PR #350 - CloudTrail support - misc fixes

CHANGES.rst

@@ -6,6 +6,8 @@ Unreleased Changes
 
 This release **requires new IAM permissions**:
 
+* ``cloudtrail:DescribeTrails``
+* ``cloudtrail:GetEventSelectors``
 * ``route53:GetHostedZone``
 * ``route53:ListHostedZones``
 * ``route53:GetHostedZoneLimit``
@@ -16,6 +18,7 @@ This release **officially drops support for Python 2.6 and 3.3.**
 * Support Per-Resource Limits (see below). **Note that this includes some changes to the ``awslimitchecker`` CLI output format and some minor API changes.**
 * `Issue #317 <https://github.com/jantman/awslimitchecker/issues/317>`_ - Officially drop support for Python 2.6 and 3.3. Also, begin testing py37.
 * `Issue #346 <https://github.com/jantman/awslimitchecker/issues/346>`_ - Update documentation for S3 API calls made by ElasticBeanstalk while retrieving EB limits (thanks to `fenichelar <https://github.com/fenichelar>`_ for finding this).
+* `PR #350 <https://github.com/jantman/awslimitchecker/pull/350>`_ - Add support for CloudTrail limits (thanks to `fpiche <https://github.com/fpiche>`_).
 
 Per-Resource Limits
 +++++++++++++++++++

awslimitchecker/services/__init__.py

@@ -41,6 +41,7 @@
 from awslimitchecker.services.apigateway import _ApigatewayService
 from awslimitchecker.services.autoscaling import _AutoscalingService
 from awslimitchecker.services.cloudformation import _CloudformationService
+from awslimitchecker.services.cloudtrail import _CloudTrailService
 from awslimitchecker.services.directoryservice import _DirectoryserviceService
 from awslimitchecker.services.dynamodb import _DynamodbService
 from awslimitchecker.services.ebs import _EbsService

awslimitchecker/services/cloudtrail.py

@@ -1,3 +1,43 @@
+"""
+awslimitchecker/services/cloudtrail.py
+
+The latest version of this package is available at:
+<https://github.com/jantman/awslimitchecker>
+
+################################################################################
+Copyright 2015-2018 Jason Antman <jason@jasonantman.com>
+
+    This file is part of awslimitchecker, also known as awslimitchecker.
+
+    awslimitchecker is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    awslimitchecker is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with awslimitchecker.  If not, see <http://www.gnu.org/licenses/>.
+
+The Copyright and Authors attributions contained herein may not be removed or
+otherwise altered, except to add the Author attribution of a contributor to
+this work. (Additional Terms pursuant to Section 7b of the AGPL v3)
+################################################################################
+While not legally required, I sincerely request that anyone who finds
+bugs please submit them at <https://github.com/jantman/awslimitchecker> or
+to me via email, and that you send any contributions or improvements
+either as a pull request on GitHub, or to me via email.
+################################################################################
+
+AUTHORS:
+Jason Antman <jason@jasonantman.com> <http://www.jasonantman.com>
+################################################################################
+"""
+
+import abc  # noqa
 import logging
 
 from .base import _AwsService
@@ -7,6 +47,7 @@
 
 
 class _CloudTrailService(_AwsService):
+
     service_name = 'CloudTrail'
     api_name = 'cloudtrail'
     aws_type = 'AWS::CloudTrail::Trail'
@@ -40,18 +81,20 @@ def _find_usage_cloudtrail(self):
             event_selectors = response['EventSelectors']
 
             for event_selector in event_selectors:
-                data_resources = event_selector['DataResources']
-                data_resource_count += len(event_selector['DataResources']) \
-                    if data_resources else 0
+                data_resource_count += len(
+                    event_selector.get('DataResources', [])
+                )
 
             self.limits['Event Selectors Per Trail']._add_current_usage(
                 len(event_selectors),
-                aws_type=self.aws_type
+                aws_type='AWS::CloudTrail::EventSelector',
+                resource_id=trail['Name']
             )
 
             self.limits['Data Resources Per Trail']._add_current_usage(
                 data_resource_count,
-                aws_type=self.aws_type
+                aws_type='AWS::CloudTrail::DataResource',
+                resource_id=trail['Name']
             )
 
         self.limits['Trails Per Region']._add_current_usage(
@@ -90,7 +133,8 @@ def get_limits(self):
             5,
             self.warning_threshold,
             self.critical_threshold,
-            limit_type=self.aws_type
+            limit_type=self.aws_type,
+            limit_subtype='AWS::CloudTrail::EventSelector'
         )
 
         limits['Data Resources Per Trail'] = AwsLimit(
@@ -99,7 +143,8 @@ def get_limits(self):
             250,
             self.warning_threshold,
             self.critical_threshold,
-            limit_type=self.aws_type
+            limit_type=self.aws_type,
+            limit_subtype='AWS::CloudTrail::DataResource'
         )
 
         self.limits = limits
@@ -116,5 +161,5 @@ def required_iam_permissions(self):
         """
         return [
             "cloudtrail:DescribeTrails",
-            "cloudtrail:GetTrailStatus",
+            "cloudtrail:GetEventSelectors",
         ]

awslimitchecker/tests/services/result_fixtures.py

@@ -3436,7 +3436,7 @@ class CloudTrail(object):
                     'CloudWatchLogsLogGroupArn': 'string',
                     'CloudWatchLogsRoleArn': 'string',
                     'KmsKeyId': 'string',
-                    'HasCustomEventSelectors': True | False
+                    'HasCustomEventSelectors': False
                 },
                 {
                     'Name': 'trail2',
@@ -3500,5 +3500,14 @@ class CloudTrail(object):
                         }
                     ]
                 },
+                {
+                    'ReadWriteType': 'ReadOnly',
+                    'IncludeManagementEvents': True,
+                    'DataResources': []
+                },
+                {
+                    'ReadWriteType': 'ReadOnly',
+                    'IncludeManagementEvents': True
+                }
             ]
     }

awslimitchecker/tests/services/test_cloudtrail.py

@@ -1,3 +1,42 @@
+"""
+awslimitchecker/services/cloudtrail.py
+
+The latest version of this package is available at:
+<https://github.com/jantman/awslimitchecker>
+
+################################################################################
+Copyright 2015-2018 Jason Antman <jason@jasonantman.com>
+
+    This file is part of awslimitchecker, also known as awslimitchecker.
+
+    awslimitchecker is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    awslimitchecker is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with awslimitchecker.  If not, see <http://www.gnu.org/licenses/>.
+
+The Copyright and Authors attributions contained herein may not be removed or
+otherwise altered, except to add the Author attribution of a contributor to
+this work. (Additional Terms pursuant to Section 7b of the AGPL v3)
+################################################################################
+While not legally required, I sincerely request that anyone who finds
+bugs please submit them at <https://github.com/jantman/awslimitchecker> or
+to me via email, and that you send any contributions or improvements
+either as a pull request on GitHub, or to me via email.
+################################################################################
+
+AUTHORS:
+Jason Antman <jason@jasonantman.com> <http://www.jasonantman.com>
+################################################################################
+"""
+
 import sys
 
 from awslimitchecker.tests.services import result_fixtures
@@ -47,10 +86,14 @@ def test_get_limits(self):
 
         event_selectors_limit = limit_dict['Event Selectors Per Trail']
         assert event_selectors_limit.limit_type == AWS_TYPE
+        assert event_selectors_limit.limit_subtype == \
+            'AWS::CloudTrail::EventSelector'
         assert event_selectors_limit.default_limit == 5
 
         data_resources_limit = limit_dict['Data Resources Per Trail']
         assert data_resources_limit.limit_type == AWS_TYPE
+        assert data_resources_limit.limit_subtype == \
+            'AWS::CloudTrail::DataResource'
         assert data_resources_limit.default_limit == 250
 
     def test_get_limits_again(self):
@@ -65,8 +108,16 @@ def test_find_usage(self):
         mock_trails = Mock()
         mock_trails.describe_trails.return_value = \
             result_fixtures.CloudTrail.mock_describe_trails
-        mock_trails.get_event_selectors.return_value = \
-            result_fixtures.CloudTrail.mock_get_event_selectors
+
+        def se_selectors(*args, **kwargs):
+            if kwargs['TrailName'] == 'trail2':
+                return result_fixtures.CloudTrail.mock_get_event_selectors
+            return {
+                'TrailArn': 'arn:%s' % kwargs['TrailName'],
+                'EventSelectors': []
+            }
+
+        mock_trails.get_event_selectors.side_effect = se_selectors
 
         with patch('%s.connect' % PATCH_BASE,) as mock_connect:
             cls = _CloudTrailService(21, 43)
@@ -83,19 +134,19 @@ def test_find_usage(self):
 
         usage = cls.limits['Event Selectors Per Trail'].get_current_usage()
         assert len(usage) == 3
-        assert usage[0].get_value() == 1
-        assert usage[1].get_value() == 1
-        assert usage[2].get_value() == 1
+        assert usage[0].get_value() == 0
+        assert usage[1].get_value() == 3
+        assert usage[2].get_value() == 0
 
         usage = cls.limits['Data Resources Per Trail'].get_current_usage()
         assert len(usage) == 3
-        assert usage[0].get_value() == 3
+        assert usage[0].get_value() == 0
         assert usage[1].get_value() == 3
-        assert usage[2].get_value() == 3
+        assert usage[2].get_value() == 0
 
     def test_required_iam_permissions(self):
         cls = _CloudTrailService(21, 43)
         assert cls.required_iam_permissions() == [
             "cloudtrail:DescribeTrails",
-            "cloudtrail:GetTrailStatus",
+            "cloudtrail:GetEventSelectors",
         ]