Simplified use CW logs specification

plus3it · Aug 20, 2022 · cca854d · cca854d
1 parent 9279b89
commit cca854d
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 28 deletions.
diff --git a/README.md b/README.md
@@ -46,7 +46,6 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
 | <a name="input_cloudtrail_bucket"></a> [cloudtrail\_bucket](#input\_cloudtrail\_bucket) | Name of S3 bucket to send CloudTrail logs; bucket must already exist | `string` | `null` | no |
 | <a name="input_cloudtrail_name"></a> [cloudtrail\_name](#input\_cloudtrail\_name) | Name of the trail to create | `string` | `null` | no |
 | <a name="input_create_kms_key"></a> [create\_kms\_key](#input\_create\_kms\_key) | Controls whether to create a kms key that Cloudtrail will use to encrypt the logs | `bool` | `true` | no |
-| <a name="input_create_log_group"></a> [create\_log\_group](#input\_create\_log\_group) | Specifies whether to create a CloudWatch log group for this trail | `bool` | `true` | no |
 | <a name="input_enable_log_file_validation"></a> [enable\_log\_file\_validation](#input\_enable\_log\_file\_validation) | Specifies whether log file integrity validation is enabled | `bool` | `true` | no |
 | <a name="input_enable_logging"></a> [enable\_logging](#input\_enable\_logging) | Specifies whether to enable CloudWatch logging if it is configured | `bool` | `true` | no |
 | <a name="input_event_selectors"></a> [event\_selectors](#input\_event\_selectors) | List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales | `list(any)` | `[]` | no |
@@ -56,7 +55,7 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | (Optional) ARN of the kms key used to encrypt the CloudTrail logs. | `string` | `null` | no |
 | <a name="input_retention_in_days"></a> [retention\_in\_days](#input\_retention\_in\_days) | (Optional) Specifies the number of days to retain log events in the log group. Only works if module creates the log group | `number` | `7` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the cloudtrail resource | `map(string)` | `{}` | no |
-| <a name="input_use_existing_log_group"></a> [use\_existing\_log\_group](#input\_use\_existing\_log\_group) | Specifies whether to use an existing CloudWatch log group for this trail | `bool` | `false` | no |
+| <a name="input_use_cloud_watch_logs"></a> [use\_cloud\_watch\_logs](#input\_use\_cloud\_watch\_logs) | Specifies whether to use a CloudWatch log group for this trail | `bool` | `true` | no |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -1,16 +1,12 @@
 ### LOCALS ###
 locals {
   # cloudwatch log group integration
-  use_existing_log_group = var.use_existing_log_group
-  create_log_group       = var.use_existing_log_group ? false : var.create_log_group
+  create_log_group            = var.use_cloud_watch_logs ? var.cloud_watch_logs_group_name == null : false
+  cloud_watch_logs_group_name = local.create_log_group ? "/aws/cloudtrail/${format("%v", var.cloudtrail_name)}" : var.cloud_watch_logs_group_name
+  cloud_watch_logs_group_arn  = var.use_cloud_watch_logs ? local.create_log_group ? "${aws_cloudwatch_log_group.this[0].arn}:*" : "${data.aws_cloudwatch_log_group.this[0].arn}:*" : null
 
-  cloud_watch_logs_group_name = var.use_existing_log_group ? var.cloud_watch_logs_group_name : var.create_log_group ? var.cloud_watch_logs_group_name == null ? "/aws/cloudtrail/${format("%v", var.cloudtrail_name)}" : var.cloud_watch_logs_group_name : null
-
-  cloud_watch_logs_group_arn = var.use_existing_log_group ? "${data.aws_cloudwatch_log_group.this[0].arn}:*" : var.create_log_group ? "${aws_cloudwatch_log_group.this[0].arn}:*" : null
-
-  create_log_group_role = var.use_existing_log_group ? var.cloud_watch_logs_role_arn == null : var.create_log_group
-
-  cloud_watch_logs_role_arn = var.use_existing_log_group ? var.cloud_watch_logs_role_arn == null ? aws_iam_role.this[0].arn : var.cloud_watch_logs_role_arn : var.create_log_group ? var.cloud_watch_logs_role_arn == null ? aws_iam_role.this[0].arn : var.cloud_watch_logs_role_arn : null
+  create_log_group_role     = var.use_cloud_watch_logs ? var.cloud_watch_logs_role_arn == null : false
+  cloud_watch_logs_role_arn = local.create_log_group_role ? aws_iam_role.this[0].arn : var.cloud_watch_logs_role_arn
 
   # kms integration
   kms_key_id     = var.create_kms_key ? module.kms[0].keys[var.kms_key_alias].arn : var.kms_key_id
@@ -78,8 +74,8 @@ resource "aws_cloudtrail" "this" {
   tags                          = var.tags
   kms_key_id                    = local.kms_key_id
 
-  cloud_watch_logs_group_arn = local.cloud_watch_logs_group_arn
-  cloud_watch_logs_role_arn  = local.cloud_watch_logs_role_arn
+  cloud_watch_logs_group_arn = var.use_cloud_watch_logs ? local.cloud_watch_logs_group_arn : null
+  cloud_watch_logs_role_arn  = var.use_cloud_watch_logs ? local.cloud_watch_logs_role_arn : null
 
   dynamic "event_selector" {
     iterator = event_selectors
@@ -108,7 +104,7 @@ data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
 data "aws_cloudwatch_log_group" "this" {
-  count = local.use_existing_log_group ? 1 : 0
+  count = var.use_cloud_watch_logs && !local.create_log_group ? 1 : 0
 
   name = var.cloud_watch_logs_group_name
 }

diff --git a/tests/no_log_group/main.tf b/tests/no_log_group/main.tf
@@ -26,8 +26,7 @@ module "baseline" {
   create_kms_key             = false
   cloudtrail_name            = random_id.name.hex
   cloudtrail_bucket          = aws_s3_bucket.this.id
-  use_existing_log_group     = false
-  create_log_group           = false
+  use_cloud_watch_logs       = false
   enable_log_file_validation = false
   enable_logging             = false
 }
diff --git a/tests/premade_cwl_group/main.tf b/tests/premade_cwl_group/main.tf
@@ -30,6 +30,4 @@ module "premade_cwl_group" {
   cloudtrail_bucket           = aws_s3_bucket.this.id
   cloud_watch_logs_group_name = data.terraform_remote_state.prereq.outputs.cwl_group_name
   kms_key_alias               = local.test_id
-  use_existing_log_group      = true
-  create_log_group            = false
 }
diff --git a/tests/premade_cwl_role/main.tf b/tests/premade_cwl_role/main.tf
@@ -31,6 +31,4 @@ module "premade_cwl_role" {
   cloud_watch_logs_group_name = data.terraform_remote_state.prereq.outputs.cwl_group_name
   cloud_watch_logs_role_arn   = data.terraform_remote_state.prereq.outputs.cwl_role_arn
   kms_key_alias               = local.test_id
-  use_existing_log_group      = true
-  create_log_group            = false
 }
diff --git a/variables.tf b/variables.tf
@@ -52,14 +52,8 @@ variable "cloudtrail_bucket" {
   default     = null
 }
 
-variable "use_existing_log_group" {
-  description = "Specifies whether to use an existing CloudWatch log group for this trail"
-  type        = bool
-  default     = false
-}
-
-variable "create_log_group" {
-  description = "Specifies whether to create a CloudWatch log group for this trail"
+variable "use_cloud_watch_logs" {
+  description = "Specifies whether to use a CloudWatch log group for this trail"
   type        = bool
   default     = true
 }