From 59623058e64f26e476ea1ae6de3e02f9324c0f96 Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Sun, 12 Jan 2025 20:17:26 -0600
Subject: [PATCH] feat: advanced event selectors (#251)

* Support Advanced Field Selectors

Allow the caller to provide [advanced event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) to e.g. log S3 data plane events (GetObject, etc).

* style: tfsort

--------

Co-authored-by: Dan Russell
---
 README.md | 1 +
 main.tf | 20 ++++++++++++
 variables.tf | 89 +++++++++++++++++++++++++++++++---------------------
 3 files changed, 74 insertions(+), 36 deletions(-)

diff --git a/README.md b/README.md
index 600d98e..417ddb4 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ previous invocations of the module prior to upgrading the version.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | s3_bucket_name | The name of the AWS S3 bucket. | `string` | n/a | yes |
+| advanced_event_selectors | A list of advanced event selectors for the trail. | ```list(object({ name = string field_selectors = list(object({ field = string equals = optional(list(string)) starts_with = optional(list(string)) ends_with = optional(list(string)) not_equals = optional(list(string)) not_starts_with = optional(list(string)) not_ends_with = optional(list(string)) })) }))``` | `[]` | no |
 | api_call_rate_insight | A measurement of write-only management API calls that occur per minute against a baseline API call volume. | `bool` | `false` | no |
 | api_error_rate_insight | A measurement of management API calls that result in error codes. The error is shown if the API call is unsuccessful. | `bool` | `false` | no |
 | cloudwatch_log_group_name | The name of the CloudWatch Log Group that receives CloudTrail events. | `string` | `"cloudtrail-events"` | no |
diff --git a/main.tf b/main.tf
index 64d406a..560408d 100644
--- a/main.tf
+++ b/main.tf
@@ -300,6 +300,26 @@ resource "aws_cloudtrail" "main" {
 }
 }
 
+ dynamic "advanced_event_selector" {
+ for_each = var.advanced_event_selectors
+ content {
+ name = advanced_event_selector.value.name
+
+ dynamic "field_selector" {
+ for_each = advanced_event_selector.value.field_selectors
+ content {
+ field = field_selector.value.field
+ equals = field_selector.value.equals
+ starts_with = field_selector.value.starts_with
+ ends_with = field_selector.value.ends_with
+ not_equals = field_selector.value.not_equals
+ not_starts_with = field_selector.value.not_starts_with
+ not_ends_with = field_selector.value.not_ends_with
+ }
+ }
+ }
+ }
+
 tags = var.tags
 
 depends_on = [
diff --git a/variables.tf b/variables.tf
index 2464489..241f50a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,3 +1,32 @@
+variable "advanced_event_selectors" {
+ description = "A list of advanced event selectors for the trail."
+ default = []
+ type = list(object({
+ name = string
+ field_selectors = list(object({
+ field = string
+ equals = optional(list(string))
+ starts_with = optional(list(string))
+ ends_with = optional(list(string))
+ not_equals = optional(list(string))
+ not_starts_with = optional(list(string))
+ not_ends_with = optional(list(string))
+ }))
+ }))
+}
+
+variable "api_call_rate_insight" {
+ description = "A measurement of write-only management API calls that occur per minute against a baseline API call volume."
+ default = false
+ type = bool
+}
+
+variable "api_error_rate_insight" {
+ description = "A measurement of management API calls that result in error codes. The error is shown if the API call is unsuccessful."
+ default = false
+ type = bool
+}
+
 variable "cloudwatch_log_group_name" {
 description = "The name of the CloudWatch Log Group that receives CloudTrail events."
 default = "cloudtrail-events"
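Review bot: The new `dynamic "advanced_event_selector"` block is emitted unconditionally next to whatever the resource already declares above it, and on `aws_cloudtrail` the provider treats `advanced_event_selector` and `event_selector` as mutually exclusive; if the closing braces at the top of this hunk belong to an existing `event_selector` block (its header is outside the hunk), a non-empty `var.advanced_event_selectors` will fail at plan time unless that older block is also made conditional on the list being empty. It is also worth a comment on the block, since the switch changes what gets audited: `# Advanced selectors replace basic event selectors entirely; management events are only recorded when a selector with eventCategory = Management is supplied.` The `aws_cloudtrail` resource body starts before this hunk and continues past it.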
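Review bot: The `advanced_event_selectors` type accepts a selector with no `eventCategory` field selector, or one whose operator lists are all null, and CloudTrail rejects both only at apply time; a `validation` block on the variable would catch the required `eventCategory`/`equals` pair at plan time, before the trail's logging scope is touched. The outline below keeps the declared `type` and `default` unchanged and uses `try()` so a null `equals` does not error inside `length()`.

```hcl
variable "advanced_event_selectors" {
  # … unchanged: description, default, type …

  validation {
    condition = alltrue([
      for sel in var.advanced_event_selectors :
      anytrue([
        for fs in sel.field_selectors :
        fs.field == "eventCategory" && try(length(fs.equals), 0) > 0
      ])
    ])
    error_message = "Each advanced event selector must include an eventCategory field selector that uses equals."
  }
}
```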
@@ -10,26 +39,15 @@ variable "enabled" {
 type = bool
 }
 
-variable "log_retention_days" {
- description = "Number of days to keep AWS logs around in specific log group."
- default = 90
- type = string
-}
-
-variable "s3_bucket_name" {
- description = "The name of the AWS S3 bucket."
- type = string
-}
-
-variable "s3_bucket_account_id" {
- description = "(optional) The AWS account ID which owns the S3 bucket. Only include if the S3 bucket is in a different account than the CloudTrail."
- default = null
+variable "iam_policy_name" {
+ description = "Name for the CloudTrail IAM policy"
+ default = "cloudtrail-cloudwatch-logs-policy"
 type = string
 }
 
-variable "org_trail" {
- description = "Whether or not this is an organization trail. Only valid in master account."
- default = "false"
+variable "iam_role_name" {
+ description = "Name for the CloudTrail IAM role"
+ default = "cloudtrail-cloudwatch-logs-role"
 type = string
 }
 
@@ -39,21 +57,26 @@ variable "key_deletion_window_in_days" {
 type = string
 }
 
-variable "trail_name" {
- description = "Name for the Cloudtrail"
- default = "cloudtrail"
+variable "log_retention_days" {
+ description = "Number of days to keep AWS logs around in specific log group."
+ default = 90
 type = string
 }
 
-variable "iam_role_name" {
- description = "Name for the CloudTrail IAM role"
- default = "cloudtrail-cloudwatch-logs-role"
+variable "org_trail" {
+ description = "Whether or not this is an organization trail. Only valid in master account."
+ default = "false"
 type = string
 }
 
-variable "iam_policy_name" {
- description = "Name for the CloudTrail IAM policy"
- default = "cloudtrail-cloudwatch-logs-policy"
+variable "s3_bucket_account_id" {
+ description = "(optional) The AWS account ID which owns the S3 bucket. Only include if the S3 bucket is in a different account than the CloudTrail."
+ default = null
+ type = string
+}
+
+variable "s3_bucket_name" {
+ description = "The name of the AWS S3 bucket."
 type = string
 }
 
@@ -75,14 +98,8 @@ variable "tags" {
 type = map(string)
 }
 
-variable "api_call_rate_insight" {
- description = "A measurement of write-only management API calls that occur per minute against a baseline API call volume."
- default = false
- type = bool
-}
-
-variable "api_error_rate_insight" {
- description = "A measurement of management API calls that result in error codes. The error is shown if the API call is unsuccessful."
- default = false
- type = bool
+variable "trail_name" {
+ description = "Name for the Cloudtrail"
+ default = "cloudtrail"
+ type = string
 }