如何 link 在 CDK 中通过部分名称跟踪函数?

How to link a trail to functions by partial name in CDK?

The original code 在每个部署的单个堆栈中创建了一个存储桶和跟踪,并将它们链接到同一堆栈中的一个函数:

trail_bucket = aws_s3.Bucket(
    self,
    "cloudtrail-bucket",
    access_control=aws_s3.BucketAccessControl.PRIVATE,
    block_public_access=aws_s3.BlockPublicAccess.BLOCK_ALL,
    auto_delete_objects=True,
    removal_policy=RemovalPolicy.DESTROY,
)
trail = aws_cloudtrail.Trail(
    self,
    "cloudtrail",
    send_to_cloud_watch_logs=True,
    bucket=trail_bucket,
    cloud_watch_log_group=aws_logs.LogGroup(self, "api-user-log"),
    removal_policy=RemovalPolicy.DESTROY,
)
trail.add_lambda_event_selector(
    [import_status_endpoint_lambda],
    include_management_events=False,
)

这已成为 CI 的问题,因为我们经常达到每个帐户五个跟踪的限制(所有 CI 部署都针对同一帐户)。因此,我正在研究将踪迹拉入其自己的堆栈并通过通配符将其链接到相关函数的可能性。基本上,我想记录来自匹配 arn:aws:lambda:*:*:function:*import-status 的 ARN 的所有事件。这可能吗?

Trail.add_event_selector speaks of the data resource values as being specifically ARNs, and DataResource 的文档似乎表明我唯一的选择是

CloudTrail 使用 Advanced Event SelectorsEndsWith 来过滤 ARN。这适合您的用例,您希望所有以 import-status.

结尾的 Lambda ARN 共享 Trail

好的,但是如何使用 CDK 设置高级事件选择器?不幸的是,CloudFormation AWS::CloudTrail::Trail resource (= CDK L1 CfnTrail construct, which underlies the L2 Trail) appears not to support them in the eventSelectors prop. Fortunately, CDK (and CloudFormation) has Custom Resources 填补了这些空白。

在您的新 trail_stack 中,创建一个 Trail 并在您的 Trail 上创建一个 AWSCustomResource construct, which makes arbitrary SDK calls. It will call the PutEventsSelectors API,设置高级事件选择器。它将在资源创建时被调用一次:

# trail_stack.py
aws_custom = cr.AwsCustomResource(self, "aws-custom-advanced-selectors",
    on_create=cr.AwsSdkCall(
        service="CloudTrail",
        action="putEventSelectors",
        parameters= parameters: {
          TrailName: my_trail.trail_arn,
          AdvancedEventSelectors: [
            {
              Name: 'Log import-status lambdas only',
              FieldSelectors: [
                { Field: 'eventCategory', Equals: ['Data'] },
                { Field: 'resources.type', Equals: ['AWS::Lambda::Function'] },
                {
                  Field: 'resources.ARN',
                  EndsWith: ['import-status'],
                },
              ],
            },
          ],
        },
        physical_resource_id=cr.PhysicalResourceId.of("aws-custom-advanced-selectors")
    ),
    policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
        resources=my_trail.trail_arn
    )
)