Merge pull request #146 from plus3it/Allow-Cloudwatch-logs-to-not-be-…

…used Allow-Cloudwatch-logs-to-not-be-used
plus3it · Aug 22, 2022 · 5217a05 · 5217a05
2 parents 00e39a3 + 181659f
commit 5217a05
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 7 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 6.0.0
+current_version = 6.1.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 6.1.0
+
+**Released**: 2022.08.18
+
+**Commit Delta**: [Change from 6.0.0 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/6.0.0...6.1.0)
+
+**Summary**:
+
+*   Add feature to be able to set whether to use CloudWatch logs
+
 ### 3.0.0
 
 **Released**: 2020.05.18

diff --git a/README.md b/README.md
@@ -47,13 +47,15 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
 | <a name="input_cloudtrail_name"></a> [cloudtrail\_name](#input\_cloudtrail\_name) | Name of the trail to create | `string` | `null` | no |
 | <a name="input_create_kms_key"></a> [create\_kms\_key](#input\_create\_kms\_key) | Controls whether to create a kms key that Cloudtrail will use to encrypt the logs | `bool` | `true` | no |
 | <a name="input_enable_log_file_validation"></a> [enable\_log\_file\_validation](#input\_enable\_log\_file\_validation) | Specifies whether log file integrity validation is enabled | `bool` | `true` | no |
+| <a name="input_enable_logging"></a> [enable\_logging](#input\_enable\_logging) | Specifies whether to enable logging if it is configured | `bool` | `true` | no |
 | <a name="input_event_selectors"></a> [event\_selectors](#input\_event\_selectors) | List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales | `list(any)` | `[]` | no |
 | <a name="input_include_global_service_events"></a> [include\_global\_service\_events](#input\_include\_global\_service\_events) | Specifies whether the trail is publishing events from global services such as IAM to the log files | `bool` | `true` | no |
 | <a name="input_is_multi_region_trail"></a> [is\_multi\_region\_trail](#input\_is\_multi\_region\_trail) | Specifies whether the trail is created in the current region or in all regions | `bool` | `true` | no |
 | <a name="input_kms_key_alias"></a> [kms\_key\_alias](#input\_kms\_key\_alias) | (Optional) The display name of the alias | `string` | `"terraform-cloudtrail-kms-key"` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | (Optional) ARN of the kms key used to encrypt the CloudTrail logs. | `string` | `null` | no |
 | <a name="input_retention_in_days"></a> [retention\_in\_days](#input\_retention\_in\_days) | (Optional) Specifies the number of days to retain log events in the log group. Only works if module creates the log group | `number` | `7` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the cloudtrail resource | `map(string)` | `{}` | no |
+| <a name="input_use_cloud_watch_logs"></a> [use\_cloud\_watch\_logs](#input\_use\_cloud\_watch\_logs) | Specifies whether to use a CloudWatch log group for this trail | `bool` | `true` | no |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -1,11 +1,11 @@
 ### LOCALS ###
 locals {
   # cloudwatch log group integration
-  create_log_group            = var.cloud_watch_logs_group_name == null
+  create_log_group            = var.use_cloud_watch_logs ? var.cloud_watch_logs_group_name == null : false
   cloud_watch_logs_group_name = local.create_log_group ? "/aws/cloudtrail/${format("%v", var.cloudtrail_name)}" : var.cloud_watch_logs_group_name
-  cloud_watch_logs_group_arn  = local.create_log_group ? "${aws_cloudwatch_log_group.this[0].arn}:*" : data.aws_cloudwatch_log_group.this[0].arn
+  cloud_watch_logs_group_arn  = var.use_cloud_watch_logs ? local.create_log_group ? "${aws_cloudwatch_log_group.this[0].arn}:*" : "${data.aws_cloudwatch_log_group.this[0].arn}:*" : null
 
-  create_log_group_role     = var.cloud_watch_logs_role_arn == null
+  create_log_group_role     = var.use_cloud_watch_logs ? var.cloud_watch_logs_role_arn == null : false
   cloud_watch_logs_role_arn = local.create_log_group_role ? aws_iam_role.this[0].arn : var.cloud_watch_logs_role_arn
 
   # kms integration
@@ -68,13 +68,14 @@ resource "aws_cloudtrail" "this" {
   name                          = var.cloudtrail_name
   s3_bucket_name                = var.cloudtrail_bucket
   enable_log_file_validation    = var.enable_log_file_validation
+  enable_logging                = var.enable_logging
   include_global_service_events = var.include_global_service_events
   is_multi_region_trail         = var.is_multi_region_trail
   tags                          = var.tags
   kms_key_id                    = local.kms_key_id
 
-  cloud_watch_logs_group_arn = local.cloud_watch_logs_group_arn
-  cloud_watch_logs_role_arn  = local.cloud_watch_logs_role_arn
+  cloud_watch_logs_group_arn = var.use_cloud_watch_logs ? local.cloud_watch_logs_group_arn : null
+  cloud_watch_logs_role_arn  = var.use_cloud_watch_logs ? local.cloud_watch_logs_role_arn : null
 
   dynamic "event_selector" {
     iterator = event_selectors
@@ -103,7 +104,7 @@ data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
 data "aws_cloudwatch_log_group" "this" {
-  count = !local.create_log_group ? 1 : 0
+  count = var.use_cloud_watch_logs && !local.create_log_group ? 1 : 0
 
   name = var.cloud_watch_logs_group_name
 }

diff --git a/tests/no_log_group/main.tf b/tests/no_log_group/main.tf
@@ -0,0 +1,32 @@
+locals {
+  partition = "aws"
+}
+
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "tardigrade-cloudtrail-"
+}
+
+resource "aws_s3_bucket" "this" {
+  bucket        = random_id.name.hex
+  force_destroy = true
+
+  policy = templatefile(
+    "${path.module}/../templates/cloudtrail-bucket-policy.json",
+    {
+      bucket    = random_id.name.hex
+      partition = local.partition
+    }
+  )
+}
+
+module "baseline" {
+  source = "../../"
+
+  create_kms_key             = false
+  cloudtrail_name            = random_id.name.hex
+  cloudtrail_bucket          = aws_s3_bucket.this.id
+  use_cloud_watch_logs       = false
+  enable_log_file_validation = false
+  enable_logging             = false
+}
diff --git a/variables.tf b/variables.tf
@@ -16,6 +16,12 @@ variable "enable_log_file_validation" {
   default     = true
 }
 
+variable "enable_logging" {
+  description = "Specifies whether to enable logging if it is configured"
+  type        = bool
+  default     = true
+}
+
 variable "include_global_service_events" {
   description = "Specifies whether the trail is publishing events from global services such as IAM to the log files"
   type        = bool
@@ -46,6 +52,12 @@ variable "cloudtrail_bucket" {
   default     = null
 }
 
+variable "use_cloud_watch_logs" {
+  description = "Specifies whether to use a CloudWatch log group for this trail"
+  type        = bool
+  default     = true
+}
+
 variable "cloud_watch_logs_group_name" {
   description = "(Optional) Name of preexisting log group to use; by default the module will create a log group"
   type        = string