Merge pull request #1357 from terraform-providers/b-cloudtrail-cw-update
r/cloudtrail: Fix CloudWatch role ARN/group updates
radeksimko authored Aug 7, 2017
2 parents 8f39a1e + 7da0f7d commit 3b808c4
Showing 2 changed files with 212 additions and 3 deletions.
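--- a/aws/resource_aws_cloudtrail.go
+++ b/aws/resource_aws_cloudtrail.go
@@ -243,10 +243,10 @@ func resourceAwsCloudTrailUpdate(d *schema.ResourceData, meta interface{}) error
 if d.HasChange("s3_key_prefix") {
 input.S3KeyPrefix = aws.String(d.Get("s3_key_prefix").(string))
 }
-if d.HasChange("cloud_watch_logs_role_arn") {
+if d.HasChange("cloud_watch_logs_role_arn") || d.HasChange("cloud_watch_logs_group_arn") {
+// Both of these need to be provided together
+// in the update call otherwise API complains
 input.CloudWatchLogsRoleArn = aws.String(d.Get("cloud_watch_logs_role_arn").(string))
-}
-if d.HasChange("cloud_watch_logs_group_arn") {
 input.CloudWatchLogsLogGroupArn = aws.String(d.Get("cloud_watch_logs_group_arn").(string))
 }
 if d.HasChange("include_global_service_events") {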
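Review bot: Sending both fields whenever either changes also covers the case where a user removes both attributes from the configuration: `d.Get` then yields `""` for each, so the request carries two empty ARNs, and nothing in this hunk or in the new acceptance test shows whether UpdateTrail treats that as detaching CloudWatch delivery or rejects it. A test step that drops both attributes after the `second` log group step would pin that behaviour. The new comment could also state the rule it encodes rather than "API complains", e.g. `// The API rejects an UpdateTrail call that sets only one of these two fields, so resend both whenever either changes.` resourceAwsCloudTrailUpdate begins and ends outside the hunk.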
209 changes: 209 additions & 0 deletions aws/resource_aws_cloudtrail_test.go
Expand Up @@ -18,6 +18,7 @@ func TestAccAWSCloudTrail(t *testing.T) {
testCases := map[string]map[string]func(t *testing.T){
"Trail": {
"basic": testAccAWSCloudTrail_basic,
"cloudwatch": testAccAWSCloudTrail_cloudwatch,
"enableLogging": testAccAWSCloudTrail_enable_logging,
"isMultiRegion": testAccAWSCloudTrail_is_multi_region,
"logValidation": testAccAWSCloudTrail_logValidation,
Expand Down Expand Up @@ -71,6 +72,35 @@ func testAccAWSCloudTrail_basic(t *testing.T) {
})
}

func testAccAWSCloudTrail_cloudwatch(t *testing.T) {
var trail cloudtrail.Trail
randInt := acctest.RandInt()

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSCloudTrailDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSCloudTrailConfigCloudWatch(randInt),
Check: resource.ComposeTestCheckFunc(
testAccCheckCloudTrailExists("aws_cloudtrail.test", &trail),
resource.TestCheckResourceAttrSet("aws_cloudtrail.test", "cloud_watch_logs_group_arn"),
resource.TestCheckResourceAttrSet("aws_cloudtrail.test", "cloud_watch_logs_role_arn"),
),
},
{
Config: testAccAWSCloudTrailConfigCloudWatchModified(randInt),
Check: resource.ComposeTestCheckFunc(
testAccCheckCloudTrailExists("aws_cloudtrail.test", &trail),
resource.TestCheckResourceAttrSet("aws_cloudtrail.test", "cloud_watch_logs_group_arn"),
resource.TestCheckResourceAttrSet("aws_cloudtrail.test", "cloud_watch_logs_role_arn"),
),
},
},
})
}

func testAccAWSCloudTrail_enable_logging(t *testing.T) {
var trail cloudtrail.Trail
cloudTrailRandInt := acctest.RandInt()
Expand Down Expand Up @@ -501,6 +531,185 @@ POLICY
`, cloudTrailRandInt, cloudTrailRandInt, cloudTrailRandInt, cloudTrailRandInt)
}

func testAccAWSCloudTrailConfigCloudWatch(randInt int) string {
return fmt.Sprintf(`
resource "aws_cloudtrail" "test" {
name = "tf-acc-test-%d"
s3_bucket_name = "${aws_s3_bucket.test.id}"
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.test.arn}"
cloud_watch_logs_role_arn = "${aws_iam_role.test.arn}"
}
resource "aws_s3_bucket" "test" {
bucket = "tf-test-trail-%d"
force_destroy = true
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::tf-test-trail-%d"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::tf-test-trail-%d/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
POLICY
}
resource "aws_cloudwatch_log_group" "test" {
name = "tf-acc-test-cloudtrail-%d"
}
resource "aws_iam_role" "test" {
name = "tf-acc-test-cloudtrail-%d"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
resource "aws_iam_role_policy" "test" {
name = "tf-acc-test-cloudtrail-%d"
role = "${aws_iam_role.test.id}"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "${aws_cloudwatch_log_group.test.arn}"
}
]
}
POLICY
}
`, randInt, randInt, randInt, randInt, randInt, randInt, randInt)
}

func testAccAWSCloudTrailConfigCloudWatchModified(randInt int) string {
return fmt.Sprintf(`
resource "aws_cloudtrail" "test" {
name = "tf-acc-test-%d"
s3_bucket_name = "${aws_s3_bucket.test.id}"
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.second.arn}"
cloud_watch_logs_role_arn = "${aws_iam_role.test.arn}"
}
resource "aws_s3_bucket" "test" {
bucket = "tf-test-trail-%d"
force_destroy = true
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::tf-test-trail-%d"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::tf-test-trail-%d/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
POLICY
}
resource "aws_cloudwatch_log_group" "test" {
name = "tf-acc-test-cloudtrail-%d"
}
resource "aws_cloudwatch_log_group" "second" {
name = "tf-acc-test-cloudtrail-second-%d"
}
resource "aws_iam_role" "test" {
name = "tf-acc-test-cloudtrail-%d"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
resource "aws_iam_role_policy" "test" {
name = "tf-acc-test-cloudtrail-%d"
role = "${aws_iam_role.test.id}"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "${aws_cloudwatch_log_group.second.arn}"
}
]
}
POLICY
}
`, randInt, randInt, randInt, randInt, randInt, randInt, randInt, randInt)
}

func testAccAWSCloudTrailConfigMultiRegion(cloudTrailRandInt int) string {
return fmt.Sprintf(`
resource "aws_cloudtrail" "foobar" {
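Review bot: The second step of testAccAWSCloudTrail_cloudwatch only asserts that `cloud_watch_logs_group_arn` is set, so it would still pass if the update silently kept the original log group ARN, which is the regression this commit is fixing. Comparing the attribute against the `arn` of `aws_cloudwatch_log_group.second` (for example with `resource.TestCheckResourceAttrPair` if that helper exists in the vendored framework, or a custom check reading `trail.CloudWatchLogsLogGroupArn` from the captured `trail`) would make the test fail without the resource change. Separately, both fixture bucket policies grant `s3:GetBucketAcl` and `s3:PutObject` to `"Principal": "*"`; scoping the principal to `{"Service": "cloudtrail.amazonaws.com"}`, as the IAM trust policy in the same fixture already does, avoids a world-writable test bucket and matches the policy users are likely to copy from this test.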
