r/aws_cloudtrail - add support for advanced event selectors

[phplucas]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #18867

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSCloudTrail_serial/Trail/advancedEventSelector'
              --- PASS: TestAccAWSCloudTrail_serial/Trail/advancedEventSelector (94.83s)


$ make testacc TESTARGS='-run=TestAccAWSCloudTrail_serial/Trail/basic
              --- PASS: TestAccAWSCloudTrail_serial/Trail/basic (167.76s)

[github-actions]

Welcome @phplucas 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

[phplucas]

Note:
During the tests I noticed that if the field_selector is not in a certain order, Terraform identifies it as a change. The gif best illustrates this scenario.

The expected sequence is always as follows:

1. eventCategory
2. eventName
3. resources.ARN
4. readOnly
5. resources.type

Regardless of the order, the AWS API always returns in this sequence:

What can we do in this case?

[DrFaust92]

Hi @phplucas if order is not important you can use TypeSet instead of TypeList (see other examples in the provider)

[phplucas]

Hi @DrFaust92. Thanks for the tip. I made the change and ran the tests again.

$ make testacc TESTARGS='-run=TestAccAWSCloudTrail_serial/Trail/advancedEventSelector'
              --- PASS: TestAccAWSCloudTrail_serial/Trail/advancedEventSelector (91.68s)


$ make testacc TESTARGS='-run=TestAccAWSCloudTrail_serial/Trail/basic
              --- PASS: TestAccAWSCloudTrail_serial/Trail/basic (160.85s)

[christophetd]

@DrFaust92 Any blocker for this PR? Looking forward to it, will be super useful

[lukBaszak]

Hi @DrFaust92 any changes on that? Can we expect this functionality in closer future?

[sufiyanghori]

Hi @DrFaust92 , is this going to be merged and released anytime soon?

[stevefranchak]

I'm joining in to also say that I hope this will be merged and released soon. This is a potential blocker for me. I appreciate the work!

[hkak03key]

@YakDriver
Hello, I hope this PR will be merged.
Could you review and merge this PR?

(I found you created and merged r/aws_cloudtrail PR, so I may be wrong but I think you can review and merge this PR. )

[hkak03key]

@YakDriver
Hi, I haven't received a reply so I'll ask other person. Thank you.

@breathingdust
Hello, I hope this PR will be merged.
Could you review and merge this PR?

[ewbankkit]

LGTM 🚀.

Commercial

% make testacc TESTARGS='-run=TestAccAWSCloudTrail_serial'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSCloudTrail_serial -timeout 180m
=== RUN   TestAccAWSCloudTrail_serial
=== RUN   TestAccAWSCloudTrail_serial/Trail
=== RUN   TestAccAWSCloudTrail_serial/Trail/advancedEventSelector
=== RUN   TestAccAWSCloudTrail_serial/Trail/cloudwatch
=== RUN   TestAccAWSCloudTrail_serial/Trail/enableLogging        
=== RUN   TestAccAWSCloudTrail_serial/Trail/multiRegion
=== RUN   TestAccAWSCloudTrail_serial/Trail/kmsKey
=== RUN   TestAccAWSCloudTrail_serial/Trail/eventSelector
=== RUN   TestAccAWSCloudTrail_serial/Trail/eventSelectorDynamoDB
=== RUN   TestAccAWSCloudTrail_serial/Trail/insightSelector
=== RUN   TestAccAWSCloudTrail_serial/Trail/basic        
=== RUN   TestAccAWSCloudTrail_serial/Trail/globalServiceEvents
=== RUN   TestAccAWSCloudTrail_serial/Trail/organization
    provider_test.go:794: skipping tests; this AWS account must not be an existing member of an AWS Organization
=== RUN   TestAccAWSCloudTrail_serial/Trail/logValidation
=== RUN   TestAccAWSCloudTrail_serial/Trail/tags
--- PASS: TestAccAWSCloudTrail_serial (761.14s)
    --- PASS: TestAccAWSCloudTrail_serial/Trail (761.14s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/advancedEventSelector (43.25s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/cloudwatch (101.70s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/enableLogging (92.42s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/multiRegion (91.18s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/kmsKey (36.20s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/eventSelector (134.21s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/eventSelectorDynamoDB (35.20s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/insightSelector (37.65s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/basic (59.35s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/globalServiceEvents (34.92s)
        --- SKIP: TestAccAWSCloudTrail_serial/Trail/organization (0.17s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/logValidation (62.81s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/tags (88.23s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	764.289s

GovCloud

% make testacc TESTARGS='-run=TestAccAWSCloudTrail_serial' 
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSCloudTrail_serial -timeout 180m
=== RUN   TestAccAWSCloudTrail_serial
=== RUN   TestAccAWSCloudTrail_serial/Trail
=== RUN   TestAccAWSCloudTrail_serial/Trail/basic
=== RUN   TestAccAWSCloudTrail_serial/Trail/enableLogging
=== RUN   TestAccAWSCloudTrail_serial/Trail/logValidation
=== RUN   TestAccAWSCloudTrail_serial/Trail/tags
=== RUN   TestAccAWSCloudTrail_serial/Trail/eventSelector
=== RUN   TestAccAWSCloudTrail_serial/Trail/insightSelector
=== RUN   TestAccAWSCloudTrail_serial/Trail/advancedEventSelector
    provider_test.go:1166: skipping test for aws-us-gov/us-gov-west-1: Error running apply: exit status 1
        
        Error: Error set advanced event selector on CloudTrail (tf-acc-test-6941446915302626813): UnsupportedOperationException: The AWS::DynamoDB::Table data resource type is not supported.
        
          with aws_cloudtrail.test,
          on terraform_plugin_test.tf line 2, in resource "aws_cloudtrail" "test":
           2: resource "aws_cloudtrail" "test" {
        
=== RUN   TestAccAWSCloudTrail_serial/Trail/cloudwatch
=== RUN   TestAccAWSCloudTrail_serial/Trail/globalServiceEvents
=== RUN   TestAccAWSCloudTrail_serial/Trail/multiRegion
=== RUN   TestAccAWSCloudTrail_serial/Trail/organization
    provider_test.go:794: skipping tests; this AWS account must not be an existing member of an AWS Organization
=== RUN   TestAccAWSCloudTrail_serial/Trail/kmsKey
=== RUN   TestAccAWSCloudTrail_serial/Trail/eventSelectorDynamoDB
    provider_test.go:1166: skipping test for aws-us-gov/us-gov-west-1: Error running apply: exit status 1
        
        Error: Error set event selector on CloudTrail (tf-acc-test-8098917304723635288): UnsupportedOperationException: The operation requested is not supported in the region.
        
          with aws_cloudtrail.test,
          on terraform_plugin_test.tf line 34, in resource "aws_cloudtrail" "test":
          34: resource "aws_cloudtrail" "test" {
        
--- PASS: TestAccAWSCloudTrail_serial (810.01s)
    --- PASS: TestAccAWSCloudTrail_serial/Trail (810.01s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/basic (68.85s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/enableLogging (98.34s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/logValidation (70.11s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/tags (97.27s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/eventSelector (139.30s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/insightSelector (40.85s)
        --- SKIP: TestAccAWSCloudTrail_serial/Trail/advancedEventSelector (19.43s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/cloudwatch (76.14s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/globalServiceEvents (37.91s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/multiRegion (96.24s)
        --- SKIP: TestAccAWSCloudTrail_serial/Trail/organization (0.80s)
        --- PASS: TestAccAWSCloudTrail_serial/Trail/kmsKey (38.57s)
        --- SKIP: TestAccAWSCloudTrail_serial/Trail/eventSelectorDynamoDB (26.21s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	813.461s

[christophetd]

Very nice, when's the next release planned so we can start using it? 🔥

[github-actions]

This functionality has been released in v3.59.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[hkak03key]

Hi @ewbankkit ,
Thank you for taking over the task!
This feature has been released so I'll use it!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.