Merge pull request #25 from confusdcodr/event_selectors

Add ability to add multiple event selectors
plus3it · Nov 15, 2019 · 31080db · 31080db
2 parents da881d4 + e1ad9ee
commit 31080db
Show file tree

Hide file tree

Showing 13 changed files with 167 additions and 8 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.4
+current_version = 2.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 2.0.0
+
+**Released**: 2019.11.12
+
+**Commit Delta**: [Change from 1.0.3 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/1.0.3...2.0.0)
+
+**Summary**:
+
+*   Add ability to define multiple event selectors
+
 ### 1.0.3
 
 **Released**: 2019.10.28

diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@ Creates an AWS Cloudtrail
 | cloudtrail\_bucket | Name of S3 bucket to send CloudTrail logs; bucket must already exist | string | `"null"` | no |
 | cloudtrail\_name | Name of the trail to create | string | `"null"` | no |
 | create\_cloudtrail | Controls whether to create the CloudTrail | bool | `"true"` | no |
+| event\_selectors | List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales | list | `<list>` | no |
 | tags | A map of tags to add to the cloudtrail resource | map(string) | `<map>` | no |
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -13,13 +13,21 @@ resource "aws_cloudtrail" "this" {
   is_multi_region_trail      = true
   tags                       = var.tags
 
-  event_selector {
-    read_write_type           = "All"
-    include_management_events = true
+  dynamic "event_selector" {
+    iterator = event_selectors
+    for_each = var.event_selectors
+    content {
+      read_write_type           = lookup(event_selectors.value, "read_write_type", "All")
+      include_management_events = lookup(event_selectors.value, "include_management_events", "true")
 
-    data_resource {
-      type   = "AWS::Lambda::Function"
-      values = ["arn:${data.aws_partition.current.partition}:lambda"]
+      dynamic "data_resource" {
+        iterator = data_resources
+        for_each = lookup(event_selectors.value, "data_resources", [])
+        content {
+          type   = lookup(data_resources.value, "type", null)
+          values = lookup(data_resources.value, "values", [])
+        }
+      }
     }
   }
 }
diff --git a/tests/baseline/main.tf b/tests/baseline/main.tf
@@ -21,7 +21,7 @@ resource "aws_s3_bucket" "this" {
 data "template_file" "this" {
   count = local.create_cloudtrail ? 1 : 0
 
-  template = file("${path.module}/templates/cloudtrail-bucket-policy.json")
+  template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
 
   vars = {
     bucket    = random_id.name.hex

diff --git a/tests/event_selector/README.md b/tests/event_selector/README.md
@@ -0,0 +1,3 @@
+# Event Selector Test
+
+
diff --git a/tests/event_selector/_docs/MAIN.md b/tests/event_selector/_docs/MAIN.md
@@ -0,0 +1 @@
+# Event Selector Test
diff --git a/tests/event_selector/main.tf b/tests/event_selector/main.tf
@@ -0,0 +1,54 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+data "aws_partition" "current" {
+}
+
+locals {
+  create_cloudtrail = true
+  partition         = "aws"
+}
+
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "tardigrade-cloudtrail-"
+}
+
+resource "aws_s3_bucket" "this" {
+  bucket        = random_id.name.hex
+  policy        = join("", data.template_file.this.*.rendered)
+  force_destroy = true
+}
+
+data "template_file" "this" {
+  count = local.create_cloudtrail ? 1 : 0
+
+  template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
+
+  vars = {
+    bucket    = random_id.name.hex
+    partition = local.partition
+  }
+}
+
+module "baseline" {
+  source = "../../"
+
+  providers = {
+    aws = aws
+  }
+
+  create_cloudtrail = local.create_cloudtrail
+  cloudtrail_name   = random_id.name.hex
+  cloudtrail_bucket = aws_s3_bucket.this.id
+
+  event_selectors = [{
+    "read_write_type"           = "All"
+    "include_management_events" = true
+    "data_resources" = [{
+      "type"   = "AWS::Lambda::Function"
+      "values" = ["arn:${data.aws_partition.current.partition}:lambda"]
+    }]
+  }]
+}
diff --git a/tests/multiple_event_selectors/README.md b/tests/multiple_event_selectors/README.md
@@ -0,0 +1,3 @@
+# Multiple Event Selector Test
+
+
diff --git a/tests/multiple_event_selectors/_docs/MAIN.md b/tests/multiple_event_selectors/_docs/MAIN.md
@@ -0,0 +1 @@
+# Multiple Event Selector Test
diff --git a/tests/multiple_event_selectors/main.tf b/tests/multiple_event_selectors/main.tf
@@ -0,0 +1,72 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+data "aws_partition" "current" {
+}
+
+locals {
+  create_cloudtrail = true
+  partition         = "aws"
+}
+
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "tardigrade-cloudtrail-"
+}
+
+resource "aws_s3_bucket" "this" {
+  bucket        = random_id.name.hex
+  policy        = join("", data.template_file.this.*.rendered)
+  force_destroy = true
+}
+
+data "template_file" "this" {
+  count = local.create_cloudtrail ? 1 : 0
+
+  template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
+
+  vars = {
+    bucket    = random_id.name.hex
+    partition = local.partition
+  }
+}
+
+module "baseline" {
+  source = "../../"
+
+  providers = {
+    aws = aws
+  }
+
+  create_cloudtrail = local.create_cloudtrail
+  cloudtrail_name   = random_id.name.hex
+  cloudtrail_bucket = aws_s3_bucket.this.id
+
+  event_selectors = [
+    {
+      "read_write_type"           = "All"
+      "include_management_events" = true
+      "data_resources" = [
+        {
+          "type"   = "AWS::Lambda::Function"
+          "values" = ["arn:${data.aws_partition.current.partition}:lambda"]
+        },
+        {
+          type   = "AWS::S3::Object"
+          values = ["arn:aws:s3:::"]
+        }
+      ]
+    },
+    {
+      "read_write_type"           = "WriteOnly"
+      "include_management_events" = false
+      "data_resources" = [
+        {
+          type   = "AWS::S3::Object"
+          values = ["${aws_s3_bucket.this.arn}/"]
+        }
+      ]
+    }
+  ]
+}
diff --git a/...e/templates/cloudtrail-bucket-policy.json → ...s/templates/cloudtrail-bucket-policy.json b/...e/templates/cloudtrail-bucket-policy.json → ...s/templates/cloudtrail-bucket-policy.json
diff --git a/variables.tf b/variables.tf
@@ -16,6 +16,12 @@ variable "cloudtrail_bucket" {
   default     = null
 }
 
+variable "event_selectors" {
+  description = "List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales"
+  type        = list
+  default     = []
+}
+
 variable "tags" {
   description = "A map of tags to add to the cloudtrail resource"
   type        = map(string)