Merge pull request #4010 from pforman/cloudtrail-enable
provider/aws: Add "enable_logging" to CloudTrail resource
This commit is contained in:
Radek Simko
commit
749fcd4931
|
|
@ -22,6 +22,11 @@ func resourceAwsCloudTrail() *schema.Resource {
|
|||
Required: true,
|
||||
ForceNew: true,
|
||||
},
|
||||
"enable_logging": &schema.Schema{
|
||||
Type: schema.TypeBool,
|
||||
Optional: true,
|
||||
Default: true,
|
||||
},
|
||||
"s3_bucket_name": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
|
|
@ -84,6 +89,14 @@ func resourceAwsCloudTrailCreate(d *schema.ResourceData, meta interface{}) error
|
|||
|
||||
d.SetId(*t.Name)
|
||||
|
||||
// AWS CloudTrail sets newly-created trails to false.
|
||||
if v, ok := d.GetOk("enable_logging"); ok && v.(bool) {
|
||||
err := cloudTrailSetLogging(conn, v.(bool), d.Id())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return resourceAwsCloudTrailRead(d, meta)
|
||||
}
|
||||
|
||||
|
|
@ -115,6 +128,12 @@ func resourceAwsCloudTrailRead(d *schema.ResourceData, meta interface{}) error {
|
|||
d.Set("include_global_service_events", trail.IncludeGlobalServiceEvents)
|
||||
d.Set("sns_topic_name", trail.SnsTopicName)
|
||||
|
||||
logstatus, err := cloudTrailGetLoggingStatus(conn, trail.Name)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
d.Set("enable_logging", logstatus)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
@ -149,6 +168,15 @@ func resourceAwsCloudTrailUpdate(d *schema.ResourceData, meta interface{}) error
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if d.HasChange("enable_logging") {
|
||||
log.Printf("[DEBUG] Updating logging on CloudTrail: %s", input)
|
||||
err := cloudTrailSetLogging(conn, d.Get("enable_logging").(bool), *input.Name)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] CloudTrail updated: %s", t)
|
||||
|
||||
return resourceAwsCloudTrailRead(d, meta)
|
||||
|
|
@ -165,3 +193,45 @@ func resourceAwsCloudTrailDelete(d *schema.ResourceData, meta interface{}) error
|
|||
|
||||
return err
|
||||
}
|
||||
|
||||
func cloudTrailGetLoggingStatus(conn *cloudtrail.CloudTrail, id *string) (bool, error) {
|
||||
GetTrailStatusOpts := &cloudtrail.GetTrailStatusInput{
|
||||
Name: id,
|
||||
}
|
||||
resp, err := conn.GetTrailStatus(GetTrailStatusOpts)
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("Error retrieving logging status of CloudTrail (%s): %s", *id, err)
|
||||
}
|
||||
|
||||
return *resp.IsLogging, err
|
||||
}
|
||||
|
||||
func cloudTrailSetLogging(conn *cloudtrail.CloudTrail, enabled bool, id string) error {
|
||||
if enabled {
|
||||
log.Printf(
|
||||
"[DEBUG] Starting logging on CloudTrail (%s)",
|
||||
id)
|
||||
StartLoggingOpts := &cloudtrail.StartLoggingInput{
|
||||
Name: aws.String(id),
|
||||
}
|
||||
if _, err := conn.StartLogging(StartLoggingOpts); err != nil {
|
||||
return fmt.Errorf(
|
||||
"Error starting logging on CloudTrail (%s): %s",
|
||||
id, err)
|
||||
}
|
||||
} else {
|
||||
log.Printf(
|
||||
"[DEBUG] Stopping logging on CloudTrail (%s)",
|
||||
id)
|
||||
StopLoggingOpts := &cloudtrail.StopLoggingInput{
|
||||
Name: aws.String(id),
|
||||
}
|
||||
if _, err := conn.StopLogging(StopLoggingOpts); err != nil {
|
||||
return fmt.Errorf(
|
||||
"Error stopping logging on CloudTrail (%s): %s",
|
||||
id, err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,6 +39,41 @@ func TestAccAWSCloudTrail_basic(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestAccAWSCloudTrail_enable_logging(t *testing.T) {
|
||||
var trail cloudtrail.Trail
|
||||
|
||||
resource.Test(t, resource.TestCase{
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Providers: testAccProviders,
|
||||
CheckDestroy: testAccCheckAWSCloudTrailDestroy,
|
||||
Steps: []resource.TestStep{
|
||||
resource.TestStep{
|
||||
Config: testAccAWSCloudTrailConfig,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
|
||||
// AWS will create the trail with logging turned off.
|
||||
// Test that "enable_logging" default works.
|
||||
testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", true, &trail),
|
||||
),
|
||||
},
|
||||
resource.TestStep{
|
||||
Config: testAccAWSCloudTrailConfigModified,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
|
||||
testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", false, &trail),
|
||||
),
|
||||
},
|
||||
resource.TestStep{
|
||||
Config: testAccAWSCloudTrailConfig,
|
||||
Check: resource.ComposeTestCheckFunc(
|
||||
testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
|
||||
testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", true, &trail),
|
||||
),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func testAccCheckCloudTrailExists(n string, trail *cloudtrail.Trail) resource.TestCheckFunc {
|
||||
return func(s *terraform.State) error {
|
||||
rs, ok := s.RootModule().Resources[n]
|
||||
|
|
@ -63,6 +98,30 @@ func testAccCheckCloudTrailExists(n string, trail *cloudtrail.Trail) resource.Te
|
|||
}
|
||||
}
|
||||
|
||||
func testAccCheckCloudTrailLoggingEnabled(n string, desired bool, trail *cloudtrail.Trail) resource.TestCheckFunc {
|
||||
return func(s *terraform.State) error {
|
||||
rs, ok := s.RootModule().Resources[n]
|
||||
if !ok {
|
||||
return fmt.Errorf("Not found: %s", n)
|
||||
}
|
||||
|
||||
conn := testAccProvider.Meta().(*AWSClient).cloudtrailconn
|
||||
params := cloudtrail.GetTrailStatusInput{
|
||||
Name: aws.String(rs.Primary.ID),
|
||||
}
|
||||
resp, err := conn.GetTrailStatus(¶ms)
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if *resp.IsLogging != desired {
|
||||
return fmt.Errorf("Expected logging status %t, given %t", desired, *resp.IsLogging)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func testAccCheckAWSCloudTrailDestroy(s *terraform.State) error {
|
||||
conn := testAccProvider.Meta().(*AWSClient).cloudtrailconn
|
||||
|
||||
|
|
@ -134,6 +193,7 @@ resource "aws_cloudtrail" "foobar" {
|
|||
s3_bucket_name = "${aws_s3_bucket.foo.id}"
|
||||
s3_key_prefix = "/prefix"
|
||||
include_global_service_events = false
|
||||
enable_logging = false
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket" "foo" {
|
||||
|
|
|
|||
|
|
@ -63,6 +63,8 @@ The following arguments are supported:
|
|||
endpoint to assume to write to a user’s log group.
|
||||
* `cloud_watch_logs_group_arn` - (Optional) Specifies a log group name using an Amazon Resource Name (ARN),
|
||||
that represents the log group to which CloudTrail logs will be delivered.
|
||||
* `enable_logging` - (Optional) Enables logging for the trail. Defaults to `true`.
|
||||
Setting this to `false` will pause logging.
|
||||
* `include_global_service_events` - (Optional) Specifies whether the trail is publishing events
|
||||
from global services such as IAM to the log files. Defaults to `true`.
|
||||
* `sns_topic_name` - (Optional) Specifies the name of the Amazon SNS topic
|
||||
|
|
|
|||
Loading…
Reference in New Issue