
Merge pull request #244 from terraform-contrib/feat/insights/allow-en…
…abling-available-insights

feat(insights): allow enabling available insights
chtakahashi authored Jan 5, 2024
2 parents 7248e47 + 4f4fd69 commit 8d84f1b
Showing 4 changed files with 30 additions and 8 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -1,5 +1,6 @@
.DS_Store
.terraform
.terraform.lock.hcl
terraform.tfstate
terraform.tfstate.backup
terraform.tfstate.*.backup
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -61,6 +61,8 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| api\_call\_rate\_insight | A measurement of write-only management API calls that occur per minute against a baseline API call volume. | `bool` | `false` | no |
| api\_error\_rate\_insight | A measurement of management API calls that result in error codes. The error is shown if the API call is unsuccessful. | `bool` | `false` | no |
| cloudwatch\_log\_group\_name | The name of the CloudWatch Log Group that receives CloudTrail events. | `string` | `"cloudtrail-events"` | no |
| enabled | Enables logging for the trail. Defaults to true. Setting this to false will pause logging. | `bool` | `true` | no |
| iam\_policy\_name | Name for the CloudTrail IAM policy | `string` | `"cloudtrail-cloudwatch-logs-policy"` | no |
22 changes: 14 additions & 8 deletions main.tf
@@ -1,10 +1,8 @@
# The AWS region currently being used.
data "aws_region" "current" {
}
data "aws_region" "current" {}

# The AWS account id
data "aws_caller_identity" "current" {
}
data "aws_caller_identity" "current" {}

# The AWS partition (commercial or govcloud)
data "aws_partition" "current" {}
Expand Down Expand Up @@ -219,12 +217,11 @@ data "aws_iam_policy_document" "cloudtrail_kms_policy_doc" {
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
"kms:Describe*",
]
resources = ["*"]
}


statement {
sid = "Allow Cloudtrail to decrypt and generate key for sns access"
effect = "Allow"
Expand All @@ -240,7 +237,6 @@ data "aws_iam_policy_document" "cloudtrail_kms_policy_doc" {
]
resources = ["*"]
}

}

resource "aws_kms_key" "cloudtrail" {
Expand Down Expand Up @@ -289,8 +285,18 @@ resource "aws_cloudtrail" "main" {
# Enables SNS log notification
sns_topic_name = var.sns_topic_arn

tags = var.tags
# Enable Insights
dynamic "insight_selector" {
for_each = compact([
var.api_call_rate_insight ? "ApiCallRateInsight" : null,
var.api_error_rate_insight ? "ApiErrorRateInsight" : null,
])
content {
insight_type = insight_selector.value
}
}

tags = var.tags

depends_on = [
aws_kms_key.cloudtrail,
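Review bot: The `# Enable Insights` comment above the new `dynamic "insight_selector"` block in the last hunk says nothing about the precondition that CloudTrail Insights only analyze management events, so a trail whose event selectors exclude management events accepts these selectors yet records no Insights events; whether this module's trail logs management events is not visible here, as `resource "aws_cloudtrail" "main"` starts and ends outside the hunk. Suggest `# Enable CloudTrail Insights (requires management events to be logged; billed per analyzed event; delivered alongside the trail's logs under a separate Insights prefix)` so the operator knows what to verify and what it costs. The `compact([... ? "ApiCallRateInsight" : null, ...])` idiom also relies on `compact` dropping null elements as well as empty strings, which older Terraform releases did not document; confirm the module's `required_version` constraint (not in this diff) covers that behavior, or substitute `""` for `null` to be safe on any version. The earlier hunks in this file (brace and trailing-comma formatting in the data sources and `cloudtrail_kms_policy_doc`) are cosmetic and raise nothing.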
13 changes: 13 additions & 0 deletions variables.tf
Expand Up @@ -56,6 +56,7 @@ variable "s3_key_prefix" {
default = "cloudtrail"
type = string
}

variable "sns_topic_arn" {
description = "ARN of the SNS topic for notification of log file delivery."
default = ""
Expand All @@ -67,3 +68,15 @@ variable "tags" {
default = {}
type = map(string)
}

variable "api_call_rate_insight" {
description = "A measurement of write-only management API calls that occur per minute against a baseline API call volume."
default = false
type = bool
}

variable "api_error_rate_insight" {
description = "A measurement of management API calls that result in error codes. The error is shown if the API call is unsuccessful."
default = false
type = bool
}
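Review bot: The `description` strings of the two new variables `api_call_rate_insight` and `api_error_rate_insight` describe what the AWS insight measures rather than what the boolean does, so `terraform-docs` output and the README rows copied from them read like metric definitions instead of toggles. Suggest `description = "Enable the ApiCallRateInsight CloudTrail Insights selector (write-only management API call rate against a baseline). Requires management events to be logged."` and the parallel `"Enable the ApiErrorRateInsight CloudTrail Insights selector (management API calls that return error codes). Requires management events to be logged."`, keeping the AWS definition in parentheses. The added blank line after `variable "s3_key_prefix"` in the first hunk is formatting only.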
