Add enable_logging to AWS CloudTrail

The AWS CloudTrail resource is capable of creating CloudTrail resources,
but AWS defaults the actual logging of the trails to `false`, and
Terraform has no method to enable or monitor the status of logging.

CloudTrail trails that are inactive aren't very useful, and it's a
surprise to discover they aren't logging on creation.

Added an `enable_logging` parameter to resource_aws_cloudtrail to enable
logging.  This requires some extra API calls, which are wrapped in new
internal functions.

For compatibility with AWS, the default of `enable_logging` is set to
`false`.
Paul Forman 2015-11-20 22:51:40 -07:00
parent cf87ede5dd
commit 52db098292
1 changed files with 64 additions and 0 deletions


@ -22,6 +22,11 @@ func resourceAwsCloudTrail() *schema.Resource {
Required: true, Required: true,
ForceNew: true, ForceNew: true,
}, },
"enable_logging": &schema.Schema{
Type: schema.TypeBool,
Optional: true,
Default: false,
},
"s3_bucket_name": &schema.Schema{ "s3_bucket_name": &schema.Schema{
Type: schema.TypeString, Type: schema.TypeString,
Required: true, Required: true,
@ -84,6 +89,11 @@ func resourceAwsCloudTrailCreate(d *schema.ResourceData, meta interface{}) error
d.SetId(*t.Name) d.SetId(*t.Name)
// AWS CloudTrail sets newly-created trails to false.
if v, ok := d.GetOk("enable_logging"); ok && v.(bool) {
cloudTrailSetLogging(conn, v.(bool), d.Id())
}
return resourceAwsCloudTrailRead(d, meta) return resourceAwsCloudTrailRead(d, meta)
} }
@ -115,6 +125,12 @@ func resourceAwsCloudTrailRead(d *schema.ResourceData, meta interface{}) error {
d.Set("include_global_service_events", trail.IncludeGlobalServiceEvents) d.Set("include_global_service_events", trail.IncludeGlobalServiceEvents)
d.Set("sns_topic_name", trail.SnsTopicName) d.Set("sns_topic_name", trail.SnsTopicName)
logstatus, err := cloudTrailGetLoggingStatus(conn, *trail.Name)
if err != nil {
return err
}
d.Set("enable_logging", logstatus)
return nil return nil
} }
@ -149,6 +165,15 @@ func resourceAwsCloudTrailUpdate(d *schema.ResourceData, meta interface{}) error
if err != nil { if err != nil {
return err return err
} }
if d.HasChange("enable_logging") {
log.Printf("[DEBUG] Updating logging on CloudTrail: %s", input)
err := cloudTrailSetLogging(conn, d.Get("enable_logging").(bool), *input.Name)
if err != nil {
return err
}
}
log.Printf("[DEBUG] CloudTrail updated: %s", t) log.Printf("[DEBUG] CloudTrail updated: %s", t)
return resourceAwsCloudTrailRead(d, meta) return resourceAwsCloudTrailRead(d, meta)
@ -165,3 +190,42 @@ func resourceAwsCloudTrailDelete(d *schema.ResourceData, meta interface{}) error
return err return err
} }
func cloudTrailGetLoggingStatus(conn *cloudtrail.CloudTrail, id string) (bool, error) {
GetTrailStatusOpts := &cloudtrail.GetTrailStatusInput{
Name: aws.String(id),
}
resp, err := conn.GetTrailStatus(GetTrailStatusOpts)
return *resp.IsLogging, err
}
func cloudTrailSetLogging(conn *cloudtrail.CloudTrail, enabled bool, id string) error {
if enabled {
log.Printf(
"[DEBUG] Starting logging on CloudTrail (%s)",
id)
StartLoggingOpts := &cloudtrail.StartLoggingInput{
Name: aws.String(id),
}
if _, err := conn.StartLogging(StartLoggingOpts); err != nil {
return fmt.Errorf(
"Error starting logging on CloudTrail (%s): %s",
id, err)
}
} else {
log.Printf(
"[DEBUG] Stopping logging on CloudTrail (%s)",
id)
StopLoggingOpts := &cloudtrail.StopLoggingInput{
Name: aws.String(id),
}
if _, err := conn.StopLogging(StopLoggingOpts); err != nil {
return fmt.Errorf(
"Error stopping logging on CloudTrail (%s): %s",
id, err)
}
}
return nil
}
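Review bot: In resourceAwsCloudTrailCreate the return value of `cloudTrailSetLogging(conn, v.(bool), d.Id())` is discarded, so a failed StartLogging call leaves a trail that exists but records nothing while the apply reports success; return it as the update path already does, `if err := cloudTrailSetLogging(conn, v.(bool), d.Id()); err != nil { return err }`. cloudTrailGetLoggingStatus also dereferences `*resp.IsLogging` before looking at `err`, which is likely to panic on a nil pointer when GetTrailStatus fails; check first with `if err != nil { return false, err }` and handle a nil `IsLogging` explicitly. Because the default stays `false`, a short comment on the `enable_logging` schema field stating that omitting it yields a trail that does not record events would help operators who expect audit logging from the moment of creation. The bodies of the create, read and update functions continue outside the hunks shown here.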