Commit d6025db

Refine cloudtrail modules (#47)
1 parent 08eb63a commit d6025db

File tree

13 files changed

+517
-206
lines changed

13 files changed

+517
-206
lines changed

modules/cloudtrail-event-data-store/README.md

Lines changed: 7 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -12,14 +12,14 @@ This module creates following resources.
1212

1313
| Name | Version |
1414
|------|---------|
15-
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
16-
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.53 |
15+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
16+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
1717

1818
## Providers
1919

2020
| Name | Version |
2121
|------|---------|
22-
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
22+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.48.0 |
2323

2424
## Modules
2525

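Review bot: the requirement bump from terraform >= 1.5 / aws >= 4.53 to >= 1.6 / >= 5.25 at lines 15-16 is a breaking change for consumers pinned below those floors, and the commit message ("Refine cloudtrail modules") does not mention it; state in the commit body which resource argument needs 5.25, and make sure the module's versions.tf carries the same constraint so the terraform-docs output here does not drift from what Terraform actually enforces.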
@@ -40,9 +40,10 @@ This module creates following resources.
4040

4141
| Name | Description | Type | Default | Required |
4242
|------|-------------|------|---------|:--------:|
43+
| <a name="input_management_event_selector"></a> [management\_event\_selector](#input\_management\_event\_selector) | (Optional) A configuration of management event selector to use to select the events for the event data store. Only used if `event_type` is `CLOUDTRAIL_EVENTS`. `management_event_selector` block as defined below.<br> (Optional) `enabled` - Whether to capture management events. Defaults to `false`.<br> (Optional) `scope` - The type of events to log. Valid values are `ALL`, `READ` and `WRITE`. Defaults to `ALL`.<br> (Optional) `exclude_event_sources` - A set of event sources to exclude. Valid values are `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `management_event_selector.enabled` must be set to true to allow this. | <pre>object({<br> enabled = optional(bool, false)<br> scope = optional(string, "ALL")<br> exclude_event_sources = optional(set(string), [])<br> })</pre> | n/a | yes |
4344
| <a name="input_name"></a> [name](#input\_name) | (Required) The name of the event data store. | `string` | n/a | yes |
45+
| <a name="input_data_event_selectors"></a> [data\_event\_selectors](#input\_data\_event\_selectors) | (Optional) A configuration of event selectors to use to select the data events for the event data store. Each item of `data_event_selectors` block as defined below.<br> (Optional) `name` - A name of the advanced event selector.<br> (Optional) `resource_type` - A resource type to log data events to log. Valid values are one of the following:<br> - `AWS::DynamoDB::Table`<br> - `AWS::Lambda::Function`<br> - `AWS::S3::Object`<br> - `AWS::AppConfig::Configuration`<br> - `AWS::B2BI::Transformer`<br> - `AWS::Bedrock::AgentAlias`<br> - `AWS::Bedrock::KnowledgeBase`<br> - `AWS::Cassandra::Table`<br> - `AWS::CloudFront::KeyValueStore`<br> - `AWS::CloudTrail::Channel`<br> - `AWS::CodeWhisperer::Customization`<br> - `AWS::CodeWhisperer::Profile`<br> - `AWS::Cognito::IdentityPool`<br> - `AWS::DynamoDB::Stream`<br> - `AWS::EC2::Snapshot`<br> - `AWS::EMRWAL::Workspace`<br> - `AWS::FinSpace::Environment`<br> - `AWS::Glue::Table`<br> - `AWS::GreengrassV2::ComponentVersion`<br> - `AWS::GreengrassV2::Deployment`<br> - `AWS::GuardDuty::Detector`<br> - `AWS::IoT::Certificate`<br> - `AWS::IoT::Thing`<br> - `AWS::IoTSiteWise::Asset`<br> - `AWS::IoTSiteWise::TimeSeries`<br> - `AWS::IoTTwinMaker::Entity`<br> - `AWS::IoTTwinMaker::Workspace`<br> - `AWS::KendraRanking::ExecutionPlan`<br> - `AWS::KinesisVideo::Stream`<br> - `AWS::ManagedBlockchain::Network`<br> - `AWS::ManagedBlockchain::Node`<br> - `AWS::MedicalImaging::Datastore`<br> - `AWS::NeptuneGraph::Graph`<br> - `AWS::PCAConnectorAD::Connector`<br> - `AWS::QBusiness::Application`<br> - `AWS::QBusiness::DataSource`<br> - `AWS::QBusiness::Index`<br> - `AWS::QBusiness::WebExperience`<br> - `AWS::RDS::DBCluster`<br> - `AWS::S3::AccessPoint`<br> - `AWS::S3ObjectLambda::AccessPoint`<br> - `AWS::S3Outposts::Object`<br> - `AWS::SageMaker::Endpoint`<br> - `AWS::SageMaker::ExperimentTrialComponent`<br> - `AWS::SageMaker::FeatureGroup`<br> - 
`AWS::ServiceDiscovery::Namespace`<br> - `AWS::ServiceDiscovery::Service`<br> - `AWS::SCN::Instance`<br> - `AWS::SNS::PlatformEndpoint`<br> - `AWS::SNS::Topic`<br> - `AWS::SWF::Domain`<br> - `AWS::SQS::Queue`<br> - `AWS::SSMMessages::ControlChannel`<br> - `AWS::ThinClient::Device`<br> - `AWS::ThinClient::Environment`<br> - `AWS::Timestream::Database`<br> - `AWS::Timestream::Table`<br> - `AWS::VerifiedPermissions::PolicyStore`<br> (Optional) `scope` - The type of events to log. Valid values are `ALL`, `READ` and `WRITE`. Defaults to `WRITE`.<br> (Optional) `conditions` - A configuration of field conditions to filter events by the ARN of resource and the event name. Each item of `conditions` as defined below.<br> (Required) `field` - A field to compare by the field condition. Valid values are `event_name` and `resource_arn`.<br> (Required) `operator` - An operator of the field condition. Valid values are `equals`, `not_equals`, `starts_with`, `not_starts_with`, `ends_with`, `not_ends_with`.<br> (Required) `values` - A set of values of the field condition to compare. | <pre>list(object({<br> name = optional(string)<br> resource_type = string<br> scope = optional(string, "WRITE")<br> conditions = optional(list(object({<br> field = string<br> operator = string<br> values = set(string)<br> })), [])<br> }))</pre> | `[]` | no |
4446
| <a name="input_encryption_kms_key"></a> [encryption\_kms\_key](#input\_encryption\_kms\_key) | (Optional) Specify the KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by 'alias/', a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier. By default, the event data store is encrypted with a KMS key that AWS owns and manages. | `string` | `null` | no |
45-
| <a name="input_event_selectors"></a> [event\_selectors](#input\_event\_selectors) | (Optional) A configuration of event selectors to use to select the events for the event data store. Only used if `event_type` is `CLOUDTRAIL_EVENTS`. Each item of `event_selectors` as defined below.<br> (Required) `category` - A category of the event. Valid values are `DATA` and `MANAGEMENT`.<br> - `DATA`: Log the resource operations performed on or within a resource.<br> - `MANAGEMENT`: Capture management operations performed on your AWS resources.<br> (Optional) `scope` - A scope of events to log. Valid values are `ALL`, `READ` and `WRITE`. Defaults to `ALL`.<br> (Optional) `exclude_sources` - A set of event sources to exclude. Valid values are `kms.amazonaws.com` and `rdsdata.amazonaws.com`. Only used if `category` is `MANAGEMENT`.<br> (Optional) `resource_type` - The resource type to log data events to log. Required if `category` is `DATA`. Valid values are one of the following:<br> - `AWS::S3::Object`<br> - `AWS::Lambda::Function`<br> - `AWS::DynamoDB::Table`<br> - `AWS::S3Outposts::Object`<br> - `AWS::ManagedBlockchain::Node`<br> - `AWS::S3ObjectLambda::AccessPoint`<br> - `AWS::EC2::Snapshot`<br> - `AWS::S3::AccessPoint`<br> - `AWS::CloudTrail::Channe`l<br> - `AWS::DynamoDB::Stream`<br> - `AWS::Glue::Table`<br> - `AWS::FinSpace::Environmen`t<br> - `AWS::SageMaker::ExperimentTrialComponen`t<br> - `AWS::SageMaker::FeatureGrou`p<br> (Optional) `selectors` - A configuration of field selectors to filter events by the ARN of resource and the event name. Each item of `selectors` as defined below.<br> (Required) `field` - A field to compare by the field selector. Valid values are `event_name` and `resource_arn`.<br> (Required) `operator` - An operator of the field selector. Valid values are `equals`, `not_equals`, `starts_with`, `not_starts_with`, `ends_with`, `not_ends_with`.<br> (Required) `values` - A set of values of the field selector to compare. 
| <pre>list(object({<br> category = string<br> scope = optional(string, "ALL")<br> exclude_sources = optional(set(string), [])<br> resource_type = optional(string)<br> selectors = optional(list(object({<br> field = string<br> operator = string<br> values = set(string)<br> })), [])<br> }))</pre> | <pre>[<br> {<br> "category": "MANAGEMENT"<br> }<br>]</pre> | no |
4647
| <a name="input_event_type"></a> [event\_type](#input\_event\_type) | (Required) A type of event to be collected by the event data store. Valid values are `CLOUDTRAIL_EVENTS`, `CONFIG_CONFIGURATION_ITEMS`. Defaults to `CLOUDTRAIL_EVENTS`. | `string` | `"CLOUDTRAIL_EVENTS"` | no |
4748
| <a name="input_import_trail_events_iam_role"></a> [import\_trail\_events\_iam\_role](#input\_import\_trail\_events\_iam\_role) | (Optional) A configuration of IAM Role for importing CloudTrail events from S3 Bucket. `import_trail_events_iam_role` as defined below.<br> (Optional) `enabled` - Indicates whether you want to create IAM Role to import trail events. Defaults to `true`.<br> (Optional) `source_s3_buckets` - A list of source S3 buckets to import events from. Each item of `source_s3_buckets` as defined below.<br> (Required) `name` - A name of source S3 bucket.<br> (Optional) `key_prefix` - A key prefix of source S3 bucket. | <pre>object({<br> enabled = optional(bool, true)<br> source_s3_buckets = optional(list(object({<br> name = string<br> key_prefix = optional(string, "/")<br> })), [])<br> })</pre> | `{}` | no |
4849
| <a name="input_level"></a> [level](#input\_level) | (Optional) The level of the event data store to decide whether the event data store collects events logged for an organization in AWS Organizations. Can be created in the management account or delegated administrator account. Valid values are `ACCOUNT` and `ORGANIZATION`. Defaults to `ACCOUNT`. | `string` | `"ACCOUNT"` | no |
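Review bot: `management_event_selector` at line 43 has no default (Default `n/a`, Required `yes`) even though its description opens with "(Optional)" and every field of the object is optional; give the variable a default so the description is true. More important for logging coverage: the removed `event_selectors` defaulted to `[{ "category": "MANAGEMENT" }]`, so management events were captured unless a caller opted out, whereas the new `enabled` defaults to `false`, so a caller passing `{}` gets a store that records no management events and, with `data_event_selectors` defaulting to `[]`, no CloudTrail events at all. Consider `enabled = optional(bool, true)` with `default = {}` on the variable to keep the old safe default, or call the behaviour change out. Also, "`management_event_selector.enabled` must be set to true to allow this" for `exclude_event_sources` describes a constraint that belongs in a `validation` block, not only in the description.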
@@ -60,12 +61,13 @@ This module creates following resources.
6061
| Name | Description |
6162
|------|-------------|
6263
| <a name="output_arn"></a> [arn](#output\_arn) | The Amazon Resource Name (ARN) of the event data store. |
64+
| <a name="output_data_event_selectors"></a> [data\_event\_selectors](#output\_data\_event\_selectors) | The event selectors to use to select the data events for the event data store. |
6365
| <a name="output_encryption"></a> [encryption](#output\_encryption) | The configuration for the encryption of the event data store. |
64-
| <a name="output_event_selectors"></a> [event\_selectors](#output\_event\_selectors) | The event selectors to use to select the events for the event data store. |
6566
| <a name="output_event_type"></a> [event\_type](#output\_event\_type) | The type of event to be collected by the event data store. |
6667
| <a name="output_id"></a> [id](#output\_id) | The ID of the event data store. |
6768
| <a name="output_import_trail_events_iam_role"></a> [import\_trail\_events\_iam\_role](#output\_import\_trail\_events\_iam\_role) | A configuration of IAM Role for importing CloudTrail events from S3 Bucket. |
6869
| <a name="output_level"></a> [level](#output\_level) | The level of the event data store to decide whether the event data store collects events logged for an organization in AWS Organizations. |
70+
| <a name="output_management_event_selector"></a> [management\_event\_selector](#output\_management\_event\_selector) | The event selector to use to select the management events for the event data store. |
6971
| <a name="output_name"></a> [name](#output\_name) | The name of the event data store. |
7072
| <a name="output_retention_in_days"></a> [retention\_in\_days](#output\_retention\_in\_days) | The retention period of the event data store, in days. |
7173
| <a name="output_scope"></a> [scope](#output\_scope) | The scope of the event data store to decide whether the event data store includes events from all regions, or only from the region in which the event data store is created. |

modules/cloudtrail-event-data-store/main.tf

Lines changed: 47 additions & 23 deletions
Original file line number | Diff line number | Diff line change
@@ -24,7 +24,7 @@ locals {
2424
"READ" = "ReadOnly"
2525
"WRITE" = "WriteOnly"
2626
}
27-
event_selector_fields = {
27+
condition_fields = {
2828
"event_name" = "eventName"
2929
"resource_arn" = "resources.ARN"
3030
}
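Review bot: renaming `event_selector_fields` to `condition_fields` is fine, but with the `name = "... ${local.event_categories[event.value.category]}"` line removed below, `local.event_categories` has no remaining reference in the parts of main.tf shown here (the new selectors hardcode `"Management"` and `"Data"`), and the `"READ" = "ReadOnly"` / `"WRITE" = "WriteOnly"` map closing at line 26 is likewise not used by the `readOnly` selectors, which emit `"true"`/`"false"`. If nothing outside this diff references them, drop both locals rather than leave dead lookup tables next to the live one.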
@@ -47,62 +47,86 @@ resource "aws_cloudtrail_event_data_store" "this" {
4747
# kms_key_id = var.encryption_kms_key
4848

4949

50-
## Event Selector - AWS CloudTrail Events
50+
## Event Selector - AWS CloudTrail Events (Management)
5151
dynamic "advanced_event_selector" {
52-
for_each = var.event_type == "CLOUDTRAIL_EVENTS" ? var.event_selectors : []
53-
iterator = event
52+
for_each = var.event_type == "CLOUDTRAIL_EVENTS" && var.management_event_selector.enabled ? [var.management_event_selector] : []
53+
iterator = selector
5454

5555
content {
56-
name = "AWS CloudTrail Events - ${local.event_categories[event.value.category]}"
56+
name = "AWS CloudTrail Events - Management"
5757

5858
field_selector {
5959
field = "eventCategory"
60-
equals = [local.event_categories[event.value.category]]
60+
equals = ["Management"]
6161
}
6262

6363
dynamic "field_selector" {
64-
for_each = event.value.scope != "ALL" ? ["go"] : []
64+
for_each = selector.value.scope != "ALL" ? ["go"] : []
6565

6666
content {
6767
field = "readOnly"
6868
equals = [{
6969
"READ" = "true"
7070
"WRITE" = "false"
71-
}[event.value.scope]]
71+
}[selector.value.scope]]
7272
}
7373
}
7474

7575
dynamic "field_selector" {
76-
for_each = (event.value.category == "MANAGEMENT" && length(event.value.exclude_sources) > 0) ? ["go"] : []
76+
for_each = (length(selector.value.exclude_event_sources) > 0) ? ["go"] : []
7777

7878
content {
7979
field = "eventSource"
80-
not_equals = event.value.exclude_sources
80+
not_equals = selector.value.exclude_event_sources
8181
}
8282
}
83+
}
84+
}
85+
86+
87+
## Event Selector - AWS CloudTrail Events (Data)
88+
dynamic "advanced_event_selector" {
89+
for_each = var.event_type == "CLOUDTRAIL_EVENTS" ? var.data_event_selectors : []
90+
iterator = selector
91+
92+
content {
93+
name = coalesce(selector.value.name, "AWS CloudTrail Events - Data ${selector.key}")
94+
95+
field_selector {
96+
field = "eventCategory"
97+
equals = ["Data"]
98+
}
99+
100+
field_selector {
101+
field = "resources.type"
102+
equals = [selector.value.resource_type]
103+
}
83104

84105
dynamic "field_selector" {
85-
for_each = event.value.category == "DATA" ? ["go"] : []
106+
for_each = selector.value.scope != "ALL" ? ["go"] : []
86107

87108
content {
88-
field = "resources.type"
89-
equals = [event.value.resource_type]
109+
field = "readOnly"
110+
equals = [{
111+
"READ" = "true"
112+
"WRITE" = "false"
113+
}[selector.value.scope]]
90114
}
91115
}
92116

93117
dynamic "field_selector" {
94-
for_each = length(event.value.selectors) > 0 ? event.value.selectors : []
95-
iterator = selector
118+
for_each = length(selector.value.conditions) > 0 ? selector.value.conditions : []
119+
iterator = condition
96120

97121
content {
98-
field = local.event_selector_fields[selector.value.field]
99-
100-
equals = selector.value.operator == "equals" ? selector.value.values : null
101-
not_equals = selector.value.operator == "not_equals" ? selector.value.values : null
102-
starts_with = selector.value.operator == "starts_with" ? selector.value.values : null
103-
not_starts_with = selector.value.operator == "not_starts_with" ? selector.value.values : null
104-
ends_with = selector.value.operator == "ends_with" ? selector.value.values : null
105-
not_ends_with = selector.value.operator == "not_ends_with" ? selector.value.values : null
122+
field = local.condition_fields[condition.value.field]
123+
124+
equals = condition.value.operator == "equals" ? condition.value.values : null
125+
not_equals = condition.value.operator == "not_equals" ? condition.value.values : null
126+
starts_with = condition.value.operator == "starts_with" ? condition.value.values : null
127+
not_starts_with = condition.value.operator == "not_starts_with" ? condition.value.values : null
128+
ends_with = condition.value.operator == "ends_with" ? condition.value.values : null
129+
not_ends_with = condition.value.operator == "not_ends_with" ? condition.value.values : null
106130
}
107131
}
108132
}
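Review bot: line 47 still carries `# kms_key_id = var.encryption_kms_key` commented out, so the `encryption_kms_key` input that the README documents ("Specify the KMS key ID to use to encrypt the events delivered by CloudTrail") is accepted and silently ignored and the store is always created with the AWS-owned key; either wire the argument up or remove the input, because a caller who sets it will believe their audit log is under their own CMK when it is not. On the new selector logic: with `management_event_selector.enabled = false` (the default) and `data_event_selectors = []`, a `CLOUDTRAIL_EVENTS` store is created with no `advanced_event_selector` block at all; add a `lifecycle { precondition { ... } }` on the resource (or a variable `validation`) requiring at least one selector so the module fails at plan time instead of producing a store that captures nothing. Minor: the `readOnly` block at lines 106-115 duplicates the one at lines 63-73; a shared local map `{ READ = "true", WRITE = "false" }` would keep the two in sync.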

modules/cloudtrail-event-data-store/outputs.tf

Lines changed: 8 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -27,9 +27,14 @@ output "event_type" {
2727
value = var.event_type
2828
}
2929

30-
output "event_selectors" {
31-
description = "The event selectors to use to select the events for the event data store."
32-
value = var.event_selectors
30+
output "management_event_selector" {
31+
description = "The event selector to use to select the management events for the event data store."
32+
value = var.management_event_selector
33+
}
34+
35+
output "data_event_selectors" {
36+
description = "The event selectors to use to select the data events for the event data store."
37+
value = var.data_event_selectors
3338
}
3439

3540
output "encryption" {
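Review bot: both new outputs return the input variables verbatim (`value = var.management_event_selector`, `value = var.data_event_selectors`), so they report the caller's selectors even when `event_type` is `CONFIG_CONFIGURATION_ITEMS` and the `for_each` guards in main.tf applied none of them; either gate the values on `var.event_type == "CLOUDTRAIL_EVENTS"` or expose `aws_cloudtrail_event_data_store.this.advanced_event_selector` so the output reflects what was actually configured on the store.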
