Functional aws_cloudtrail_trail resource #186
Conversation
Fixes chef-boneyard#146 Signed-off-by: Rony Xavier <rx294@nyu.edu>
Fixes chef-boneyard#146 Signed-off-by: Rony Xavier <rx294@nyu.edu>
Signed-off-by: Rony Xavier <rx294@nyu.edu>
|
|
||
| ### be_encrypted | ||
|
|
||
| The test will pass if the logs delivered by identified trail is encrypted. |
There was a problem hiding this comment.
delivered by the identified trail
| The ARN identifier of the specified trail. An ARN uniquely identifies the trail within AWS. | ||
|
|
||
| describe aws_cloudtrail_trail('trail-name') do | ||
| its('trail_arn') { should cmp "trail-arn" } |
There was a problem hiding this comment.
I'd prefer that we had a real-looking ARN URI as the comparison value
|
|
||
| ### be_log_file_validation_enabled | ||
|
|
||
| The test will pass if the identified trail log file integrity validation is enabled. |
There was a problem hiding this comment.
The test will pass if the identified trail has log file integrity validation is enabled.
libraries/aws_cloudtrail_trail.rb
Outdated
| @@ -0,0 +1,74 @@ | |||
| class AwsCloudTrailTrail < Inspec.resource(1) | |||
| name 'aws_cloudtrail_trail' | |||
| desc 'Verifies settings for individual AWS CloudTrail Trail' | |||
There was a problem hiding this comment.
Verifies settings for an individual AWS CloudTrail Trail
|
|
||
| output "aws_region" { | ||
| value = "${data.aws_region.region.name}" | ||
| } |
There was a problem hiding this comment.
👍 to this, I've almost added it myself several times.
| } | ||
| }, | ||
| { | ||
| "Sid": "Enable cross account log decryption", |
There was a problem hiding this comment.
Do we require this ability?
There was a problem hiding this comment.
Not necessary...i was going with the default Key Policy Created in CloudTrail Console.
I have removed it.
| describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_2_name']) do | ||
| it { should_not be_log_file_validation_enabled } | ||
| end | ||
| end |
There was a problem hiding this comment.
💯 The fixtures and integration tests are very good here.
Signed-off-by: Rony Xavier <rx294@nyu.edu>
|
Thank you @clintoncwolfe i have made the updates. |
|
I'm happy with the code, and unit tests pass cleanly. However, the integration tests fail for me, with an IAM Role error: Offhand, that looks like this now-fixed terraform-aws bug, but that had a workaround of re-running terraform, which doesn't work here; that makes me think the policy is actually bad, rather than being a timing issue. I'll continue making my "rounds"; and then circle back to this later, if you haven't gotten to it yet. IAM policies are always pretty subtle, and I'm no expert on what CloudTrail needs. |
|
@clintoncwolfe thats weird the integration tests are working fine on my side. I just had @samcornwell try the same and its working for him too. |
| "logs:CreateLogStream" | ||
| ], | ||
| "Resource": [ | ||
| "arn:aws:logs:us-east-1:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*" |
There was a problem hiding this comment.
Here's the location triggering the IAM role permission issue - the us-east-1 here needs to be parameterized, that is, replaced with ${data.aws_region.region.name}.
I test in us-east-2, and this grants permission to work in us-east-1; thus the conflict.
| "logs:PutLogEvents" | ||
| ], | ||
| "Resource": [ | ||
| "arn:aws:logs:us-east-1:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*" |
There was a problem hiding this comment.
Same issue here, parameterize the region.
|
Ok, I found where it was happening - a hardcoded region in the policy. The integration tests pass once that's in place. Once you make the change, we'll get it merged! |
Signed-off-by: Rony Xavier <rx294@nyu.edu>
|
Ah! my bad...I have made the corrections...thanks again @clintoncwolfe. |
|
Thanks for this excellent contribution! |
Signed-off-by: Rony Xavier <rx294@nyu.edu>
Fixes #146