diff --git a/packages/@aws-cdk/aws-cloudtrail/README.md b/packages/@aws-cdk/aws-cloudtrail/README.md
index 2a5f3a06c300d..4a750517d60bd 100644
--- a/packages/@aws-cdk/aws-cloudtrail/README.md
+++ b/packages/@aws-cdk/aws-cloudtrail/README.md
@@ -190,7 +190,7 @@ trail.addLambdaEventSelector([ amazingFunction ]);
 ## Organization Trail
 It is possible to create a trail that will be applied to all accounts in an organization if the current account manages an organization.
-To enable this, the property `isOrganizationTrail` must be set. If this property is set and the current account does not manage an organization, the created trail will be created only for the account.
+To enable this, the property `isOrganizationTrail` must be set. If this property is set and the current account does not manage an organization, the stack will fail to deploy.
 ```ts
 new cloudtrail.Trail(this, 'OrganizationTrail', {
diff --git a/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts b/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts
index 1394baeab8965..73cb247821560 100644
--- a/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts
+++ b/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts
@@ -119,6 +119,8 @@ export interface TrailProps {
 /**
 * Specifies whether the trail is applied to all accounts in an organization in AWS Organizations, or only for the current AWS account.
 *
+ * If this is set to true then the current account _must_ be the management account. If it is not, then CloudFormation will throw an error.
+ *
 * If this is set to true and the current account is a management account for an organization in AWS Organizations, the trail will be created in all AWS accounts that belong to the organization.
 * If this is set to false, the trail will remain in the current AWS account but be deleted from all member accounts in the organization.
 *
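Review bot: The wording `then CloudFormation will throw an error` in the added doc comment is looser than the README change in the same commit (`the stack will fail to deploy`); the two should say the same thing, e.g. `* If this is set to true, the current account _must_ be the management account of the organization; otherwise the stack will fail to deploy.` The paragraph that follows still spells out the management-account condition for `true` as if another outcome existed, which the new sentence now rules out, so it could be trimmed to describe only the management-account behaviour. Separately, the bucket policy in the deleted snapshot grants `s3:PutObject` only under `/AWSLogs/` + `AWS::AccountId` + `/*`; if organization trails deliver member-account logs under an organization-id prefix, that grant may not cover them and delivery for member accounts would silently fail — worth confirming against the construct's bucket-policy code, which is outside this hunk. The `TrailProps` interface continues outside the hunk.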
diff --git a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/CloudtrailIntegTestStack.template.json b/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/CloudtrailIntegTestStack.template.json
deleted file mode 100644
index d07a2d5591de4..0000000000000
--- a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/CloudtrailIntegTestStack.template.json
+++ /dev/null
@@ -1,116 +0,0 @@ -{ - "Resources": { - "TrailS30071F172": { - "Type": "AWS::S3::Bucket", - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "TrailS3PolicyE42170FE": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "TrailS30071F172" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TrailS30071F172", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TrailS30071F172", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": "s3:GetBucketAcl", - "Effect": "Allow", - "Principal": { - "Service": "cloudtrail.amazonaws.com" - }, - "Resource": { - "Fn::GetAtt": [ - "TrailS30071F172", - "Arn" - ] - } - }, - { - "Action": "s3:PutObject", - "Condition": { - "StringEquals": { - "s3:x-amz-acl": "bucket-owner-full-control" - } - }, - "Effect": "Allow", - "Principal": { - "Service": "cloudtrail.amazonaws.com" - }, - "Resource": { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TrailS30071F172", - "Arn" - ] - }, - "/AWSLogs/", - { - "Ref": "AWS::AccountId" - }, - "/*" - ] - ] - } - } - ], - "Version": "2012-10-17" - } - } - }, - "Trail022F0CF2": { - "Type": "AWS::CloudTrail::Trail", - "Properties": { - "IsLogging": true, - "S3BucketName": { - "Ref": "TrailS30071F172" - }, - "EnableLogFileValidation": true, - "EventSelectors": [], - "IncludeGlobalServiceEvents": true, - "IsMultiRegionTrail": true, - "IsOrganizationTrail": true - }, - "DependsOn": [ - "TrailS3PolicyE42170FE" - ] - } - } -} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/TrailIntegTestDefaultTestDeployAssertA42C24D1.template.json b/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/TrailIntegTestDefaultTestDeployAssertA42C24D1.template.json
deleted file mode 100644
index 9e26dfeeb6e64..0000000000000
--- a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/TrailIntegTestDefaultTestDeployAssertA42C24D1.template.json
+++ /dev/null
@@ -1 +0,0 @@
-{}
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/cdk.out
deleted file mode 100644
index 588d7b269d34f..0000000000000
--- a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/cdk.out
+++ /dev/null
@@ -1 +0,0 @@
-{"version":"20.0.0"}
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/integ.json b/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/integ.json
deleted file mode 100644
index 61291759f654d..0000000000000
--- a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/integ.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "version": "20.0.0",
- "testCases": {
- "TrailIntegTest/DefaultTest": {
- "stacks": [
- "CloudtrailIntegTestStack"
- ],
- "assertionStack": "TrailIntegTestDefaultTestDeployAssertA42C24D1"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/manifest.json
deleted file mode 100644
index 66d0aeebc2852..0000000000000
--- a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/manifest.json
+++ /dev/null
@@ -1,49 +0,0 @@ -{ - "version": "20.0.0", - "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, - "CloudtrailIntegTestStack": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "CloudtrailIntegTestStack.template.json", - "validateOnSynth": false - }, - "metadata": { - "/CloudtrailIntegTestStack/Trail/S3/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TrailS30071F172" - } - ], - "/CloudtrailIntegTestStack/Trail/S3/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TrailS3PolicyE42170FE" - } - ], - "/CloudtrailIntegTestStack/Trail/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Trail022F0CF2" - } - ] - }, - "displayName": "CloudtrailIntegTestStack" - }, - "TrailIntegTestDefaultTestDeployAssertA42C24D1": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "TrailIntegTestDefaultTestDeployAssertA42C24D1.template.json", - "validateOnSynth": false - }, - "displayName": "TrailIntegTest/DefaultTest/DeployAssert" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/tree.json b/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/tree.json deleted file mode 100644 index 1a80da9d3bd60..0000000000000 --- a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.integ.snapshot/tree.json +++ /dev/null 
@@ -1,229 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.71" - } - }, - "CloudtrailIntegTestStack": { - "id": "CloudtrailIntegTestStack", - "path": "CloudtrailIntegTestStack", - "children": { - "Trail": { - "id": "Trail", - "path": "CloudtrailIntegTestStack/Trail", - "children": { - "S3": { - "id": "S3", - "path": "CloudtrailIntegTestStack/Trail/S3", - "children": { - "Resource": { - "id": "Resource", - "path": "CloudtrailIntegTestStack/Trail/S3/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": {} - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "CloudtrailIntegTestStack/Trail/S3/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "CloudtrailIntegTestStack/Trail/S3/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "TrailS30071F172" - }, - "policyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TrailS30071F172", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TrailS30071F172", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": "s3:GetBucketAcl", - "Effect": "Allow", - "Principal": { - "Service": "cloudtrail.amazonaws.com" - }, - "Resource": { - "Fn::GetAtt": [ - "TrailS30071F172", - "Arn" - ] - } - }, - { - "Action": "s3:PutObject", - "Condition": { - "StringEquals": { - "s3:x-amz-acl": "bucket-owner-full-control" - } - }, - "Effect": "Allow", - "Principal": { - "Service": "cloudtrail.amazonaws.com" - }, - "Resource": { - "Fn::Join": 
[ - "", - [ - { - "Fn::GetAtt": [ - "TrailS30071F172", - "Arn" - ] - }, - "/AWSLogs/", - { - "Ref": "AWS::AccountId" - }, - "/*" - ] - ] - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-s3.BucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-s3.Bucket", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "CloudtrailIntegTestStack/Trail/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CloudTrail::Trail", - "aws:cdk:cloudformation:props": { - "isLogging": true, - "s3BucketName": { - "Ref": "TrailS30071F172" - }, - "enableLogFileValidation": true, - "eventSelectors": [], - "includeGlobalServiceEvents": true, - "isMultiRegionTrail": true, - "isOrganizationTrail": true - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-cloudtrail.CfnTrail", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-cloudtrail.Trail", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/core.Stack", - "version": "0.0.0" - } - }, - "TrailIntegTest": { - "id": "TrailIntegTest", - "path": "TrailIntegTest", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "TrailIntegTest/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "TrailIntegTest/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.71" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "TrailIntegTest/DefaultTest/DeployAssert", - "constructInfo": { - "fqn": "@aws-cdk/core.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTest", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/core.App", - "version": 
"0.0.0"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-cloudtrail/test/integ.cloudtrail.ts b/packages/@aws-cdk/aws-cloudtrail/test/integ.cloudtrail.ts
deleted file mode 100644
index 23d5ba58e4776..0000000000000
--- a/packages/@aws-cdk/aws-cloudtrail/test/integ.cloudtrail.ts
+++ /dev/null
@@ -1,16 +0,0 @@
-import * as cdk from '@aws-cdk/core';
-import * as integ from '@aws-cdk/integ-tests';
-import * as cloudtrail from '../lib';
-
-const app = new cdk.App();
-const stack = new cdk.Stack(app, 'CloudtrailIntegTestStack');
-
-new cloudtrail.Trail(stack, 'Trail', {
- isOrganizationTrail: true,
-});
-
-new integ.IntegTest(app, 'TrailIntegTest', {
- testCases: [stack],
-});
-
-app.synth();
\ No newline at end of file