diff --git a/aws/resource_aws_cloudtrail.go b/aws/resource_aws_cloudtrail.go
index 8c59a5d9408..08b224833d7 100644
--- a/aws/resource_aws_cloudtrail.go
+++ b/aws/resource_aws_cloudtrail.go
@@ -227,10 +227,10 @@ func resourceAwsCloudTrailUpdate(d *schema.ResourceData, meta interface{}) error
 if d.HasChange("s3_key_prefix") {
 input.S3KeyPrefix = aws.String(d.Get("s3_key_prefix").(string))
 }
- if d.HasChange("cloud_watch_logs_role_arn") {
+ if d.HasChange("cloud_watch_logs_role_arn") || d.HasChange("cloud_watch_logs_group_arn") {
+ // Both of these need to be provided together
+ // in the update call otherwise API complains
 input.CloudWatchLogsRoleArn = aws.String(d.Get("cloud_watch_logs_role_arn").(string))
- }
- if d.HasChange("cloud_watch_logs_group_arn") {
 input.CloudWatchLogsLogGroupArn = aws.String(d.Get("cloud_watch_logs_group_arn").(string))
 }
 if d.HasChange("include_global_service_events") {
diff --git a/aws/resource_aws_cloudtrail_test.go b/aws/resource_aws_cloudtrail_test.go
index 08655ea671b..09c13190f59 100644
--- a/aws/resource_aws_cloudtrail_test.go
+++ b/aws/resource_aws_cloudtrail_test.go
@@ -18,6 +18,7 @@ func TestAccAWSCloudTrail(t *testing.T) {
 testCases := map[string]map[string]func(t *testing.T){
 "Trail": {
 "basic": testAccAWSCloudTrail_basic,
+ "cloudwatch": testAccAWSCloudTrail_cloudwatch,
 "enableLogging": testAccAWSCloudTrail_enable_logging,
 "isMultiRegion": testAccAWSCloudTrail_is_multi_region,
 "logValidation": testAccAWSCloudTrail_logValidation,
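Review bot: In the merged `if` of resourceAwsCloudTrailUpdate, both ARNs are now read with `d.Get(...).(string)` and sent whenever either attribute changes, so a configuration that sets only one of them puts an empty string next to a real ARN in the update input. The schema is outside this hunk, so it cannot be confirmed here that the pair is forced to be set together; if it is not, that case is only caught by the API at apply time, and the trail's CloudWatch Logs delivery, which alerting often depends on, presumably keeps its old settings until someone notices. Consider rejecting a half-set pair before the call, and make the comment state the constraint precisely, e.g. `// UpdateTrail needs the role ARN and the log group ARN in the same request, so send both when either changes.` The function body starts and ends outside the hunk.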
@@ -71,6 +72,35 @@ func testAccAWSCloudTrail_basic(t *testing.T) {
 })
 }
 
+func testAccAWSCloudTrail_cloudwatch(t *testing.T) {
+ var trail cloudtrail.Trail
+ randInt := acctest.RandInt()
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSCloudTrailDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSCloudTrailConfigCloudWatch(randInt),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckCloudTrailExists("aws_cloudtrail.test", &trail),
+ resource.TestCheckResourceAttrSet("aws_cloudtrail.test", "cloud_watch_logs_group_arn"),
+ resource.TestCheckResourceAttrSet("aws_cloudtrail.test", "cloud_watch_logs_role_arn"),
+ ),
+ },
+ {
+ Config: testAccAWSCloudTrailConfigCloudWatchModified(randInt),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckCloudTrailExists("aws_cloudtrail.test", &trail),
+ resource.TestCheckResourceAttrSet("aws_cloudtrail.test", "cloud_watch_logs_group_arn"),
+ resource.TestCheckResourceAttrSet("aws_cloudtrail.test", "cloud_watch_logs_role_arn"),
+ ),
+ },
+ },
+ })
+}
+
 func testAccAWSCloudTrail_enable_logging(t *testing.T) {
 var trail cloudtrail.Trail
 cloudTrailRandInt := acctest.RandInt()
@@ -501,6 +531,185 @@ POLICY
 `, cloudTrailRandInt, cloudTrailRandInt, cloudTrailRandInt, cloudTrailRandInt)
 }
 
+func testAccAWSCloudTrailConfigCloudWatch(randInt int) string {
+ return fmt.Sprintf(`
+resource "aws_cloudtrail" "test" {
+ name = "tf-acc-test-%d"
+ s3_bucket_name = "${aws_s3_bucket.test.id}"
+
+ cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.test.arn}"
+ cloud_watch_logs_role_arn = "${aws_iam_role.test.arn}"
+}
+
+resource "aws_s3_bucket" "test" {
+ bucket = "tf-test-trail-%d"
+ force_destroy = true
+ policy = <
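Review bot: Both steps of testAccAWSCloudTrail_cloudwatch (hunk `@@ -71,6 +72,35 @@`) assert only `resource.TestCheckResourceAttrSet` on the two ARN attributes, which passes just as well if the second step leaves the trail pointing at the original log group and role. Since this test exists to cover the update path, the second step should pin the new values, for example `resource.TestCheckResourceAttrPair("aws_cloudtrail.test", "cloud_watch_logs_group_arn", "<MODIFIED_LOG_GROUP_RESOURCE>", "arn")`, with the matching check for the role. testAccAWSCloudTrailConfigCloudWatchModified is not visible in this part of the diff, so the resource address is a placeholder to fill in from that config.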