrail_cloudwatch_role"
path = "/service-role/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
tags = {
Name = "IAM Role for CloudTrail logging into CloudWatch"
Environment = var.env
}
depends_on = [aws_iam_policy.backuping_cloudtrail_cloudwatch_policy]
}
resource "aws_iam_role_policy_attachment" "backuping_cloudtrail_cloudwatch_role_policy_attachement" {
role = aws_iam_role.backuping_cloudtrail_cloudwatch_role.name
policy_arn = aws_iam_policy.backuping_cloudtrail_cloudwatch_policy.arn
depends_on = [aws_iam_role.backuping_cloudtrail_cloudwatch_role]
}
data "aws_caller_identity" "current" {}
locals {
backuping_logs_bucket_name = "backuping-${var.env}-logs"
}
resource "aws_s3_bucket" "backuping_logs_bucket" {
bucket = local.backuping_logs_bucket_name
acl = "private"
force_destroy = true
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::${local.backuping_logs_bucket_name}"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${local.backuping_logs_bucket_name}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
POLICY
tags = {
Name = "Bucket for backuping logs"
Environment = var.env
}
}
resource "aws_s3_bucket_public_access_block" "s3_logs_bucket_public_access" {
bucket = aws_s3_bucket.backuping_logs_bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_cloudtrail" "backuping_cloudtrail" {
name = "backuping-${var.env}-cloudtrail"
s3_bucket_name = aws_s3_bucket.backuping_logs_bucket.id
is_multi_region_trail = true
enable_log_file_validation = true
event_selector {
read_write_type = "All"
include_management_events = false
data_resource {
type = "AWS::S3::Object"
# Make sure to append a trailing '/' to your ARN if you want
# to monitor all objects in a bucket.
values = ["arn:aws:s3"]
}
}
tags = {
Name = "CloudTrail for backuping events"
Environment = var.env
}
cloud_watch_logs_role_arn = aws_iam_role.backuping_cloudtrail_cloudwatch_role.arn
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.backuping_cloudwatch_log_group.arn}:*"
depends_on = [
aws_iam_role_policy_attachment.backuping_cloudtrail_cloudwatch_role_policy_attachement,
aws_s3_bucket.backuping_logs_bucket
]
}
[DEBUG] plugin.terraform-provider-aws_v3.15.0_x5: 2020/11/17 17:02:38
[DEBUG] [aws-sdk-go] DEBUG: Validate Response cloudtrail/CreateTrail failed, attempt 0/25, error InvalidCloudWatchLogsLogGroupArnException: Access denied. Check the permissions for your role.
这应该创建 AWS CloudTrail,并登录到 S3 存储桶并将日志发送到 CloudWatch
S3 存储桶正常,但 Cloudwatch 添加失败,并显示InvalidCloudWatchLogsLogGroupArnException: Access denied. Check the permissions for your role. 当在没有 CloudWatch 的情况下创建 Trail 时,一切正常。还可以通过 AWS 控制台为现有跟踪配置 CloudWatch。如果我将通过 AWS 控制台创建的所有权限和角色与使用 Terraform 手动创建的权限和角色进行比较,它们是相同的,但 Terraform 以错误结束。此外,使用 AWS 控制台将 CloudWatch 添加到 Trail 以及现有的backuping_cloudtrail_cloudwatch_role和现有的backuping_cloudwatch_log_group效果也很好。相应的策略会自动创建并且日志记录工作正常。因此,除了角色策略之外的所有步骤都有效。
terraform apply如果您仍然需要解决这个问题,我有类似的配置,并且遇到了同样的问题。问题在于CloudTrail 的命名约定。日志流的名称必须采用以下格式 account_ID_CloudTrail_source_region。我所做的是将日志流的名称更改为
resource "aws_cloudwatch_log_stream" "test" {
name = "${data.aws_caller_identity.current.account_id}_CloudTrail_${data.aws_region.current.name}"
log_group_name = aws_cloudwatch_log_group.test.name
}
使用 caller_identity 和 aws_region 数据源:
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
问题在于,CloudTrail 在策略中(尽管有我们的配置)或在尝试查找日志流时强制使用常规名称,并且由于名称不相等,因此您会收到错误InvalidCloudWatchLogsLogGroupArnException。
| 归档时间: |
|
| 查看次数: |
1682 次 |
| 最近记录: |