diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 221c171..abcc8f4 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.4
+current_version = 2.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 60b519a..8cf5103 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+### 2.0.0
+
+**Released**: 2019.11.12
+
+**Commit Delta**: [Change from 1.0.3 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/1.0.3...2.0.0)
+
+**Summary**:
+
+* Add ability to define multiple event selectors
+
 ### 1.0.3
 **Released**: 2019.10.28
diff --git a/README.md b/README.md
index 3e50f63..3e06934 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ Creates an AWS Cloudtrail
 | cloudtrail\_bucket | Name of S3 bucket to send CloudTrail logs; bucket must already exist | string | `"null"` | no |
 | cloudtrail\_name | Name of the trail to create | string | `"null"` | no |
 | create\_cloudtrail | Controls whether to create the CloudTrail | bool | `"true"` | no |
+| event\_selectors | List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales | list | `` | no |
 | tags | A map of tags to add to the cloudtrail resource | map(string) | `` | no |
 ## Outputs
diff --git a/main.tf b/main.tf
index 8832c2b..6efa437 100644
--- a/main.tf
+++ b/main.tf
@@ -13,13 +13,21 @@ resource "aws_cloudtrail" "this" {
 is_multi_region_trail = true
 tags = var.tags
- event_selector {
- read_write_type = "All"
- include_management_events = true
+ dynamic "event_selector" {
+ iterator = event_selectors
+ for_each = var.event_selectors
+ content {
+ read_write_type = lookup(event_selectors.value, "read_write_type", "All")
+ include_management_events = lookup(event_selectors.value, "include_management_events", "true")
- data_resource {
- type = "AWS::Lambda::Function"
- values = ["arn:${data.aws_partition.current.partition}:lambda"]
+ dynamic "data_resource" {
+ iterator = data_resources
+ for_each = lookup(event_selectors.value, "data_resources", [])
+ content {
+ type = lookup(data_resources.value, "type", null)
+ values = lookup(data_resources.value, "values", [])
+ }
+ }
 }
 }
 }
diff --git a/tests/baseline/main.tf b/tests/baseline/main.tf
index 680b01d..c9d607f 100644
--- a/tests/baseline/main.tf
+++ b/tests/baseline/main.tf
@@ -21,7 +21,7 @@ resource "aws_s3_bucket" "this" {
 data "template_file" "this" {
 count = local.create_cloudtrail ? 1 : 0
- template = file("${path.module}/templates/cloudtrail-bucket-policy.json")
+ template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
 vars = {
 bucket = random_id.name.hex
diff --git a/tests/event_selector/README.md b/tests/event_selector/README.md
new file mode 100644
index 0000000..5406db2
--- /dev/null
+++ b/tests/event_selector/README.md
@@ -0,0 +1,3 @@
+# Event Selector Test
+
+
diff --git a/tests/event_selector/_docs/MAIN.md b/tests/event_selector/_docs/MAIN.md
new file mode 100644
index 0000000..9729815
--- /dev/null
+++ b/tests/event_selector/_docs/MAIN.md
@@ -0,0 +1 @@
+# Event Selector Test
diff --git a/tests/event_selector/main.tf b/tests/event_selector/main.tf
new file mode 100644
index 0000000..e576cf5
--- /dev/null
+++ b/tests/event_selector/main.tf
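Review bot: With `var.event_selectors` defaulting to `[]` (variables.tf hunk), the new `dynamic "event_selector"` emits no block at all, so the Lambda data-event selector (`AWS::Lambda::Function`, `read_write_type = "All"`) that the removed lines applied unconditionally disappears for every caller that does not set the variable, and the trail presumably reverts to CloudTrail's default of management events only; the 2.0.0 changelog entry says only "Add ability to define multiple event selectors" and should state this loss of data-event coverage and how to restore it. The `include_management_events` fallback is the string `"true"` while the new tests pass the bool `true`; `include_management_events = lookup(event_selectors.value, "include_management_events", true)` gives the default the argument's own type. `type = lookup(data_resources.value, "type", null)` substitutes null for a provider argument that has no meaningful default, so the lookup only obscures the requirement; `type = data_resources.value.type` states it directly. The enclosing `resource "aws_cloudtrail" "this"` block begins before this hunk.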
@@ -0,0 +1,54 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_partition" "current" {
+}
+
+locals {
+ create_cloudtrail = true
+ partition = "aws"
+}
+
+resource "random_id" "name" {
+ byte_length = 6
+ prefix = "tardigrade-cloudtrail-"
+}
+
+resource "aws_s3_bucket" "this" {
+ bucket = random_id.name.hex
+ policy = join("", data.template_file.this.*.rendered)
+ force_destroy = true
+}
+
+data "template_file" "this" {
+ count = local.create_cloudtrail ? 1 : 0
+
+ template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
+
+ vars = {
+ bucket = random_id.name.hex
+ partition = local.partition
+ }
+}
+
+module "baseline" {
+ source = "../../"
+
+ providers = {
+ aws = aws
+ }
+
+ create_cloudtrail = local.create_cloudtrail
+ cloudtrail_name = random_id.name.hex
+ cloudtrail_bucket = aws_s3_bucket.this.id
+
+ event_selectors = [{
+ "read_write_type" = "All"
+ "include_management_events" = true
+ "data_resources" = [{
+ "type" = "AWS::Lambda::Function"
+ "values" = ["arn:${data.aws_partition.current.partition}:lambda"]
+ }]
+ }]
+}
diff --git a/tests/multiple_event_selectors/README.md b/tests/multiple_event_selectors/README.md
new file mode 100644
index 0000000..140a518
--- /dev/null
+++ b/tests/multiple_event_selectors/README.md
@@ -0,0 +1,3 @@
+# Multiple Event Selector Test
+
+
diff --git a/tests/multiple_event_selectors/_docs/MAIN.md b/tests/multiple_event_selectors/_docs/MAIN.md
new file mode 100644
index 0000000..4cc9c07
--- /dev/null
+++ b/tests/multiple_event_selectors/_docs/MAIN.md
@@ -0,0 +1 @@
+# Multiple Event Selector Test
diff --git a/tests/multiple_event_selectors/main.tf b/tests/multiple_event_selectors/main.tf
new file mode 100644
index 0000000..7f760ac
--- /dev/null
+++ b/tests/multiple_event_selectors/main.tf
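Review bot: `partition = "aws"` in `locals` is hard-coded and handed to the bucket-policy template (`partition = local.partition`), while the Lambda ARN in `event_selectors` derives the same value from `data.aws_partition.current.partition`; in a non-`aws` partition the two would disagree and, if the template uses it for the CloudTrail principal or bucket ARN, the rendered policy would be wrong and log delivery presumably denied. Since `data "aws_partition" "current"` is already declared in this file, `partition = data.aws_partition.current.partition` in `locals` keeps both in step. The object keys are quoted (`"read_write_type" = "All"`) where bare identifiers (`read_write_type = "All"`) are the conventional HCL form used by the rest of the file.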
@@ -0,0 +1,72 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_partition" "current" {
+}
+
+locals {
+ create_cloudtrail = true
+ partition = "aws"
+}
+
+resource "random_id" "name" {
+ byte_length = 6
+ prefix = "tardigrade-cloudtrail-"
+}
+
+resource "aws_s3_bucket" "this" {
+ bucket = random_id.name.hex
+ policy = join("", data.template_file.this.*.rendered)
+ force_destroy = true
+}
+
+data "template_file" "this" {
+ count = local.create_cloudtrail ? 1 : 0
+
+ template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
+
+ vars = {
+ bucket = random_id.name.hex
+ partition = local.partition
+ }
+}
+
+module "baseline" {
+ source = "../../"
+
+ providers = {
+ aws = aws
+ }
+
+ create_cloudtrail = local.create_cloudtrail
+ cloudtrail_name = random_id.name.hex
+ cloudtrail_bucket = aws_s3_bucket.this.id
+
+ event_selectors = [
+ {
+ "read_write_type" = "All"
+ "include_management_events" = true
+ "data_resources" = [
+ {
+ "type" = "AWS::Lambda::Function"
+ "values" = ["arn:${data.aws_partition.current.partition}:lambda"]
+ },
+ {
+ type = "AWS::S3::Object"
+ values = ["arn:aws:s3:::"]
+ }
+ ]
+ },
+ {
+ "read_write_type" = "WriteOnly"
+ "include_management_events" = false
+ "data_resources" = [
+ {
+ type = "AWS::S3::Object"
+ values = ["${aws_s3_bucket.this.arn}/"]
+ }
+ ]
+ }
+ ]
+}
diff --git a/tests/baseline/templates/cloudtrail-bucket-policy.json b/tests/templates/cloudtrail-bucket-policy.json
similarity index 100%
rename from tests/baseline/templates/cloudtrail-bucket-policy.json
rename to tests/templates/cloudtrail-bucket-policy.json
diff --git a/variables.tf b/variables.tf
index d290259..4fa49ae 100644
--- a/variables.tf
+++ b/variables.tf
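Review bot: The second selector's `data_resources` targets the trail's own delivery bucket (`values = ["${aws_s3_bucket.this.arn}/"]` with `read_write_type = "WriteOnly"`), and the first selector's `arn:aws:s3:::` matches every bucket including that one; AWS documents that logging S3 data events for the bucket that receives the trail's log files records each log delivery as a further data event, so the fixture exercises a pattern the module's users should not copy. A second bucket (or a prefix the trail never writes to) would make the example safe to imitate. `arn:aws:s3:::` also hard-codes the partition on the line after `data.aws_partition.current.partition` is used; `"arn:${data.aws_partition.current.partition}:s3:::"` keeps the two consistent. Keys are quoted in the first data_resource (`"type"`) and bare in the others (`type`); one style throughout.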
@@ -16,6 +16,12 @@ variable "cloudtrail_bucket" {
 default = null
 }
+variable "event_selectors" {
+ description = "List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales"
+ type = list
+ default = []
+}
+
 variable "tags" {
 description = "A map of tags to add to the cloudtrail resource"
 type = map(string)
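Review bot: The `description` lists `type` and `values` as top-level keys of each map, but main.tf reads them from a nested `data_resources` list (`lookup(event_selectors.value, "data_resources", [])`), so the documented shape is not the one the module consumes; rewrite it to name the `data_resources` list of `{ type, values }` maps and the defaults applied when `read_write_type` or `include_management_events` is omitted, and fix "map vales" to "map values" (the README hunk repeats the typo). `type = list` is the legacy shorthand with no element type; `type = list(any)` is the explicit 0.12 form, and an `object` constraint would require every key in every element, which the `lookup` defaults in main.tf exist to avoid, so `list(any)` is the practical choice here.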