Merge pull request #4010 from pforman/cloudtrail-enable

provider/aws: Add "enable_logging" to CloudTrail resource
11 years ago · 749fcd4931
parent 774ed1ded8 52aad04930
commit 749fcd4931
3 changed files with 132 additions and 0 deletions
--- a/builtin/providers/aws/resource_aws_cloudtrail.go
+++ b/builtin/providers/aws/resource_aws_cloudtrail.go
@ -22,6 +22,11 @@ func resourceAwsCloudTrail() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 			},
+			"enable_logging": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  true,
+			},
 			"s3_bucket_name": &schema.Schema{
 				Type:     schema.TypeString,
 				Required: true,
@ -84,6 +89,14 @@ func resourceAwsCloudTrailCreate(d *schema.ResourceData, meta interface{}) error

 	d.SetId(*t.Name)

+	// AWS CloudTrail sets newly-created trails to false.
+	if v, ok := d.GetOk("enable_logging"); ok && v.(bool) {
+		err := cloudTrailSetLogging(conn, v.(bool), d.Id())
+		if err != nil {
+			return err
+		}
+	}
+
 	return resourceAwsCloudTrailRead(d, meta)
 }

@ -115,6 +128,12 @@ func resourceAwsCloudTrailRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("include_global_service_events", trail.IncludeGlobalServiceEvents)
 	d.Set("sns_topic_name", trail.SnsTopicName)

+	logstatus, err := cloudTrailGetLoggingStatus(conn, trail.Name)
+	if err != nil {
+		return err
+	}
+	d.Set("enable_logging", logstatus)
+
 	return nil
 }

@ -149,6 +168,15 @@ func resourceAwsCloudTrailUpdate(d *schema.ResourceData, meta interface{}) error
 	if err != nil {
 		return err
 	}
+
+	if d.HasChange("enable_logging") {
+		log.Printf("[DEBUG] Updating logging on CloudTrail: %s", input)
+		err := cloudTrailSetLogging(conn, d.Get("enable_logging").(bool), *input.Name)
+		if err != nil {
+			return err
+		}
+	}
+
 	log.Printf("[DEBUG] CloudTrail updated: %s", t)

 	return resourceAwsCloudTrailRead(d, meta)
@ -165,3 +193,45 @@ func resourceAwsCloudTrailDelete(d *schema.ResourceData, meta interface{}) error

 	return err
 }
+
+func cloudTrailGetLoggingStatus(conn *cloudtrail.CloudTrail, id *string) (bool, error) {
+	GetTrailStatusOpts := &cloudtrail.GetTrailStatusInput{
+		Name: id,
+	}
+	resp, err := conn.GetTrailStatus(GetTrailStatusOpts)
+	if err != nil {
+		return false, fmt.Errorf("Error retrieving logging status of CloudTrail (%s): %s", *id, err)
+	}
+
+	return *resp.IsLogging, err
+}
+
+func cloudTrailSetLogging(conn *cloudtrail.CloudTrail, enabled bool, id string) error {
+	if enabled {
+		log.Printf(
+			"[DEBUG] Starting logging on CloudTrail (%s)",
+			id)
+		StartLoggingOpts := &cloudtrail.StartLoggingInput{
+			Name: aws.String(id),
+		}
+		if _, err := conn.StartLogging(StartLoggingOpts); err != nil {
+			return fmt.Errorf(
+				"Error starting logging on CloudTrail (%s): %s",
+				id, err)
+		}
+	} else {
+		log.Printf(
+			"[DEBUG] Stopping logging on CloudTrail (%s)",
+			id)
+		StopLoggingOpts := &cloudtrail.StopLoggingInput{
+			Name: aws.String(id),
+		}
+		if _, err := conn.StopLogging(StopLoggingOpts); err != nil {
+			return fmt.Errorf(
+				"Error stopping logging on CloudTrail (%s): %s",
+				id, err)
+		}
+	}
+
+	return nil
+}
--- a/builtin/providers/aws/resource_aws_cloudtrail_test.go
+++ b/builtin/providers/aws/resource_aws_cloudtrail_test.go
@ -39,6 +39,41 @@ func TestAccAWSCloudTrail_basic(t *testing.T) {
 	})
 }

+func TestAccAWSCloudTrail_enable_logging(t *testing.T) {
+	var trail cloudtrail.Trail
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSCloudTrailDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSCloudTrailConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
+					// AWS will create the trail with logging turned off.
+					// Test that "enable_logging" default works.
+					testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", true, &trail),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSCloudTrailConfigModified,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
+					testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", false, &trail),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSCloudTrailConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
+					testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", true, &trail),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckCloudTrailExists(n string, trail *cloudtrail.Trail) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		rs, ok := s.RootModule().Resources[n]
@ -63,6 +98,30 @@ func testAccCheckCloudTrailExists(n string, trail *cloudtrail.Trail) resource.Te
 	}
 }

+func testAccCheckCloudTrailLoggingEnabled(n string, desired bool, trail *cloudtrail.Trail) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).cloudtrailconn
+		params := cloudtrail.GetTrailStatusInput{
+			Name: aws.String(rs.Primary.ID),
+		}
+		resp, err := conn.GetTrailStatus(&params)
+
+		if err != nil {
+			return err
+		}
+		if *resp.IsLogging != desired {
+			return fmt.Errorf("Expected logging status %t, given %t", desired, *resp.IsLogging)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckAWSCloudTrailDestroy(s *terraform.State) error {
 	conn := testAccProvider.Meta().(*AWSClient).cloudtrailconn

@ -134,6 +193,7 @@ resource "aws_cloudtrail" "foobar" {
    s3_bucket_name = "${aws_s3_bucket.foo.id}"
    s3_key_prefix = "/prefix"
    include_global_service_events = false
+    enable_logging = false
 }

 resource "aws_s3_bucket" "foo" {
--- a/website/source/docs/providers/aws/r/cloudtrail.html.markdown
+++ b/website/source/docs/providers/aws/r/cloudtrail.html.markdown
@ -63,6 +63,8 @@ The following arguments are supported:
    endpoint to assume to write to a user’s log group.
 * `cloud_watch_logs_group_arn` - (Optional) Specifies a log group name using an Amazon Resource Name (ARN),
    that represents the log group to which CloudTrail logs will be delivered.
+* `enable_logging` - (Optional) Enables logging for the trail. Defaults to `true`.
+    Setting this to `false` will pause logging.
 * `include_global_service_events` - (Optional) Specifies whether the trail is publishing events
    from global services such as IAM to the log files. Defaults to `true`.
 * `sns_topic_name` - (Optional) Specifies the name of the Amazon SNS topic