Hi Everyone, Trying write a Terraform script to data events in DynamoDB in Cloud . . .

Terraform
#1

Balasubramanian Senthilkumar:
Hi Everyone,
Trying write a Terraform script to data events in DynamoDB in Cloudtrail. I’m able to get data events for individual tables when arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table, but while using arn:aws:dynamodb for all DDB events for all tables within an account. below is the code block that i’m using.

  advanced_event_selector {
    field_selector {
      field   = "resources.ARN"
      equals  = ["arn:aws:dynamodb"]
    }
  }
}

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource

This input ARN is not recording any data events for any dynamoDB tables… I tried to pass multiple arn list in the equals and was able to get the all table events… If you all have some suggestions, please let me know. TIA

#2

Alistair Mackay:
Hi,
No table ARN equals arn:aws:dynamodb so of course you will get nothing!

I haven’t used this resource, but looking at the https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html|documentation, you can probably use starts_with and specify more of the ARN i.e

arn:aws:<region>:<account number>:table/

without a table name

#3

Balasubramanian Senthilkumar:
Hi @Alistair Mackay Thanks for inputs…
In terraform documentation, its mentioned that we can use quals = ["arn:aws:dynamodb"] for getting event logs all the tables in the AWS account.

And yes, I tried to use starts with, thing is all the tables name are not having common prefix.:(… We can use starts with selector only once… It didn’t help.

#4

Deepak Kumar:
here in field selector you have used field as resources.ARN may this could be the reason I think you should try
{
field: “resources.type”
equals: [
“AWS::DynamoDB::Table”
]
}

#5

Balasubramanian Senthilkumar:
Yeah, have this field selector in the code… Once you pass type, there should be ARN passed along with it.
arn:aws:dynamodb
or
arn:aws:dynamodb:<region>:<account number>:table/<table name>

field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }
    field_selector {
      field  = "eventName"
      equals = ["PutItem", "DeleteItem", "UpdateItem"]
    }
    field_selector {
      field  = "resources.type"
      equals = ["AWS::DynamoDB::Table"]
    }
    # field_selector {
    #   field = "resources.ARN"
    #   equals = var.ddb_tables_list[terraform.workspace]
    # }
#6

Deepak Kumar:
yes this seems to be fine as you commented the ARN part then it should work now.

#7

Balasubramanian Senthilkumar:
Thanks @Deepak Kumar