Not able to create AWS CloudTrail resource with advanced event selector

[naveen-amzn]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Affected Resource(s)

• awscc_cloudtrail_trail

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "awscc_cloudtrail_trail" "main2" {
  trail_name                    = "example2"
  is_logging                    = true
  s3_bucket_name                = awscc_s3_bucket.main.id
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
  advanced_event_selectors = [ {
    name = "Log all S3 objects events except for two S3 buckets"
    field_selectors = [ {
      field = "eventCategory"
      equals = ["Data"]
    },
    {
      field = "resources.ARN"
      not_starts_with = [awscc_s3_bucket.example_bucket_1.arn,awscc_s3_bucket.example_bucket_2.arn]
    },
    {
      field = "resources.type"
      equals = ["AWS::S3::Object"]
    } ]
  } ]
}

resource "awscc_s3_bucket" "main" {
  bucket_name = "sample-bucket-cloudtrail"
}

resource "awscc_s3_bucket" "example_bucket_1" {
  bucket_name = "example-bucket-1-random"
}

resource "awscc_s3_bucket" "example_bucket_2" {
  bucket_name = "example-bucket-2-random"
}

Debug Output

awscc_cloudtrail_trail.main2: Creating...
╷
│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for awscc_cloudtrail_trail.main2.advanced_event_selectors[...].field_selectors[...].ends_with. All values must be known after apply, so this is always a
│ bug in the provider and should be reported in the provider's own repository. Terraform will still save the other known object values in the state.
╵
╷
│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for awscc_cloudtrail_trail.main2.advanced_event_selectors[...].field_selectors[...].not_equals. All values must be known after apply, so this is always a
│ bug in the provider and should be reported in the provider's own repository. Terraform will still save the other known object values in the state.
╵
╷
│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for awscc_cloudtrail_trail.main2.advanced_event_selectors[...].field_selectors[...].not_starts_with. All values must be known after apply, so this is
│ always a bug in the provider and should be reported in the provider's own repository. Terraform will still save the other known object values in the state.
╵
╷
│ Error: Provider returned invalid result object after apply
│ 
│ After the apply operation, the provider still indicated an unknown value for awscc_cloudtrail_trail.main2.advanced_event_selectors[...].field_selectors[...].starts_with. All values must be known after apply, so this is always
│ a bug in the provider and should be reported in the provider's own repository. Terraform will still save the other known object values in the state.

Panic Output

I am able to create awscc_cloudtrail_trail with basic details. But when I try to create CloudTrail with advanced_event_selectors it fails with the above mentioned error. I tried to change value and provide static value for field resources.ARN but it still gives same error. Can you please help me if I am using the correct schema or its an issue with provider itself.

Expected Behavior

Actual Behavior

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[kadrach]

Trying to reproduce this example (with random bucket names) I get

Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Invalid request provided: Incorrect S3 bucket policy is detected for bucket

[naveen-amzn]

@kadrach , Please find the below complete Terraform code. I have missed to attach the S3 bucket policy document earlier.

resource "awscc_cloudtrail_trail" "main2" {
  trail_name                    = "example2"
  is_logging                    = true
  s3_bucket_name                = awscc_s3_bucket.main.id
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
  advanced_event_selectors = [ {
    name = "Log all S3 objects events except for two S3 buckets"
    field_selectors = [ {
      field = "eventCategory"
      equals = ["Data"]
    },
    {
      field = "resources.ARN"
      not_starts_with = ["arn:aws:s3"]
    },
    {
      field = "resources.type"
      equals = ["AWS::S3::Object"]
    } ]
  } ]
}

resource "awscc_s3_bucket" "main" {
  bucket_name = "sample-bucket-cloudtrail"
}

resource "awscc_s3_bucket" "example_bucket_1" {
  bucket_name = "example-bucket-1-random"
}

resource "awscc_s3_bucket" "example_bucket_2" {
  bucket_name = "example-bucket-2-random"
}

data "aws_iam_policy_document" "example" {
  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = [awscc_s3_bucket.main.arn]
  }

  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${awscc_s3_bucket.main.arn}/prefix/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
  }
}
resource "aws_s3_bucket_policy" "example" {
  bucket = awscc_s3_bucket.main.id
  policy = data.aws_iam_policy_document.example.json
}

data "aws_caller_identity" "current" {}

data "aws_partition" "current" {}

data "aws_region" "current" {}