From cca854dec81484db447418382236415b4e6186d4 Mon Sep 17 00:00:00 2001
From: cahnk <99229283*cahnk@users.noreply.github.com>
Date: Sat, 20 Aug 2022 07:40:35 -0600
Subject: [PATCH] Simplified use CW logs specification
---
README.md | 3 +--
main.tf | 20 ++++++++------------
tests/no_log_group/main.tf | 3 +--
tests/premade_cwl_group/main.tf | 2 --
tests/premade_cwl_role/main.tf | 2 --
variables.tf | 10 ++--------
6 files changed, 12 insertions(+), 28 deletions(-)
diff --git a/README.md b/README.md
index 5521910..c662cdb 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,6 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
| [cloudtrail\_bucket](#input\_cloudtrail\_bucket) | Name of S3 bucket to send CloudTrail logs; bucket must already exist | `string` | `null` | no |
| [cloudtrail\_name](#input\_cloudtrail\_name) | Name of the trail to create | `string` | `null` | no |
| [create\_kms\_key](#input\_create\_kms\_key) | Controls whether to create a kms key that Cloudtrail will use to encrypt the logs | `bool` | `true` | no |
-| [create\_log\_group](#input\_create\_log\_group) | Specifies whether to create a CloudWatch log group for this trail | `bool` | `true` | no |
| [enable\_log\_file\_validation](#input\_enable\_log\_file\_validation) | Specifies whether log file integrity validation is enabled | `bool` | `true` | no |
| [enable\_logging](#input\_enable\_logging) | Specifies whether to enable CloudWatch logging if it is configured | `bool` | `true` | no |
| [event\_selectors](#input\_event\_selectors) | List of maps specifying `read_write_type`, `include_management_events`, `type`, and `values`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map vales | `list(any)` | `[]` | no |
@@ -56,7 +55,7 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
| [kms\_key\_id](#input\_kms\_key\_id) | (Optional) ARN of the kms key used to encrypt the CloudTrail logs. | `string` | `null` | no |
| [retention\_in\_days](#input\_retention\_in\_days) | (Optional) Specifies the number of days to retain log events in the log group. Only works if module creates the log group | `number` | `7` | no |
| [tags](#input\_tags) | A map of tags to add to the cloudtrail resource | `map(string)` | `{}` | no |
-| [use\_existing\_log\_group](#input\_use\_existing\_log\_group) | Specifies whether to use an existing CloudWatch log group for this trail | `bool` | `false` | no |
+| [use\_cloud\_watch\_logs](#input\_use\_cloud\_watch\_logs) | Specifies whether to use a CloudWatch log group for this trail | `bool` | `true` | no |
## Outputs
diff --git a/main.tf b/main.tf
index 3dab342..3f4175b 100644
--- a/main.tf
+++ b/main.tf
@@ -1,16 +1,12 @@
### LOCALS ###
locals {
# cloudwatch log group integration
- use_existing_log_group = var.use_existing_log_group
- create_log_group = var.use_existing_log_group ? false : var.create_log_group
+ create_log_group = var.use_cloud_watch_logs ? var.cloud_watch_logs_group_name == null : false
+ cloud_watch_logs_group_name = local.create_log_group ? "/aws/cloudtrail/${format("%v", var.cloudtrail_name)}" : var.cloud_watch_logs_group_name
+ cloud_watch_logs_group_arn = var.use_cloud_watch_logs ? local.create_log_group ? "${aws_cloudwatch_log_group.this[0].arn}:*" : "${data.aws_cloudwatch_log_group.this[0].arn}:*" : null
- cloud_watch_logs_group_name = var.use_existing_log_group ? var.cloud_watch_logs_group_name : var.create_log_group ? var.cloud_watch_logs_group_name == null ? "/aws/cloudtrail/${format("%v", var.cloudtrail_name)}" : var.cloud_watch_logs_group_name : null
-
- cloud_watch_logs_group_arn = var.use_existing_log_group ? "${data.aws_cloudwatch_log_group.this[0].arn}:*" : var.create_log_group ? "${aws_cloudwatch_log_group.this[0].arn}:*" : null
-
- create_log_group_role = var.use_existing_log_group ? var.cloud_watch_logs_role_arn == null : var.create_log_group
-
- cloud_watch_logs_role_arn = var.use_existing_log_group ? var.cloud_watch_logs_role_arn == null ? aws_iam_role.this[0].arn : var.cloud_watch_logs_role_arn : var.create_log_group ? var.cloud_watch_logs_role_arn == null ? aws_iam_role.this[0].arn : var.cloud_watch_logs_role_arn : null
+ create_log_group_role = var.use_cloud_watch_logs ? var.cloud_watch_logs_role_arn == null : false
+ cloud_watch_logs_role_arn = local.create_log_group_role ? aws_iam_role.this[0].arn : var.cloud_watch_logs_role_arn
# kms integration
kms_key_id = var.create_kms_key ? module.kms[0].keys[var.kms_key_alias].arn : var.kms_key_id
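Review bot: The two new locals have asymmetric contracts: `cloud_watch_logs_group_arn` collapses to `null` when `use_cloud_watch_logs` is false, but `cloud_watch_logs_role_arn` still evaluates to whatever `var.cloud_watch_logs_role_arn` was passed, so a caller-supplied role is silently dropped rather than rejected, and every consumer of the local has to re-check the flag. Making the local self-contained avoids that, `cloud_watch_logs_role_arn = var.use_cloud_watch_logs ? (local.create_log_group_role ? aws_iam_role.this[0].arn : var.cloud_watch_logs_role_arn) : null`, and the group-ARN line would read more safely with the inner conditional parenthesised the same way, `var.use_cloud_watch_logs ? (local.create_log_group ? "${aws_cloudwatch_log_group.this[0].arn}:*" : "${data.aws_cloudwatch_log_group.this[0].arn}:*") : null`. Since an operator who passes a role ARN or group name with the flag off gets a trail that never reaches CloudWatch, consider surfacing that combination as an error (a `precondition` on `aws_cloudtrail.this` if the pinned Terraform version supports it) rather than ignoring the inputs. The `locals` block continues past the end of this hunk.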
@@ -78,8 +74,8 @@ resource "aws_cloudtrail" "this" {
tags = var.tags
kms_key_id = local.kms_key_id
- cloud_watch_logs_group_arn = local.cloud_watch_logs_group_arn
- cloud_watch_logs_role_arn = local.cloud_watch_logs_role_arn
+ cloud_watch_logs_group_arn = var.use_cloud_watch_logs ? local.cloud_watch_logs_group_arn : null
+ cloud_watch_logs_role_arn = var.use_cloud_watch_logs ? local.cloud_watch_logs_role_arn : null
dynamic "event_selector" {
iterator = event_selectors
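Review bot: The added guard on `cloud_watch_logs_group_arn` is redundant: `local.cloud_watch_logs_group_arn` already yields `null` whenever `var.use_cloud_watch_logs` is false, so the ternary here re-evaluates a condition the local has just evaluated. The guard on `cloud_watch_logs_role_arn` is not redundant, because that local falls through to the raw variable when the flag is off, which is a surprising place for the difference to live. Either drop the group-ARN ternary and keep `cloud_watch_logs_group_arn = local.cloud_watch_logs_group_arn`, or put the null-out for the role inside the local so both attributes read their locals directly; mixing the two styles makes it hard to tell which inputs are honoured when CloudWatch delivery is disabled. The `aws_cloudtrail` resource block starts before and ends after this hunk.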
@@ -108,7 +104,7 @@ data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
data "aws_cloudwatch_log_group" "this" {
- count = local.use_existing_log_group ? 1 : 0
+ count = var.use_cloud_watch_logs && !local.create_log_group ? 1 : 0
name = var.cloud_watch_logs_group_name
}
diff --git a/tests/no_log_group/main.tf b/tests/no_log_group/main.tf
index 8281f0f..2d329f9 100644
--- a/tests/no_log_group/main.tf
+++ b/tests/no_log_group/main.tf
@@ -26,8 +26,7 @@ module "baseline" {
create_kms_key = false
cloudtrail_name = random_id.name.hex
cloudtrail_bucket = aws_s3_bucket.this.id
- use_existing_log_group = false
- create_log_group = false
+ use_cloud_watch_logs = false
enable_log_file_validation = false
enable_logging = false
}
diff --git a/tests/premade_cwl_group/main.tf b/tests/premade_cwl_group/main.tf
index 6f7f03d..d53193b 100644
--- a/tests/premade_cwl_group/main.tf
+++ b/tests/premade_cwl_group/main.tf
@@ -30,6 +30,4 @@ module "premade_cwl_group" {
cloudtrail_bucket = aws_s3_bucket.this.id
cloud_watch_logs_group_name = data.terraform_remote_state.prereq.outputs.cwl_group_name
kms_key_alias = local.test_id
- use_existing_log_group = true
- create_log_group = false
}
diff --git a/tests/premade_cwl_role/main.tf b/tests/premade_cwl_role/main.tf
index 1f0c5c7..31edbe7 100644
--- a/tests/premade_cwl_role/main.tf
+++ b/tests/premade_cwl_role/main.tf
@@ -31,6 +31,4 @@ module "premade_cwl_role" {
cloud_watch_logs_group_name = data.terraform_remote_state.prereq.outputs.cwl_group_name
cloud_watch_logs_role_arn = data.terraform_remote_state.prereq.outputs.cwl_role_arn
kms_key_alias = local.test_id
- use_existing_log_group = true
- create_log_group = false
}
diff --git a/variables.tf b/variables.tf
index 568af56..e9a52d2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -52,14 +52,8 @@ variable "cloudtrail_bucket" {
default = null
}
-variable "use_existing_log_group" {
- description = "Specifies whether to use an existing CloudWatch log group for this trail"
- type = bool
- default = false
-}
-
-variable "create_log_group" {
- description = "Specifies whether to create a CloudWatch log group for this trail"
+variable "use_cloud_watch_logs" {
+ description = "Specifies whether to use a CloudWatch log group for this trail"
type = bool
default = true
}
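Review bot: The description of `use_cloud_watch_logs` does not tell the caller what the flag now controls beyond "use a log group", yet the replaced pair of variables encoded three distinct behaviours that a reader of `variables.tf` can no longer see. Since the module creates `/aws/cloudtrail/<cloudtrail_name>` when no name is given, looks up an existing group when one is, and ignores both `cloud_watch_logs_group_name` and `cloud_watch_logs_role_arn` when the flag is false, the description should say so: `description = "Whether to deliver this trail to CloudWatch Logs. When true and cloud_watch_logs_group_name is null, the module creates /aws/cloudtrail/<cloudtrail_name>; when a name is given, that group must already exist. When false, cloud_watch_logs_group_name and cloud_watch_logs_role_arn are ignored."`. A `validation` block cannot express the cross-variable rule in the Terraform versions current at this date, so the description is the only place callers will learn that supplying a role ARN with the flag off has no effect.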