From 484887c0c5585b5db336da6f5484234bda1c853f Mon Sep 17 00:00:00 2001
From: Paul Forman
Date: Sun, 22 Nov 2015 10:47:23 -0700
Subject: [PATCH] Change default for logging in CloudTrail to true
The default for `enable_logging`, which defines whether CloudTrail actually logs events was originally written as defaulting to `false`, since that's how AWS creates trails. `true` is likely a better default for Terraform users. Changed the default and updated the docs. Changed the acceptance tests to verify new default behavior.
---
 builtin/providers/aws/resource_aws_cloudtrail.go | 2 +-
 .../providers/aws/resource_aws_cloudtrail_test.go | 12 ++++++------
 .../docs/providers/aws/r/cloudtrail.html.markdown | 3 ++-
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/builtin/providers/aws/resource_aws_cloudtrail.go b/builtin/providers/aws/resource_aws_cloudtrail.go
index 82a9172c0..303073422 100644
--- a/builtin/providers/aws/resource_aws_cloudtrail.go
+++ b/builtin/providers/aws/resource_aws_cloudtrail.go
@@ -25,7 +25,7 @@ func resourceAwsCloudTrail() *schema.Resource {
 "enable_logging": &schema.Schema{
 Type: schema.TypeBool,
 Optional: true,
- Default: false,
+ Default: true,
 },
 "s3_bucket_name": &schema.Schema{
 Type: schema.TypeString,
diff --git a/builtin/providers/aws/resource_aws_cloudtrail_test.go b/builtin/providers/aws/resource_aws_cloudtrail_test.go
index 47a89083c..2d3e807c6 100644
--- a/builtin/providers/aws/resource_aws_cloudtrail_test.go
+++ b/builtin/providers/aws/resource_aws_cloudtrail_test.go
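Review bot: The new `Default: true` on the `enable_logging` schema entry carries no comment recording that it deliberately differs from what AWS does at creation, which the commit message says is to leave logging off. A line such as `// Defaults to true although AWS creates trails with logging off; logging must be started explicitly after create.` above `Default: true,` would keep a later reader from "correcting" it back. The flip also means a configuration that omits the attribute will plan a change from `false` to `true` on upgrade, which deserves a changelog entry. Whether a failed start-logging call after creation is surfaced as an error cannot be seen here, because the rest of resourceAwsCloudTrail and the create function lie outside the hunk; a trail that exists but silently records nothing is the case worth ruling out.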
@@ -51,23 +51,23 @@ func TestAccAWSCloudTrail_enable_logging(t *testing.T) {
 Config: testAccAWSCloudTrailConfig,
 Check: resource.ComposeTestCheckFunc(
 testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
- // This is a warning test. AWS sets up new trails with logging disabled
- // Should that change in the future, this test should fail.
- testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", false, &trail),
+ // AWS will create the trail with logging turned off.
+ // Test that "enable_logging" default works.
+ testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", true, &trail),
 ),
 },
 resource.TestStep{
 Config: testAccAWSCloudTrailConfigModified,
 Check: resource.ComposeTestCheckFunc(
 testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
- testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", true, &trail),
+ testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", false, &trail),
 ),
 },
 resource.TestStep{
 Config: testAccAWSCloudTrailConfig,
 Check: resource.ComposeTestCheckFunc(
 testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
- testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", false, &trail),
+ testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", true, &trail),
 ),
 },
 },
@@ -193,7 +193,7 @@ resource "aws_cloudtrail" "foobar" {
 s3_bucket_name = "${aws_s3_bucket.foo.id}"
 s3_key_prefix = "/prefix"
 include_global_service_events = false
- enable_logging = true
+ enable_logging = false
 }

 resource "aws_s3_bucket" "foo" {
diff --git a/website/source/docs/providers/aws/r/cloudtrail.html.markdown b/website/source/docs/providers/aws/r/cloudtrail.html.markdown
index 0f21f4670..e63a22dd2 100644
--- a/website/source/docs/providers/aws/r/cloudtrail.html.markdown
+++ b/website/source/docs/providers/aws/r/cloudtrail.html.markdown
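Review bot: After this change no step asserts the explicit `enable_logging = true` path: the modified config in the `@@ -193` hunk now sets `false`, and the first and third steps appear to rely on the schema default (testAccAWSCloudTrailConfig is not visible here, so that is inferred). A fourth `resource.TestStep` whose config sets `enable_logging = true` explicitly would cover it. The rewritten comment in the first step could also say what the check proves, for example `// AWS creates trails with logging off; the provider must start logging when enable_logging is unset.` The enclosing test function starts before and ends after the hunk.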
@@ -64,7 +64,8 @@ The following arguments are supported: endpoint to assume to write to a user’s log group. * `cloud_watch_logs_group_arn` - (Optional) Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered. -* `enable_logging` - (Optional) Enables logging for the trail. Defaults to `false`. +* `enable_logging` - (Optional) Enables logging for the trail. Defaults to `true`. + Setting this to `false` will pause logging. * `include_global_service_events` - (Optional) Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to `true`. * `sns_topic_name` - (Optional) Specifies the name of the Amazon SNS topic