feat(cloudtrail): user specified log group

packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts

@@ -63,12 +63,19 @@ export interface TrailProps {
   readonly sendToCloudWatchLogs?: boolean;
 
   /**
-   * How long to retain logs in CloudWatchLogs. Ignored if sendToCloudWatchLogs is false
+   * How long to retain logs in CloudWatchLogs.
+   * Ignored if sendToCloudWatchLogs is false or if cloudWatchLogGroup is set.
    *
    *  @default logs.RetentionDays.OneYear
    */
   readonly cloudWatchLogsRetention?: logs.RetentionDays;
 
+  /**
+   * Log Group to which CloudTrail to push logs to. Ignored if sendToCloudWatchLogs is set to false.
+   * @default - a new log group is created and used.
+   */
+  readonly cloudWatchLogGroup?: logs.ILogGroup;
+
   /** The AWS Key Management Service (AWS KMS) key ID that you want to use to encrypt CloudTrail logs.
    *
    * @default - No encryption.
@@ -154,6 +161,12 @@ export class Trail extends Resource {
    */
   public readonly trailSnsTopicArn: string;
 
+  /**
+   * The CloudWatch log group to which CloudTrail events are sent.
+   * `undefined` if `sendToCloudWatchLogs` property is false.
+   */
+  public readonly logGroup: logs.ILogGroup | undefined;
+
   private s3bucket: s3.IBucket;
   private eventSelectors: EventSelector[] = [];
 
@@ -183,19 +196,22 @@ export class Trail extends Resource {
       },
     }));
 
-    let logGroup: logs.CfnLogGroup | undefined;
     let logsRole: iam.IRole | undefined;
 
     if (props.sendToCloudWatchLogs) {
-      logGroup = new logs.CfnLogGroup(this, 'LogGroup', {
-        retentionInDays: props.cloudWatchLogsRetention || logs.RetentionDays.ONE_YEAR,
-      });
+      if (props.cloudWatchLogGroup) {
+        this.logGroup = props.cloudWatchLogGroup;
+      } else {
+        this.logGroup = new logs.LogGroup(this, 'LogGroup', {
+          retention: props.cloudWatchLogsRetention ?? logs.RetentionDays.ONE_YEAR,
+        });
+      }
 
       logsRole = new iam.Role(this, 'LogsRole', { assumedBy: cloudTrailPrincipal });
 
       logsRole.addToPolicy(new iam.PolicyStatement({
         actions: ['logs:PutLogEvents', 'logs:CreateLogStream'],
-        resources: [logGroup.attrArn],
+        resources: [this.logGroup.logGroupArn],
       }));
     }
 
@@ -217,8 +233,8 @@ export class Trail extends Resource {
       kmsKeyId: props.kmsKey && props.kmsKey.keyArn,
       s3BucketName: this.s3bucket.bucketName,
       s3KeyPrefix: props.s3KeyPrefix,
-      cloudWatchLogsLogGroupArn: logGroup && logGroup.attrArn,
-      cloudWatchLogsRoleArn: logsRole && logsRole.roleArn,
+      cloudWatchLogsLogGroupArn: this.logGroup?.logGroupArn,
+      cloudWatchLogsRoleArn: logsRole?.roleArn,
       snsTopicName: props.snsTopic,
       eventSelectors: this.eventSelectors,
     });

packages/@aws-cdk/aws-cloudtrail/test/test.cloudtrail.ts

@@ -1,7 +1,7 @@
-import { expect, haveResource, not, SynthUtils } from '@aws-cdk/assert';
+import { expect, haveResource, haveResourceLike, not, SynthUtils } from '@aws-cdk/assert';
 import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
-import { RetentionDays } from '@aws-cdk/aws-logs';
+import { LogGroup, RetentionDays } from '@aws-cdk/aws-logs';
 import * as s3 from '@aws-cdk/aws-s3';
 import { Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
@@ -160,10 +160,12 @@ export = {
     'with cloud watch logs': {
       'enabled'(test: Test) {
         const stack = getTestStack();
-        new Trail(stack, 'MyAmazingCloudTrail', {
+        const t = new Trail(stack, 'MyAmazingCloudTrail', {
           sendToCloudWatchLogs: true,
         });
 
+        test.ok(t.logGroup);
+        test.deepEqual(stack.resolve(t.logGroup!.logGroupArn), { 'Fn::GetAtt': ['MyAmazingCloudTrailLogGroup2BE67F87', 'Arn'] });
         expect(stack).to(haveResource('AWS::CloudTrail::Trail'));
         expect(stack).to(haveResource('AWS::S3::Bucket'));
         expect(stack).to(haveResource('AWS::S3::BucketPolicy', ExpectedBucketPolicyProperties));
@@ -177,7 +179,7 @@ export = {
               Effect: 'Allow',
               Action: ['logs:PutLogEvents', 'logs:CreateLogStream'],
               Resource: {
-                'Fn::GetAtt': ['MyAmazingCloudTrailLogGroupAAD65144', 'Arn'],
+                'Fn::GetAtt': ['MyAmazingCloudTrailLogGroup2BE67F87', 'Arn'],
               },
             }],
           },
@@ -188,6 +190,7 @@ export = {
         test.deepEqual(trail.DependsOn, [logsRolePolicyName, logsRoleName, 'MyAmazingCloudTrailS3Policy39C120B0']);
         test.done();
       },
+
       'enabled and custom retention'(test: Test) {
         const stack = getTestStack();
         new Trail(stack, 'MyAmazingCloudTrail', {
@@ -207,6 +210,46 @@ export = {
         test.deepEqual(trail.DependsOn, [logsRolePolicyName, logsRoleName, 'MyAmazingCloudTrailS3Policy39C120B0']);
         test.done();
       },
+
+      'enabled and with custom log group'(test: Test) {
+        const stack = getTestStack();
+        const cloudWatchLogGroup = new LogGroup(stack, 'MyLogGroup', {
+          retention: RetentionDays.FIVE_DAYS,
+        });
+        new Trail(stack, 'MyAmazingCloudTrail', {
+          sendToCloudWatchLogs: true,
+          cloudWatchLogsRetention: RetentionDays.ONE_WEEK,
+          cloudWatchLogGroup,
+        });
+
+        expect(stack).to(haveResource('AWS::Logs::LogGroup', {
+          RetentionInDays: 5,
+        }));
+
+        expect(stack).to(haveResource('AWS::CloudTrail::Trail', {
+          CloudWatchLogsLogGroupArn: stack.resolve(cloudWatchLogGroup.logGroupArn),
+        }));
+
+        expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+          PolicyDocument: {
+            Statement: [{
+              Resource: stack.resolve(cloudWatchLogGroup.logGroupArn),
+            }],
+          },
+        }));
+        test.done();
+      },
+
+      'disabled'(test: Test) {
+        const stack = getTestStack();
+        const t = new Trail(stack, 'MyAmazingCloudTrail', {
+          sendToCloudWatchLogs: false,
+          cloudWatchLogsRetention: RetentionDays.ONE_WEEK,
+        });
+        test.equals(t.logGroup, undefined);
+        expect(stack).notTo(haveResource('AWS::Logs::LogGroup'));
+        test.done();
+      },
     },
     'with event selectors': {
       'with default props'(test: Test) {