Add CloudTrail Advanced Event Selector (#70)

Author: X-Guardian

.editorconfig

@@ -0,0 +1,29 @@
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# Override for Makefile
+[{Makefile, makefile, GNUmakefile, Makefile.*}]
+tab_width = 4
+indent_style = tab
+indent_size = tab
+
+[*.sh]
+indent_size = unset
+indent_style = tab
+
+# Enforce `go` formatting rules
+[*.go]
+indent_size = unset
+indent_style = tab
+
+[*.json]
+insert_final_newline = false
+
+[COMMIT_EDITMSG]
+max_line_length = 0

README.md

@@ -132,14 +132,14 @@ Available targets:
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
 
 ## Modules
 
@@ -158,6 +158,7 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
+| <a name="input_advanced_event_selector"></a> [advanced\_event\_selector](#input\_advanced\_event\_selector) | Specifies an advanced event selector for enabling data event logging. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable | <pre>list(object({<br>    name = optional(string)<br>    field_selector = list(object({<br>      field           = string<br>      ends_with       = optional(list(string))<br>      not_ends_with   = optional(list(string))<br>      equals          = optional(list(string))<br>      not_equals      = optional(list(string))<br>      starts_with     = optional(list(string))<br>      not_starts_with = optional(list(string))<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
 | <a name="input_cloud_watch_logs_group_arn"></a> [cloud\_watch\_logs\_group\_arn](#input\_cloud\_watch\_logs\_group\_arn) | Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered | `string` | `""` | no |
 | <a name="input_cloud_watch_logs_role_arn"></a> [cloud\_watch\_logs\_role\_arn](#input\_cloud\_watch\_logs\_role\_arn) | Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group | `string` | `""` | no |
@@ -168,7 +169,7 @@ Available targets:
 | <a name="input_enable_logging"></a> [enable\_logging](#input\_enable\_logging) | Enable logging for the trail | `bool` | `true` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
-| <a name="input_event_selector"></a> [event\_selector](#input\_event\_selector) | Specifies an event selector for enabling data event logging. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable | <pre>list(object({<br>    include_management_events = bool<br>    read_write_type           = string<br><br>    data_resource = list(object({<br>      type   = string<br>      values = list(string)<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_event_selector"></a> [event\_selector](#input\_event\_selector) | Specifies an event selector for enabling data event logging. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable | <pre>list(object({<br>    include_management_events        = bool<br>    read_write_type                  = string<br>    exclude_management_event_sources = optional(set(string))<br><br>    data_resource = list(object({<br>      type   = string<br>      values = list(string)<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_include_global_service_events"></a> [include\_global\_service\_events](#input\_include\_global\_service\_events) | Specifies whether the trail is publishing events from global services such as IAM to the log files | `bool` | `false` | no |
 | <a name="input_insight_selector"></a> [insight\_selector](#input\_insight\_selector) | Specifies an insight selector for type of insights to log on a trail | <pre>list(object({<br>    insight_type = string<br>  }))</pre> | `[]` | no |
@@ -195,7 +196,7 @@ Available targets:
 |------|-------------|
 | <a name="output_cloudtrail_arn"></a> [cloudtrail\_arn](#output\_cloudtrail\_arn) | The Amazon Resource Name of the trail |
 | <a name="output_cloudtrail_home_region"></a> [cloudtrail\_home\_region](#output\_cloudtrail\_home\_region) | The region in which the trail was created |
-| <a name="output_cloudtrail_id"></a> [cloudtrail\_id](#output\_cloudtrail\_id) | The name of the trail |
+| <a name="output_cloudtrail_id"></a> [cloudtrail\_id](#output\_cloudtrail\_id) | The ID of the trail. (Name for provider < v5, ARN for provider >= v5). |
 <!-- markdownlint-restore -->
 
 

docs/terraform.md

@@ -3,14 +3,14 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
 
 ## Modules
 
@@ -29,6 +29,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
+| <a name="input_advanced_event_selector"></a> [advanced\_event\_selector](#input\_advanced\_event\_selector) | Specifies an advanced event selector for enabling data event logging. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable | <pre>list(object({<br>    name = optional(string)<br>    field_selector = list(object({<br>      field           = string<br>      ends_with       = optional(list(string))<br>      not_ends_with   = optional(list(string))<br>      equals          = optional(list(string))<br>      not_equals      = optional(list(string))<br>      starts_with     = optional(list(string))<br>      not_starts_with = optional(list(string))<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
 | <a name="input_cloud_watch_logs_group_arn"></a> [cloud\_watch\_logs\_group\_arn](#input\_cloud\_watch\_logs\_group\_arn) | Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered | `string` | `""` | no |
 | <a name="input_cloud_watch_logs_role_arn"></a> [cloud\_watch\_logs\_role\_arn](#input\_cloud\_watch\_logs\_role\_arn) | Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group | `string` | `""` | no |
@@ -39,7 +40,7 @@
 | <a name="input_enable_logging"></a> [enable\_logging](#input\_enable\_logging) | Enable logging for the trail | `bool` | `true` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
-| <a name="input_event_selector"></a> [event\_selector](#input\_event\_selector) | Specifies an event selector for enabling data event logging. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable | <pre>list(object({<br>    include_management_events = bool<br>    read_write_type           = string<br><br>    data_resource = list(object({<br>      type   = string<br>      values = list(string)<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_event_selector"></a> [event\_selector](#input\_event\_selector) | Specifies an event selector for enabling data event logging. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable | <pre>list(object({<br>    include_management_events        = bool<br>    read_write_type                  = string<br>    exclude_management_event_sources = optional(set(string))<br><br>    data_resource = list(object({<br>      type   = string<br>      values = list(string)<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_include_global_service_events"></a> [include\_global\_service\_events](#input\_include\_global\_service\_events) | Specifies whether the trail is publishing events from global services such as IAM to the log files | `bool` | `false` | no |
 | <a name="input_insight_selector"></a> [insight\_selector](#input\_insight\_selector) | Specifies an insight selector for type of insights to log on a trail | <pre>list(object({<br>    insight_type = string<br>  }))</pre> | `[]` | no |
@@ -66,5 +67,5 @@
 |------|-------------|
 | <a name="output_cloudtrail_arn"></a> [cloudtrail\_arn](#output\_cloudtrail\_arn) | The Amazon Resource Name of the trail |
 | <a name="output_cloudtrail_home_region"></a> [cloudtrail\_home\_region](#output\_cloudtrail\_home\_region) | The region in which the trail was created |
-| <a name="output_cloudtrail_id"></a> [cloudtrail\_id](#output\_cloudtrail\_id) | The name of the trail |
+| <a name="output_cloudtrail_id"></a> [cloudtrail\_id](#output\_cloudtrail\_id) | The ID of the trail. (Name for provider < v5, ARN for provider >= v5). |
 <!-- markdownlint-restore -->

examples/complete/fixtures.us-east-2.tfvars

@@ -1,5 +1,3 @@
-enabled = true
-
 region = "us-east-2"
 
 namespace = "eg"
@@ -17,3 +15,22 @@ include_global_service_events = false
 enable_logging = true
 
 is_organization_trail = false
+
+advanced_event_selector = [
+  {
+    name = "WriteOnly"
+    field_selector = [
+      {
+        field  = "eventCategory"
+        equals = ["Data"]
+      },
+      {
+        field  = "resources.type"
+        equals = ["AWS::Lambda::Function"]
+      },
+      {
+        field  = "readOnly"
+        equals = ["false"]
+    }]
+  }
+]

examples/complete/main.tf

@@ -11,13 +11,14 @@ module "cloudtrail" {
   is_multi_region_trail         = var.is_multi_region_trail
   is_organization_trail         = var.is_organization_trail
   s3_bucket_name                = module.cloudtrail_s3_bucket.bucket_id
+  advanced_event_selector       = var.advanced_event_selector
 
   context = module.this.context
 }
 
 module "cloudtrail_s3_bucket" {
   source  = "cloudposse/cloudtrail-s3-bucket/aws"
-  version = "0.14.0"
+  version = "0.26.4"
 
   force_destroy = true
 

examples/complete/variables.tf

@@ -27,3 +27,20 @@ variable "is_organization_trail" {
   type        = bool
   description = "The trail is an AWS Organizations trail"
 }
+
+variable "advanced_event_selector" {
+  type = list(object({
+    name = optional(string)
+    field_selector = list(object({
+      field           = string
+      ends_with       = optional(list(string))
+      not_ends_with   = optional(list(string))
+      equals          = optional(list(string))
+      not_equals      = optional(list(string))
+      starts_with     = optional(list(string))
+      not_starts_with = optional(list(string))
+    }))
+  }))
+  description = "Specifies an advanced event selector for enabling data event logging. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable"
+  default     = []
+}

examples/complete/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.3.0"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 2.0"
+      version = ">= 3.0"
     }
     local = {
       source  = "hashicorp/local"

main.tf

@@ -24,8 +24,9 @@ resource "aws_cloudtrail" "default" {
   dynamic "event_selector" {
     for_each = var.event_selector
     content {
-      include_management_events = lookup(event_selector.value, "include_management_events", null)
-      read_write_type           = lookup(event_selector.value, "read_write_type", null)
+      include_management_events        = lookup(event_selector.value, "include_management_events", null)
+      read_write_type                  = lookup(event_selector.value, "read_write_type", null)
+      exclude_management_event_sources = event_selector.value.exclude_management_event_sources
 
       dynamic "data_resource" {
         for_each = lookup(event_selector.value, "data_resource", [])
@@ -36,4 +37,24 @@ resource "aws_cloudtrail" "default" {
       }
     }
   }
-}
+
+  dynamic "advanced_event_selector" {
+    for_each = var.advanced_event_selector
+    content {
+      name = lookup(advanced_event_selector.value, "name", null)
+
+      dynamic "field_selector" {
+        for_each = advanced_event_selector.value.field_selector
+        content {
+          field           = field_selector.value.field
+          equals          = lookup(field_selector.value, "equals", null)
+          not_equals      = lookup(field_selector.value, "not_equals", null)
+          starts_with     = lookup(field_selector.value, "starts_with", null)
+          not_starts_with = lookup(field_selector.value, "not_starts_with", null)
+          ends_with       = lookup(field_selector.value, "ends_with", null)
+          not_ends_with   = lookup(field_selector.value, "not_ends_with", null)
+        }
+      }
+    }
+  }
+}

outputs.tf

@@ -1,14 +1,14 @@
 output "cloudtrail_id" {
-  value       = join("", aws_cloudtrail.default.*.id)
-  description = "The name of the trail"
+  value       = join("", aws_cloudtrail.default[*].id)
+  description = "The ID of the trail. (Name for provider < v5, ARN for provider >= v5)."
 }
 
 output "cloudtrail_home_region" {
-  value       = join("", aws_cloudtrail.default.*.home_region)
+  value       = join("", aws_cloudtrail.default[*].home_region)
   description = "The region in which the trail was created"
 }
 
 output "cloudtrail_arn" {
-  value       = join("", aws_cloudtrail.default.*.arn)
+  value       = join("", aws_cloudtrail.default[*].arn)
   description = "The Amazon Resource Name of the trail"
 }

test/Makefile

@@ -33,11 +33,11 @@ clean:
 all: module examples/complete
 
 ## Run basic sanity checks against the module itself
-module: export TESTS ?= installed lint get-modules module-pinning get-plugins provider-pinning validate terraform-docs input-descriptions output-descriptions
+module: export TESTS ?= installed lint module-pinning provider-pinning validate terraform-docs input-descriptions output-descriptions
 module: deps
 	$(call RUN_TESTS, ../)
 
 ## Run tests against example
-examples/complete: export TESTS ?= installed lint get-modules get-plugins validate
+examples/complete: export TESTS ?= installed lint validate
 examples/complete: deps
 	$(call RUN_TESTS, ../$@)