r/cloudtrail: Add support CloudTrail EventSelector #2258
Conversation
radeksimko
added
enhancement
|
Link #887 |
aws/resource_aws_cloudtrail.go
Outdated
| "type": &schema.Schema{ | ||
| Type: schema.TypeString, | ||
| Required: true, | ||
| ValidateFunc: validation.StringInSlice([]string{"AWS::S3::Object"}, false), |
There was a problem hiding this comment.
CloudTrail as of recently also supports Lambda, so you might want to add "AWS::Lambda::Function" to the list of allowed types.
There was a problem hiding this comment.
Thanks comment!
I added Lambda.
|
What else should be done on this to get it into? |
radeksimko
added
the
service/cloudtrail
There was a problem hiding this comment.
@kjmkznr thanks so much for contributing this and sorry its taken so long to get a maintainer review. Please take a look at the feedback and let me know if you have any questions or when this can be reviewed again. Overall great job and we'll get this shipped soon! 😄
aws/resource_aws_cloudtrail.go
Outdated
| @@ -72,6 +73,46 @@ func resourceAwsCloudTrail() *schema.Resource { | |||
| Optional: true, | |||
| ValidateFunc: validateArn, | |||
| }, | |||
| "event_selector": &schema.Schema{ | |||
There was a problem hiding this comment.
Nitpick: the &schema.Schema for the attributes are unnecessary since Go 1.7 (except for the one with Elem: &schema.Schema below)
aws/resource_aws_cloudtrail.go
Outdated
| "read_write_type": &schema.Schema{ | ||
| Type: schema.TypeString, | ||
| Required: true, | ||
| ValidateFunc: validation.StringInSlice([]string{"All", "ReadOnly", "WriteOnly"}, false), |
There was a problem hiding this comment.
Nitpick: The AWS SDK provides constants for all of these:
"All":cloudtrail.ReadWriteTypeAll"ReadOnly":cloudtrail.ReadWriteTypeReadOnly"WriteOnly":cloudtrail.ReadWriteTypeWriteOnly
aws/resource_aws_cloudtrail.go
Outdated
| Schema: map[string]*schema.Schema{ | ||
| "read_write_type": &schema.Schema{ | ||
| Type: schema.TypeString, | ||
| Required: true, |
There was a problem hiding this comment.
This attribute should be:
Optional: true,
Default: cloudtrail.ReadWriteTypeAll,To match the CloudTrail API documentation
aws/resource_aws_cloudtrail.go
Outdated
| return err | ||
| } | ||
|
|
||
| d.Set("event_selector", flattenAwsCloudTrailEventSelector(eventSelectorsOut.EventSelectors)) |
There was a problem hiding this comment.
We should check and return for errors here since it is not a simple string attribute:
if err := d.Set("event_selector", flattenAwsCloudTrailEventSelector(eventSelectorsOut.EventSelectors)); err != nil {
return err
}
aws/resource_aws_cloudtrail.go
Outdated
| @@ -300,6 +358,13 @@ func resourceAwsCloudTrailUpdate(d *schema.ResourceData, meta interface{}) error | |||
| } | |||
| } | |||
|
|
|||
| if d.HasChange("event_selector") { | |||
There was a problem hiding this comment.
d.HasChange here will return true on resource creation (as resourceAwsCloudTrailCreate calls resourceAwsCloudTrailUpdate), so that means PutEventSelectors is called twice. You can use !d.IsNewResource() && d.HasChange("event_selector") to prevent that 👍
| #### Data Resource Arguments | ||
| For **data_resource** the following attributes are supported. | ||
|
|
||
| * `type` (Required) - The resource type in witch you want to log data events. You can specify only the follwing value: "AWS::S3::Object" |
There was a problem hiding this comment.
We support "AWS::Lambda::Function" in the validation function as well
| For **data_resource** the following attributes are supported. | ||
|
|
||
| * `type` (Required) - The resource type in witch you want to log data events. You can specify only the follwing value: "AWS::S3::Object" | ||
| * `values` (Required) - A list of ARN for the specified S3 buckets and object prefies.. |
aws/resource_aws_cloudtrail_test.go
Outdated
| Check: resource.ComposeTestCheckFunc( | ||
| resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.#", "1"), | ||
| resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.#", "1"), | ||
| ), |
There was a problem hiding this comment.
This should check the other event_selector attributes as well:
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.0.type", "AWS::S3::Object")
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.0.values.#", "2")
resource.TestMatchResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.0.values.0", regexp.MustCompile(`^arn:[^:]+:s3:::.+/foobar$`))
resource.TestMatchResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.0.values.1", regexp.MustCompile(`^arn:[^:]+:s3:::.+/baz$`))
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.include_management_events", "false"),
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.read_write_type", "ReadOnly"),
aws/resource_aws_cloudtrail.go
Outdated
| }, | ||
|
|
||
| "data_resource": &schema.Schema{ | ||
| Type: schema.TypeSet, |
There was a problem hiding this comment.
This might be easier to work with as a schema.TypeList (especially for acceptance testing) unless there's a good reason to keep it a set.
aws/resource_aws_cloudtrail_test.go
Outdated
| resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.#", "2"), | ||
| resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.#", "1"), | ||
| resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.1.data_resource.#", "2"), | ||
| ), |
There was a problem hiding this comment.
This should check the other event_selector attributes as well:
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.0.type", "AWS::S3::Object"),
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.0.values.#", "2"),
resource.TestMatchResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.0.values.0", regexp.MustCompile(`^arn:[^:]+:s3:::.+/foobar$`)),
resource.TestMatchResourceAttr("aws_cloudtrail.foobar", "event_selector.0.data_resource.0.values.1", regexp.MustCompile(`^arn:[^:]+:s3:::.+/baz$`)),
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.include_management_events", "true"),
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.0.read_write_type", "ReadOnly"),
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.1.data_resource.0.type", "AWS::S3::Object")
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.1.data_resource.0.values.#", "1"),
resource.TestMatchResourceAttr("aws_cloudtrail.foobar", "event_selector.1.data_resource.0.values.0", regexp.MustCompile(`^arn:[^:]+:s3:::.+/tf1$`)),
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.1.data_resource.1.type", "AWS::S3::Object"),
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.1.data_resource.1.values.#", "1"),
resource.TestMatchResourceAttr("aws_cloudtrail.foobar", "event_selector.1.data_resource.1.values.0", regexp.MustCompile(`^arn:[^:]+:s3:::.+/tf2$`)),
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.1.include_management_events", "false"),
resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "event_selector.1.read_write_type", "All"),
bflad
added
the
waiting-response
|
Thanks for reviews! |
kjmkznr
force-pushed
the
f-aws-cloudtrail-event-selector-param
branch
from
e101c27 to
1ac5f16
Compare
|
@bflad |
bflad
removed
the
waiting-response
There was a problem hiding this comment.
Thanks so much @kjmkznr for your work here! LGTM! 🚀
=== RUN TestAccAWSCloudTrailServiceAccount_basic
--- PASS: TestAccAWSCloudTrailServiceAccount_basic (10.50s)
=== RUN TestAccAWSCloudTrail_include_global_service_events
--- PASS: TestAccAWSCloudTrail_include_global_service_events (18.55s)
=== RUN TestAccAWSCloudTrail_importBasic
--- PASS: TestAccAWSCloudTrail_importBasic (19.74s)
=== RUN TestAccAWSCloudTrail
=== RUN TestAccAWSCloudTrail/Trail
=== RUN TestAccAWSCloudTrail/Trail/basic
=== RUN TestAccAWSCloudTrail/Trail/cloudwatch
=== RUN TestAccAWSCloudTrail/Trail/enableLogging
=== RUN TestAccAWSCloudTrail/Trail/tags
=== RUN TestAccAWSCloudTrail/Trail/eventSelector
=== RUN TestAccAWSCloudTrail/Trail/isMultiRegion
=== RUN TestAccAWSCloudTrail/Trail/logValidation
=== RUN TestAccAWSCloudTrail/Trail/kmsKey
--- PASS: TestAccAWSCloudTrail (257.44s)
|
Thanks! |
|
This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Closes #887
Add support
event_selectorparameter intoaws_cloudtrailresource.This feature supports settings to Amazon S3 object-level API operations logging.
AWS Documentations
Acceptance Test