Every time I try to deploy my Terraform code in Spacelift, I keep getting this error:

“Error: creating CloudTrail Trail: InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket”

Could you please help me with this?
```hcl
# Create S3 bucket policy allowing CloudTrail to write logs
resource "aws_s3_bucket_policy" "s3_log_bucket_policy" {
  bucket = aws_s3_bucket.s3_cloudtrail.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "cloudtrail.amazonaws.com"
        }
        Action   = "s3:PutObject"
        Resource = "${aws_s3_bucket.s3_cloudtrail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl" = "bucket-owner-full-control"
          }
        }
      },
      {
        Effect = "Allow"
        Principal = {
          Service = "cloudtrail.amazonaws.com"
        }
        Action   = "s3:GetBucketAcl"
        Resource = aws_s3_bucket.s3_cloudtrail.arn
      },
      {
        Effect = "Allow"
        Principal = {
          Service = "cloudtrail.amazonaws.com"
        }
        Action   = "s3:ListBucket"
        Resource = aws_s3_bucket.s3_cloudtrail.arn
        Condition = {
          StringLike = {
            "s3:prefix" = ["AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
          }
        }
      }
    ]
  })
}

# Multi-region management-event trail writing to the bucket above
resource "aws_cloudtrail" "management_events" {
  name                          = var.cloudtrail_trail_name
  s3_bucket_name                = aws_s3_bucket.s3_cloudtrail.id
  s3_key_prefix                 = "cloudtrail-logs"
  is_multi_region_trail         = true
  enable_logging                = true
  enable_log_file_validation    = true
  include_global_service_events = true
  cloud_watch_logs_role_arn     = aws_iam_role.cloudtrail_role.arn
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.cloudtrail_logs.arn}:*"
  kms_key_id                    = aws_kms_key.cloudtrail_key.arn

  depends_on = [
    aws_s3_bucket.s3_cloudtrail,
    aws_s3_bucket_policy.s3_log_bucket_policy,
    aws_iam_role_policy.cloudtrail_role_policy,
    aws_kms_alias.cloudtrail_key_alias,
  ]
}
```
Thank you.

I did try changing the `depends_on` for the S3 bucket policy as well as CloudTrail a few times, to no avail.
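The bucket policy in the question only grants `s3:PutObject` on `AWSLogs/<account>/*`, while a trail configured with `s3_key_prefix` writes objects under `<prefix>/AWSLogs/<account>/*`. The following is an added example (not the asker's code, not an official snippet) of a bucket policy whose object path matches the `cloudtrail-logs` prefix used above and that restricts the service principal to this account's trail; it assumes a `data "aws_region" "current"` data source is declared next to the existing `aws_caller_identity` one, and it builds the trail ARN by hand because referencing `aws_cloudtrail.management_events.arn` from the policy would create a dependency cycle with the trail's `depends_on`.

```hcl
# Added example: bucket policy aligned with s3_key_prefix = "cloudtrail-logs".
# Assumes data.aws_region.current is declared alongside
# data.aws_caller_identity.current (assumption, not from the question).
locals {
  log_prefix = "cloudtrail-logs"
  # Built by hand to avoid a cycle between the policy and the trail resource.
  trail_arn  = "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_trail_name}"
}

resource "aws_s3_bucket_policy" "s3_log_bucket_policy" {
  bucket = aws_s3_bucket.s3_cloudtrail.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSCloudTrailAclCheck"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.s3_cloudtrail.arn
        # Only this account's trail may use the bucket (confused-deputy guard).
        Condition = { StringEquals = { "aws:SourceArn" = local.trail_arn } }
      },
      {
        Sid       = "AWSCloudTrailWrite"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        # The key prefix comes before AWSLogs/<account>/ in the object path.
        Resource  = "${aws_s3_bucket.s3_cloudtrail.arn}/${local.log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl"  = "bucket-owner-full-control"
            "aws:SourceArn" = local.trail_arn
          }
        }
      }
    ]
  })
}
```

If the prefix and the policy path ever drift apart again, `terraform plan` will not catch it; the mismatch only surfaces as the `InsufficientS3BucketPolicyException` at apply time, so keeping the prefix in a single `local` referenced by both resources is the simplest guard.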