From 24c831d99dd5276883221dbbae568cfc68c1c5a7 Mon Sep 17 00:00:00 2001
From: cahnk <99229283*cahnk@users.noreply.github.com>
Date: Thu, 1 Sep 2022 14:08:30 -0600
Subject: [PATCH 1/2] Adds advanced_event_selector support

---
 .bumpversion.cfg | 2 +-
 CHANGELOG.md | 12 ++++-
 README.md | 1 +
 main.tf | 22 ++++++++
 tests/advanced_event_selector/main.tf | 53 ++++++++++++++++++++
 tests/advanced_event_selector/prereq/main.tf | 8 +++
 variables.tf | 6 +++
 7 files changed, 102 insertions(+), 2 deletions(-)
 create mode 100644 tests/advanced_event_selector/main.tf
 create mode 100644 tests/advanced_event_selector/prereq/main.tf

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 0d9bde9..069b8e7 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 6.2.0
+current_version = 6.3.0
 commit = True
 message = Bumps version to {new_version}
 tag = False
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c6dbdd..9904577 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,11 +4,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+### 6.3.0
+
+**Released**: 2022.09.01
+
+**Commit Delta**: [Change from 6.2.0 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/6.2.0...6.3.0)
+
+**Summary**:
+
+* Adds advanced_event_selectors support
+
 ### 6.2.0
 **Released**: 2022.08.22
-**Commit Delta**: [Change from 6.0.0 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/6.1.0...6.0.0)
+**Commit Delta**: [Change from 6.1.0 release](https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail/compare/6.1.0...6.2.0)
 **Summary**:
diff --git a/README.md b/README.md
index bcda899..5e2f7ec 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,7 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [advanced\_event\_selectors](#input\_advanced\_event\_selectors) | Specifies an advanced event selector for enabling data event logging. Contains an options name for the selector and a list of maps specifying field\_selectors. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the field selectors | `list(any)` | `[]` | no |
 | [cloud\_watch\_logs\_group\_name](#input\_cloud\_watch\_logs\_group\_name) | (Optional) Name of preexisting log group to use; by default the module will create a log group | `string` | `null` | no |
 | [cloud\_watch\_logs\_role\_arn](#input\_cloud\_watch\_logs\_role\_arn) | (Optional) Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group. | `string` | `null` | no |
 | [cloudtrail\_bucket](#input\_cloudtrail\_bucket) | Name of S3 bucket to send CloudTrail logs; bucket must already exist | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 05392bc..8b72e69 100644
--- a/main.tf
+++ b/main.tf
@@ -95,6 +95,28 @@ resource "aws_cloudtrail" "this" {
 }
 }
 }
+
+ dynamic "advanced_event_selector" {
+ iterator = advanced_event_selectors
+ for_each = var.advanced_event_selectors
+ content {
+ name = lookup(advanced_event_selectors.value, "name", null) //optional
+
+ dynamic "field_selector" {
+ iterator = field_selectors
+ for_each = lookup(advanced_event_selectors.value, "field_selectors", [])
+ content {
+ field = lookup(field_selectors.value, "field", null) //required
+ equals = lookup(field_selectors.value, "equals", null) //optional
+ not_equals = lookup(field_selectors.value, "not_equals", null) //optional
+ starts_with = lookup(field_selectors.value, "starts_with", null) //optional
+ not_starts_with = lookup(field_selectors.value, "not_starts_with", null) //optional
+ ends_with = lookup(field_selectors.value, "ends_with", null) //optional
+ not_ends_with = lookup(field_selectors.value, "not_ends_with", null) //optional
+ }
+ }
+ }
+ }
 }
 ### DATA SOURCES ###
diff --git a/tests/advanced_event_selector/main.tf b/tests/advanced_event_selector/main.tf
new file mode 100644
index 0000000..8be15cf
--- /dev/null
+++ b/tests/advanced_event_selector/main.tf
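Review bot: The `field` argument is commented `//required` yet read as `lookup(field_selectors.value, "field", null)`, so a caller element that omits the key reaches the provider as `field = null`, which Terraform rejects as a missing required argument with a diagnostic pointing into the module's main.tf rather than at the caller's input; a field selector without a field is never valid, so the `null` default buys nothing. Read it directly, `field = field_selectors.value.field`, so the missing key is reported against the module input (a typed `list(object({...}))` variable would make the contract explicit if the module's Terraform constraint permits it). The enclosing `resource "aws_cloudtrail" "this"` block starts before and closes after this hunk.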
@@ -0,0 +1,53 @@
+data "aws_partition" "current" {}
+
+data "terraform_remote_state" "prereq" {
+ backend = "local"
+ config = {
+ path = "prereq/terraform.tfstate"
+ }
+}
+
+locals {
+ test_id = data.terraform_remote_state.prereq.outputs.random_name
+}
+
+resource "aws_s3_bucket" "this" {
+ bucket = local.test_id
+ force_destroy = true
+
+ policy = templatefile(
+ "${path.module}/../templates/cloudtrail-bucket-policy.json",
+ {
+ bucket = local.test_id
+ partition = data.aws_partition.current.partition
+ }
+ )
+}
+
+module "advanced_event_selector" {
+ source = "../../"
+
+ cloudtrail_name = local.test_id
+ cloudtrail_bucket = aws_s3_bucket.this.id
+ kms_key_alias = local.test_id
+
+ advanced_event_selectors = [
+ {
+ name = "S3EventSelector"
+ field_selectors = [
+ {
+ field = "eventCategory"
+ equals = ["Data"]
+ },
+ {
+ field = "resources.type"
+ equals = ["AWS::S3::Object"]
+ },
+ {
+ field = "resources.ARN"
+ starts_with = ["arn:aws:s3:::test"]
+ }
+ ]
+ },
+ ]
+}
diff --git a/tests/advanced_event_selector/prereq/main.tf b/tests/advanced_event_selector/prereq/main.tf
new file mode 100644
index 0000000..ce23594
--- /dev/null
+++ b/tests/advanced_event_selector/prereq/main.tf
@@ -0,0 +1,8 @@
+resource "random_id" "name" {
+ byte_length = 6
+ prefix = "tardigrade-cloudtrail-"
+}
+
+output "random_name" {
+ value = random_id.name.hex
+}
diff --git a/variables.tf b/variables.tf
index 8bbabba..5722e49 100644
--- a/variables.tf
+++ b/variables.tf
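Review bot: The selector value `starts_with = ["arn:aws:s3:::test"]` hardcodes the `aws` partition, while the same file already resolves `data.aws_partition.current.partition` for the bucket policy a few lines above; in a GovCloud or China partition the bucket policy would be correct but this data-event selector would never match anything. Use the same data source: `starts_with = ["arn:${data.aws_partition.current.partition}:s3:::test"]`. Note also that the prefix `test` does not match the bucket this test creates (`local.test_id` begins with `tardigrade-cloudtrail-`), so the test proves only that the API accepts the selector, not that it captures events; that is presumably deliberate, since pointing data-event logging at the trail's own log bucket would make every delivered log object generate a further data event.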
@@ -88,6 +88,12 @@ variable "event_selectors" {
 default = []
 }
+variable "advanced_event_selectors" {
+ description = "Specifies an advanced event selector for enabling data event logging. Contains an options name for the selector and a list of maps specifying field_selectors. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the field selectors"
+ type = list(any)
+ default = []
+}
+
 variable "tags" {
 description = "A map of tags to add to the cloudtrail resource"
 type = map(string)

From 9f6c7617e1c254c3d176bd9265b38f8313757635 Mon Sep 17 00:00:00 2001
From: cahnk <99229283*cahnk@users.noreply.github.com>
Date: Thu, 1 Sep 2022 14:47:22 -0600
Subject: [PATCH 2/2] Simplified iteration code

---
 main.tf | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)

diff --git a/main.tf b/main.tf
index 8b72e69..80138a4 100644
--- a/main.tf
+++ b/main.tf
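Review bot: The description reads "Contains an options name" where "an optional name" is meant, and it leaves out the two facts a caller needs: `field` is mandatory on every field selector (main.tf comments it `//required`), and the AWS provider documents `advanced_event_selector` as conflicting with `event_selector`, so this input should not be combined with `event_selectors`. Suggested text: `Specifies advanced event selectors for enabling data event logging. Each element has an optional name and a list of field_selectors maps (field is required; equals, not_equals, starts_with, not_starts_with, ends_with and not_ends_with are optional). Mutually exclusive with event_selectors. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for the field selector semantics`. Declaring the type as `list(any)` also means a misspelled key such as `not_equal` is silently ignored by the defaults in main.tf, so a condition can quietly drop out of the audit configuration; if the module's Terraform constraint allows `optional()`, a typed `list(object({...}))` would reject that at plan time.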
@@ -79,40 +79,36 @@ resource "aws_cloudtrail" "this" {
 cloud_watch_logs_role_arn = var.use_cloud_watch_logs ? local.cloud_watch_logs_role_arn : null
 dynamic "event_selector" {
- iterator = event_selectors
 for_each = var.event_selectors
 content {
- read_write_type = lookup(event_selectors.value, "read_write_type", "All")
- include_management_events = lookup(event_selectors.value, "include_management_events", "true")
+ read_write_type = try(event_selector.value.read_write_type, "All")
+ include_management_events = try(event_selector.value.include_management_events, "true")
 dynamic "data_resource" {
- iterator = data_resources
- for_each = lookup(event_selectors.value, "data_resources", [])
+ for_each = try(event_selector.value.data_resources, [])
 content {
- type = lookup(data_resources.value, "type", null)
- values = lookup(data_resources.value, "values", [])
+ type = try(data_resource.value.type, null)
+ values = try(data_resource.value.values, [])
 }
 }
 }
 }
 dynamic "advanced_event_selector" {
- iterator = advanced_event_selectors
 for_each = var.advanced_event_selectors
 content {
- name = lookup(advanced_event_selectors.value, "name", null) //optional
+ name = try(advanced_event_selector.value.name, null) //optional
 dynamic "field_selector" {
- iterator = field_selectors
- for_each = lookup(advanced_event_selectors.value, "field_selectors", [])
+ for_each = try(advanced_event_selector.value.field_selectors, [])
 content {
- field = lookup(field_selectors.value, "field", null) //required
- equals = lookup(field_selectors.value, "equals", null) //optional
- not_equals = lookup(field_selectors.value, "not_equals", null) //optional
- starts_with = lookup(field_selectors.value, "starts_with", null) //optional
- not_starts_with = lookup(field_selectors.value, "not_starts_with", null) //optional
- ends_with = lookup(field_selectors.value, "ends_with", null) //optional
- not_ends_with = lookup(field_selectors.value, "not_ends_with", null) //optional
+ field = try(field_selector.value.field, null) //required
+ equals = try(field_selector.value.equals, null) //optional
+ not_equals = try(field_selector.value.not_equals, null) //optional
+ starts_with = try(field_selector.value.starts_with, null) //optional
+ not_starts_with = try(field_selector.value.not_starts_with, null) //optional
+ ends_with = try(field_selector.value.ends_with, null) //optional
+ not_ends_with = try(field_selector.value.not_ends_with, null) //optional
 }
 }
 }
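Review bot: Nothing stops a caller from setting both `event_selectors` and `advanced_event_selectors`; both default to `[]`, and when both are non-empty the two `dynamic` blocks emit `event_selector` and `advanced_event_selector` on the same trail, which the AWS provider documents as conflicting, so the failure surfaces only as a provider error with no pointer to the module inputs. A `precondition` on the resource would name the problem at the module boundary; it needs Terraform 1.2 or later, and the module's `required_version` is not visible here, so if the constraint is older the rule would have to be documented on the variables instead. The `resource "aws_cloudtrail" "this"` block starts before and closes after this hunk; the `lifecycle` block below can go anywhere inside it.
```hcl
  # … unchanged: trail arguments and the event_selector / advanced_event_selector dynamic blocks …
  lifecycle {
    precondition {
      condition     = length(var.event_selectors) == 0 || length(var.advanced_event_selectors) == 0
      error_message = "event_selectors and advanced_event_selectors are mutually exclusive on a trail; set only one of them."
    }
  }
```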