Merge pull request #150 from plus3it/advanced_event_selector

Adds advanced_event_selector support
plus3it · Sep 1, 2022 · 7d19ae5 · 7d19ae5
2 parents b5b2cbe + 9f6c761
commit 7d19ae5
Show file tree

Hide file tree

Showing 7 changed files with 105 additions and 9 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 6.2.0
+current_version = 6.3.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,11 +4,21 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 6.3.0
+
+**Released**: 2022.09.01
+
+**Commit Delta**: [Change from 6.2.0 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/6.2.0...6.3.0)
+
+**Summary**:
+
+*   Adds advanced_event_selectors support
+
 ### 6.2.0
 
 **Released**: 2022.08.22
 
-**Commit Delta**: [Change from 6.0.0 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/6.1.0...6.0.0)
+**Commit Delta**: [Change from 6.1.0 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/6.1.0...6.2.0)
 
 **Summary**:
 

diff --git a/README.md b/README.md
@@ -41,6 +41,7 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_advanced_event_selectors"></a> [advanced\_event\_selectors](#input\_advanced\_event\_selectors) | Specifies an advanced event selector for enabling data event logging.  Contains an options name for the selector and a list of maps specifying field\_selectors. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the field selectors | `list(any)` | `[]` | no |
 | <a name="input_cloud_watch_logs_group_name"></a> [cloud\_watch\_logs\_group\_name](#input\_cloud\_watch\_logs\_group\_name) | (Optional) Name of preexisting log group to use; by default the module will create a log group | `string` | `null` | no |
 | <a name="input_cloud_watch_logs_role_arn"></a> [cloud\_watch\_logs\_role\_arn](#input\_cloud\_watch\_logs\_role\_arn) | (Optional) Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group. | `string` | `null` | no |
 | <a name="input_cloudtrail_bucket"></a> [cloudtrail\_bucket](#input\_cloudtrail\_bucket) | Name of S3 bucket to send CloudTrail logs; bucket must already exist | `string` | `null` | no |

diff --git a/main.tf b/main.tf
@@ -79,18 +79,36 @@ resource "aws_cloudtrail" "this" {
   cloud_watch_logs_role_arn  = var.use_cloud_watch_logs ? local.cloud_watch_logs_role_arn : null
 
   dynamic "event_selector" {
-    iterator = event_selectors
     for_each = var.event_selectors
     content {
-      read_write_type           = lookup(event_selectors.value, "read_write_type", "All")
-      include_management_events = lookup(event_selectors.value, "include_management_events", "true")
+      read_write_type           = try(event_selector.value.read_write_type, "All")
+      include_management_events = try(event_selector.value.include_management_events, "true")
 
       dynamic "data_resource" {
-        iterator = data_resources
-        for_each = lookup(event_selectors.value, "data_resources", [])
+        for_each = try(event_selector.value.data_resources, [])
         content {
-          type   = lookup(data_resources.value, "type", null)
-          values = lookup(data_resources.value, "values", [])
+          type   = try(data_resource.value.type, null)
+          values = try(data_resource.value.values, [])
+        }
+      }
+    }
+  }
+
+  dynamic "advanced_event_selector" {
+    for_each = var.advanced_event_selectors
+    content {
+      name = try(advanced_event_selector.value.name, null) //optional
+
+      dynamic "field_selector" {
+        for_each = try(advanced_event_selector.value.field_selectors, [])
+        content {
+          field           = try(field_selector.value.field, null)           //required
+          equals          = try(field_selector.value.equals, null)          //optional
+          not_equals      = try(field_selector.value.not_equals, null)      //optional
+          starts_with     = try(field_selector.value.starts_with, null)     //optional
+          not_starts_with = try(field_selector.value.not_starts_with, null) //optional
+          ends_with       = try(field_selector.value.ends_with, null)       //optional
+          not_ends_with   = try(field_selector.value.not_ends_with, null)   //optional
         }
       }
     }

diff --git a/tests/advanced_event_selector/main.tf b/tests/advanced_event_selector/main.tf
@@ -0,0 +1,53 @@
+data "aws_partition" "current" {}
+
+data "terraform_remote_state" "prereq" {
+  backend = "local"
+  config = {
+    path = "prereq/terraform.tfstate"
+  }
+}
+
+locals {
+  test_id = data.terraform_remote_state.prereq.outputs.random_name
+}
+
+resource "aws_s3_bucket" "this" {
+  bucket        = local.test_id
+  force_destroy = true
+
+  policy = templatefile(
+    "${path.module}/../templates/cloudtrail-bucket-policy.json",
+    {
+      bucket    = local.test_id
+      partition = data.aws_partition.current.partition
+    }
+  )
+}
+
+module "advanced_event_selector" {
+  source = "../../"
+
+  cloudtrail_name   = local.test_id
+  cloudtrail_bucket = aws_s3_bucket.this.id
+  kms_key_alias     = local.test_id
+
+  advanced_event_selectors = [
+    {
+      name = "S3EventSelector"
+      field_selectors = [
+        {
+          field  = "eventCategory"
+          equals = ["Data"]
+        },
+        {
+          field  = "resources.type"
+          equals = ["AWS::S3::Object"]
+        },
+        {
+          field       = "resources.ARN"
+          starts_with = ["arn:aws:s3:::test"]
+        }
+      ]
+    },
+  ]
+}
diff --git a/tests/advanced_event_selector/prereq/main.tf b/tests/advanced_event_selector/prereq/main.tf
@@ -0,0 +1,8 @@
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "tardigrade-cloudtrail-"
+}
+
+output "random_name" {
+  value = random_id.name.hex
+}
diff --git a/variables.tf b/variables.tf
@@ -88,6 +88,12 @@ variable "event_selectors" {
   default     = []
 }
 
+variable "advanced_event_selectors" {
+  description = "Specifies an advanced event selector for enabling data event logging.  Contains an options name for the selector and a list of maps specifying field_selectors. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the field selectors"
+  type        = list(any)
+  default     = []
+}
+
 variable "tags" {
   description = "A map of tags to add to the cloudtrail resource"
   type        = map(string)