diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 83f09ed..c61c792 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 4.1.1
+current_version = 5.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False
diff --git a/README.md b/README.md
index f548f45..7d6448d 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,6 @@ Creates an AWS Cloudtrail
 | cloud\_watch\_logs\_role\_arn | (Optional) Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group. | `string` | `null` | no |
 | cloudtrail\_bucket | Name of S3 bucket to send CloudTrail logs; bucket must already exist | `string` | `null` | no |
 | cloudtrail\_name | Name of the trail to create | `string` | `null` | no |
-| create\_cloudtrail | Controls whether to create the CloudTrail | `bool` | `true` | no |
 | create\_kms\_key | Controls whether to create a kms key that Cloudtrail will use to encrypt the logs | `bool` | `true` | no |
 | enable\_log\_file\_validation | Specifies whether log file integrity validation is enabled | `bool` | `true` | no |
 | event\_selectors | List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales | `list(any)` | `[]` | no |
diff --git a/main.tf b/main.tf
index 6dcc978..f556dd6 100644
--- a/main.tf
+++ b/main.tf
@@ -25,7 +25,7 @@ locals {
 ### RESOURCES ###
 # Create CloudWatch Log Group
 resource "aws_cloudwatch_log_group" "this" {
- count = var.create_cloudtrail && local.create_log_group ? 1 : 0
+ count = local.create_log_group ? 1 : 0
 name = local.cloud_watch_logs_group_name
 retention_in_days = var.retention_in_days
@@ -33,7 +33,7 @@ resource "aws_cloudwatch_log_group" "this" {
 # Create IAM Policy
 resource "aws_iam_policy" "this" {
- count = var.create_cloudtrail && local.create_log_group_role ? 1 : 0
+ count = local.create_log_group_role ? 1 : 0
 name = var.cloudtrail_name
 policy = data.aws_iam_policy_document.write_logs[0].json
@@ -41,7 +41,7 @@ resource "aws_iam_policy" "this" {
 # Create IAM Role
 resource "aws_iam_role" "this" {
- count = var.create_cloudtrail && local.create_log_group_role ? 1 : 0
+ count = local.create_log_group_role ? 1 : 0
 name = var.cloudtrail_name
 assume_role_policy = data.aws_iam_policy_document.assume_role[0].json
@@ -50,7 +50,7 @@ resource "aws_iam_role" "this" {
 # Attach Policy to IAM Role
 resource "aws_iam_policy_attachment" "this" {
- count = var.create_cloudtrail && local.create_log_group_role ? 1 : 0
+ count = local.create_log_group_role ? 1 : 0
 name = var.cloudtrail_name
 roles = [aws_iam_role.this[0].name]
@@ -69,7 +69,6 @@ module "kms" {
 }
 resource "aws_cloudtrail" "this" {
- count = var.create_cloudtrail ? 1 : 0
 name = var.cloudtrail_name
 s3_bucket_name = var.cloudtrail_bucket
@@ -102,26 +101,20 @@ resource "aws_cloudtrail" "this" {
 }
 ### DATA SOURCES ###
-data "aws_partition" "current" {
- count = var.create_cloudtrail ? 1 : 0
-}
+data "aws_partition" "current" {}
-data "aws_region" "current" {
- count = var.create_cloudtrail ? 1 : 0
-}
+data "aws_region" "current" {}
-data "aws_caller_identity" "current" {
- count = var.create_cloudtrail ? 1 : 0
-}
+data "aws_caller_identity" "current" {}
 data "aws_cloudwatch_log_group" "this" {
- count = var.create_cloudtrail && !local.create_log_group ? 1 : 0
+ count = !local.create_log_group ? 1 : 0
 name = var.cloud_watch_logs_group_name
 }
 data "aws_iam_policy_document" "assume_role" {
- count = var.create_cloudtrail && local.create_log_group_role ? 1 : 0
+ count = local.create_log_group_role ? 1 : 0
 statement {
 actions = ["sts:AssumeRole"]
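Review bot: Dropping `count` from `resource "aws_cloudtrail" "this"` in the `@@ -69,7 +69,6 @@` hunk changes the resource's state address from `aws_cloudtrail.this[0]` to `aws_cloudtrail.this`, so on upgrade Terraform will plan to destroy the existing trail and create a new one instead of keeping it, which for an audit trail means a window with no log delivery and a new trail ARN that downstream consumers (alarms, the KMS key policy condition on `trail/*`) may not expect. Nothing in this commit tells users to move the state entry first; I would add a migration step to the README next to the removal of `create_cloudtrail`, e.g. `terraform state mv 'module.<module_name>.aws_cloudtrail.this[0]' 'module.<module_name>.aws_cloudtrail.this'` (module_name is a placeholder for the caller's module label), or a `moved` block if the module's required Terraform version supports it. The log group, role, policy and attachment keep their `[0]` index so they are unaffected, and the data sources that lose their index carry no state to migrate. The `aws_cloudtrail` block continues outside the hunk.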
@@ -134,7 +127,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 data "aws_iam_policy_document" "write_logs" {
- count = var.create_cloudtrail && local.create_log_group_role ? 1 : 0
+ count = local.create_log_group_role ? 1 : 0
 statement {
 sid = "WriteCloudWatchLogs"
@@ -145,7 +138,7 @@ data "aws_iam_policy_document" "write_logs" {
 ]
 resources = [
- "arn:${data.aws_partition.current[0].partition}:logs:${data.aws_region.current[0].name}:${data.aws_caller_identity.current[0].account_id}:log-group:${local.cloud_watch_logs_group_name}:log-stream:*"
+ "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.cloud_watch_logs_group_name}:log-stream:*"
 ]
 }
 }
@@ -179,7 +172,7 @@ data "aws_iam_policy_document" "kms_key_policy" {
 variable = "kms:EncryptionContext:aws:cloudtrail:arn"
 values = [
- "arn:${data.aws_partition.current[0].partition}:cloudtrail:*:${data.aws_caller_identity.current[0].account_id}:trail/*"
+ "arn:${data.aws_partition.current.partition}:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
 ]
 }
@@ -215,7 +208,7 @@ data "aws_iam_policy_document" "kms_key_policy" {
 variable = "kms:EncryptionContext:aws:cloudtrail:arn"
 values = [
- "arn:${data.aws_partition.current[0].partition}:cloudtrail:*:${data.aws_caller_identity.current[0].account_id}:trail/*"
+ "arn:${data.aws_partition.current.partition}:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
 ]
 }
@@ -224,7 +217,7 @@ data "aws_iam_policy_document" "kms_key_policy" {
 variable = "kms:CallerAccount"
 values = [
- data.aws_caller_identity.current[0].account_id
+ data.aws_caller_identity.current.account_id
 ]
 }
diff --git a/outputs.tf b/outputs.tf
index 1c72352..c7796a3 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,25 +1,25 @@
 # CloudTrail
 output "cloudtrail_id" {
 description = "The name of the trail"
- value = join("", aws_cloudtrail.this.*.id)
+ value = aws_cloudtrail.this.id
 }
 output "cloudtrail_home_region" {
 description = "The region in which the trail was created"
- value = join("", aws_cloudtrail.this.*.home_region)
+ value = aws_cloudtrail.this.home_region
 }
 output "cloudtrail_arn" {
 description = "The Amazon Resource Name of the trail"
- value = join("", aws_cloudtrail.this.*.arn)
+ value = aws_cloudtrail.this.arn
 }
 output "log_group" {
 description = "The CloudWatch log group object created when no previous log group is declared"
- value = length(aws_cloudwatch_log_group.this) > 0 ? aws_cloudwatch_log_group.this[0] : null
+ value = local.create_log_group ? aws_cloudwatch_log_group.this[0] : null
 }
 output "kms_key_id" {
 description = "The KMS Key ARN used to encrypt the logs"
- value = length(aws_cloudtrail.this) > 0 ? aws_cloudtrail.this[0].kms_key_id : null
+ value = aws_cloudtrail.this.kms_key_id
 }
diff --git a/tests/baseline/main.tf b/tests/baseline/main.tf
index dc22454..b7ad18e 100644
--- a/tests/baseline/main.tf
+++ b/tests/baseline/main.tf
@@ -3,8 +3,7 @@ provider "aws" {
 }
 locals {
- create_cloudtrail = true
- partition = "aws"
+ partition = "aws"
 }
 resource "random_id" "name" {
@@ -19,8 +18,6 @@ resource "aws_s3_bucket" "this" {
 }
 data "template_file" "this" {
- count = local.create_cloudtrail ? 1 : 0
-
 template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
 vars = {
@@ -36,7 +33,6 @@ module "baseline" {
 aws = aws
 }
- create_cloudtrail = local.create_cloudtrail
 create_kms_key = false
 cloudtrail_name = random_id.name.hex
 cloudtrail_bucket = aws_s3_bucket.this.id
diff --git a/tests/cocreate_kms_key/main.tf b/tests/cocreate_kms_key/main.tf
index c3d1ffc..bb65418 100644
--- a/tests/cocreate_kms_key/main.tf
+++ b/tests/cocreate_kms_key/main.tf
@@ -30,7 +30,6 @@ module "cocreate_kms_key" {
 aws = aws
 }
- create_cloudtrail = true
 create_kms_key = true
 cloudtrail_name = data.terraform_remote_state.prereq.outputs.random_name
 cloudtrail_bucket = data.terraform_remote_state.prereq.outputs.bucket_id
diff --git a/tests/event_selector/main.tf b/tests/event_selector/main.tf
index 67bcc4a..a0430c0 100644
--- a/tests/event_selector/main.tf
+++ b/tests/event_selector/main.tf
@@ -6,8 +6,7 @@ data "aws_partition" "current" {
 }
 locals {
- create_cloudtrail = true
- partition = "aws"
+ partition = "aws"
 }
 resource "random_id" "name" {
@@ -22,8 +21,6 @@ resource "aws_s3_bucket" "this" {
 }
 data "template_file" "this" {
- count = local.create_cloudtrail ? 1 : 0
-
 template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
 vars = {
@@ -39,7 +36,6 @@ module "event_selector" {
 aws = aws
 }
- create_cloudtrail = local.create_cloudtrail
 cloudtrail_name = random_id.name.hex
 cloudtrail_bucket = aws_s3_bucket.this.id
diff --git a/tests/multiple_event_selectors/main.tf b/tests/multiple_event_selectors/main.tf
index 6dd9c6a..6a01d46 100644
--- a/tests/multiple_event_selectors/main.tf
+++ b/tests/multiple_event_selectors/main.tf
@@ -6,8 +6,7 @@ data "aws_partition" "current" {
 }
 locals {
- create_cloudtrail = true
- partition = "aws"
+ partition = "aws"
 }
 resource "random_id" "name" {
@@ -22,8 +21,6 @@ resource "aws_s3_bucket" "this" {
 }
 data "template_file" "this" {
- count = local.create_cloudtrail ? 1 : 0
-
 template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
 vars = {
@@ -39,7 +36,6 @@ module "multiple_event_selectors" {
 aws = aws
 }
- create_cloudtrail = local.create_cloudtrail
 cloudtrail_name = random_id.name.hex
 cloudtrail_bucket = aws_s3_bucket.this.id
diff --git a/tests/no_cloudtrail/main.tf b/tests/no_cloudtrail/main.tf
deleted file mode 100644
index 56e1a52..0000000
--- a/tests/no_cloudtrail/main.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-provider "aws" {
- region = "us-east-1"
-}
-
-module "no_cloudtrail" {
- source = "../../"
-
- providers = {
- aws = aws
- }
-
- create_cloudtrail = false
- create_kms_key = false
-}
diff --git a/tests/premade_cwl_group/main.tf b/tests/premade_cwl_group/main.tf
index 4c938dd..67add35 100644
--- a/tests/premade_cwl_group/main.tf
+++ b/tests/premade_cwl_group/main.tf
@@ -10,8 +10,7 @@ data "terraform_remote_state" "prereq" {
 }
 locals {
- create_cloudtrail = true
- partition = "aws"
+ partition = "aws"
 }
 resource "random_id" "name" {
@@ -26,8 +25,6 @@ resource "aws_s3_bucket" "this" {
 }
 data "template_file" "this" {
- count = local.create_cloudtrail ? 1 : 0
-
 template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
 vars = {
@@ -43,7 +40,6 @@ module "premade_cwl_group" {
 aws = aws
 }
- create_cloudtrail = local.create_cloudtrail
 cloudtrail_name = random_id.name.hex
 cloudtrail_bucket = aws_s3_bucket.this.id
 cloud_watch_logs_group_name = data.terraform_remote_state.prereq.outputs.cwl_group_name
diff --git a/tests/premade_cwl_role/main.tf b/tests/premade_cwl_role/main.tf
index 70a2fc7..3d21a72 100644
--- a/tests/premade_cwl_role/main.tf
+++ b/tests/premade_cwl_role/main.tf
@@ -10,8 +10,7 @@ data "terraform_remote_state" "prereq" {
 }
 locals {
- create_cloudtrail = true
- partition = "aws"
+ partition = "aws"
 }
 resource "random_id" "name" {
@@ -26,8 +25,6 @@ resource "aws_s3_bucket" "this" {
 }
 data "template_file" "this" {
- count = local.create_cloudtrail ? 1 : 0
-
 template = file("${path.module}/../templates/cloudtrail-bucket-policy.json")
 vars = {
@@ -43,7 +40,6 @@ module "premade_cwl_role" {
 aws = aws
 }
- create_cloudtrail = local.create_cloudtrail
 cloudtrail_name = random_id.name.hex
 cloudtrail_bucket = aws_s3_bucket.this.id
 cloud_watch_logs_group_name = data.terraform_remote_state.prereq.outputs.cwl_group_name
diff --git a/tests/premade_kms_key/main.tf b/tests/premade_kms_key/main.tf
index f69a9ad..c34782e 100644
--- a/tests/premade_kms_key/main.tf
+++ b/tests/premade_kms_key/main.tf
@@ -16,7 +16,6 @@ module "premade_kms_key" {
 aws = aws
 }
- create_cloudtrail = true
 cloudtrail_name = data.terraform_remote_state.prereq.outputs.random_name
 cloudtrail_bucket = data.terraform_remote_state.prereq.outputs.bucket_id
 kms_key_id = data.terraform_remote_state.prereq.outputs.kms_key_id
diff --git a/variables.tf b/variables.tf
index 6dba7a7..438a106 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,9 +1,3 @@
-variable "create_cloudtrail" {
- description = "Controls whether to create the CloudTrail"
- type = bool
- default = true
-}
-
 variable "cloudtrail_name" {
 description = "Name of the trail to create"
 type = string