Use trail arn instead of name to get organization trails from a delegated account

[sbldevnet]

Description

• Getting the list of existing CloudTrail organization trails from a delegated account only works using the arn. This change will use trail arn instead of name as ID during creation to avoid that.

• Updating docs basic example adding the recommended AWS S3 policy condition to avoid confused deputy issue.

• Updating docs basic example adding depends_on to avoid race condition.

Relations

Closes #15553
Closes #27945
Closes #28440
Closes #30387

References

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

Output from Acceptance Testing

$ make testacc TESTS=TestAccCloudTrail_ PKG=cloudtrail
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/cloudtrail/... -v -count 1 -parallel 20 -run='TestAccCloudTrail_'  -timeout 180m
=== RUN   TestAccCloudTrail_serial
=== PAUSE TestAccCloudTrail_serial
=== CONT  TestAccCloudTrail_serial
=== RUN   TestAccCloudTrail_serial/Trail
=== RUN   TestAccCloudTrail_serial/Trail/organization
    acctest.go:883: skipping tests; this AWS account must not be an existing member of an AWS Organization
=== RUN   TestAccCloudTrail_serial/Trail/eventSelectorDynamoDB
=== RUN   TestAccCloudTrail_serial/Trail/eventSelectorExclude
=== RUN   TestAccCloudTrail_serial/Trail/insightSelector
=== RUN   TestAccCloudTrail_serial/Trail/advancedEventSelector
=== RUN   TestAccCloudTrail_serial/Trail/disappears
=== RUN   TestAccCloudTrail_serial/Trail/multiRegion
=== RUN   TestAccCloudTrail_serial/Trail/logValidation
=== RUN   TestAccCloudTrail_serial/Trail/eventSelector
=== RUN   TestAccCloudTrail_serial/Trail/cloudwatch
=== RUN   TestAccCloudTrail_serial/Trail/kmsKey
=== RUN   TestAccCloudTrail_serial/Trail/tags
=== RUN   TestAccCloudTrail_serial/Trail/basic
=== RUN   TestAccCloudTrail_serial/Trail/enableLogging
=== RUN   TestAccCloudTrail_serial/Trail/globalServiceEvents
--- PASS: TestAccCloudTrail_serial (1353.81s)
    --- PASS: TestAccCloudTrail_serial/Trail (1353.81s)
        --- SKIP: TestAccCloudTrail_serial/Trail/organization (1.73s)
        --- PASS: TestAccCloudTrail_serial/Trail/eventSelectorDynamoDB (47.41s)
        --- PASS: TestAccCloudTrail_serial/Trail/eventSelectorExclude (123.43s)
        --- PASS: TestAccCloudTrail_serial/Trail/insightSelector (150.39s)
        --- PASS: TestAccCloudTrail_serial/Trail/advancedEventSelector (50.84s)
        --- PASS: TestAccCloudTrail_serial/Trail/disappears (45.74s)
        --- PASS: TestAccCloudTrail_serial/Trail/multiRegion (118.79s)
        --- PASS: TestAccCloudTrail_serial/Trail/logValidation (83.23s)
        --- PASS: TestAccCloudTrail_serial/Trail/eventSelector (172.92s)
        --- PASS: TestAccCloudTrail_serial/Trail/cloudwatch (111.31s)
        --- PASS: TestAccCloudTrail_serial/Trail/kmsKey (54.16s)
        --- PASS: TestAccCloudTrail_serial/Trail/tags (117.78s)
        --- PASS: TestAccCloudTrail_serial/Trail/basic (94.77s)
        --- PASS: TestAccCloudTrail_serial/Trail/enableLogging (130.06s)
        --- PASS: TestAccCloudTrail_serial/Trail/globalServiceEvents (51.24s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/cloudtrail	1358.005s
...

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

• Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
• Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

[github-actions]

Welcome @sbldevnet 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTOR guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

[sherifkayad]

Can we get this one merged soon? we are kinda blocked by it 😄

[lostdignity]

Can we get this one merged soon? we are kinda blocked by it 😄

same for us... I've built an workaround with Lambda but I'm longing for this fix.

[ahembree]

Any update on this?

[Dgadavin]

Can someone merge this. This is super usefull thing.

[NaelMachal]

Hello there, is this prioritised? There is currently no other way to deploy an organisation trail from a delegated admin account from terraform which is a very basic aws feature.

[twelsh-aw]

Bump. Share sentiment above that we need this

[angelmaroco]

Please, someone merge it!

[twelsh-aw]

@YakDriver sorry to ping you out of band, but can you please give this one a look. 🙇

A few simple fixes that address some important issues.

[popsicleslayer]

Please merge this 🥺 It's extremely annoying to work with as of now and it just blocks work. You can't create it with the resource and if you create it with the CLI it can't be imported

[schroehe]

Having the same issue. Upvoting for fix/PR

[andredms]

@justinretzolk do we have a timeline for getting this merged in? This is blocking our workflows and its not a change we'd like to revert.

[popsicleslayer]

A month later I would like to ask the same question as @andredms: @justinretzolk is there a timeline for merging this? I have been stuck with this problem since July and am constantly having faith in this being merged.

[rapides]

Bump! Also upvoting for this! ✋🏻

[twelsh-aw]

@ewbankkit It seems like you are mostly maintaining this repo now. Can you give a quick review?

[ewbankkit]

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccCloudTrail_serial/Trail' PKG=cloudtrail
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/cloudtrail/... -v -count 1 -parallel 20  -run=TestAccCloudTrail_serial/Trail -timeout 360m
=== RUN   TestAccCloudTrail_serial
=== PAUSE TestAccCloudTrail_serial
=== CONT  TestAccCloudTrail_serial
=== RUN   TestAccCloudTrail_serial/Trail
=== RUN   TestAccCloudTrail_serial/Trail/kmsKey
=== RUN   TestAccCloudTrail_serial/Trail/tags
=== RUN   TestAccCloudTrail_serial/Trail/eventSelector
=== RUN   TestAccCloudTrail_serial/Trail/eventSelectorExclude
=== RUN   TestAccCloudTrail_serial/Trail/disappears
=== RUN   TestAccCloudTrail_serial/Trail/cloudwatch
=== RUN   TestAccCloudTrail_serial/Trail/globalServiceEvents
=== RUN   TestAccCloudTrail_serial/Trail/organization
    acctest.go:989: this AWS account must be the management account of an AWS Organization
=== RUN   TestAccCloudTrail_serial/Trail/migrateV0
=== RUN   TestAccCloudTrail_serial/Trail/basic
=== RUN   TestAccCloudTrail_serial/Trail/logValidation
=== RUN   TestAccCloudTrail_serial/Trail/enableLogging
    acctest.go:1475: skipping test for aws/us-west-2: Error running apply: exit status 1
        
        Error: stopping CloudTrail Trail (arn:aws:cloudtrail:us-west-2:123456789012:trail/tf-acc-test-1022396321005908609) logging: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/terraform_team1_dev-developer/kewbank@hashicorp.com is not authorized to perform: cloudtrail:StopLogging on resource: arn:aws:cloudtrail:us-west-2:123456789012:trail/tf-acc-test-1022396321005908609 with an explicit deny in a service control policy
                status code: 400, request id: d13ddd18-ea14-424d-8d6f-c23c0e2fcc7d
        
          with aws_cloudtrail.test,
          on terraform_plugin_test.tf line 51, in resource "aws_cloudtrail" "test":
          51: resource "aws_cloudtrail" "test" {
        
=== RUN   TestAccCloudTrail_serial/Trail/insightSelector
=== RUN   TestAccCloudTrail_serial/Trail/multiRegion
=== RUN   TestAccCloudTrail_serial/Trail/eventSelectorDynamoDB
=== RUN   TestAccCloudTrail_serial/Trail/advancedEventSelector
--- PASS: TestAccCloudTrail_serial (1116.89s)
    --- PASS: TestAccCloudTrail_serial/Trail (1116.89s)
        --- PASS: TestAccCloudTrail_serial/Trail/kmsKey (49.37s)
        --- PASS: TestAccCloudTrail_serial/Trail/tags (84.98s)
        --- PASS: TestAccCloudTrail_serial/Trail/eventSelector (123.85s)
        --- PASS: TestAccCloudTrail_serial/Trail/eventSelectorExclude (88.77s)
        --- PASS: TestAccCloudTrail_serial/Trail/disappears (45.66s)
        --- PASS: TestAccCloudTrail_serial/Trail/cloudwatch (84.26s)
        --- PASS: TestAccCloudTrail_serial/Trail/globalServiceEvents (46.91s)
        --- SKIP: TestAccCloudTrail_serial/Trail/organization (0.34s)
        --- PASS: TestAccCloudTrail_serial/Trail/migrateV0 (109.15s)
        --- PASS: TestAccCloudTrail_serial/Trail/basic (72.46s)
        --- PASS: TestAccCloudTrail_serial/Trail/logValidation (67.26s)
        --- SKIP: TestAccCloudTrail_serial/Trail/enableLogging (56.25s)
        --- PASS: TestAccCloudTrail_serial/Trail/insightSelector (106.26s)
        --- PASS: TestAccCloudTrail_serial/Trail/multiRegion (86.43s)
        --- PASS: TestAccCloudTrail_serial/Trail/eventSelectorDynamoDB (47.88s)
        --- PASS: TestAccCloudTrail_serial/Trail/advancedEventSelector (47.05s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/cloudtrail 1122.001s

% make testacc TESTARGS='-run=TestAccCloudTrail_serial/Trail/organization' PKG=cloudtrail
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/cloudtrail/... -v -count 1 -parallel 20  -run=TestAccCloudTrail_serial/Trail/organization -timeout 360m
=== RUN   TestAccCloudTrail_serial
=== PAUSE TestAccCloudTrail_serial
=== CONT  TestAccCloudTrail_serial
=== RUN   TestAccCloudTrail_serial/Trail
=== RUN   TestAccCloudTrail_serial/Trail/organization
--- PASS: TestAccCloudTrail_serial (70.63s)
    --- PASS: TestAccCloudTrail_serial/Trail (70.63s)
        --- PASS: TestAccCloudTrail_serial/Trail/organization (70.63s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/cloudtrail 75.943s

[ewbankkit]

@sbldevnet Thanks for the contribution 🎉 👏.
We went ahead and changed the id to always be the trail ARN which simplified the changes somewhat.

[github-actions]

This functionality has been released in v5.25.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.