Merge pull request #17203 from StephenKing/f-aws_cloudtrail-exclude_m…

…anagement_event_sources r/cloudtrail: Exclude Management Event Sources
hashicorp · Nov 23, 2021 · baa990e · baa990e
2 parents a098d25 + 6836793
commit baa990e
Show file tree

Hide file tree

Showing 4 changed files with 132 additions and 6 deletions.
diff --git a/.changelog/17203.txt b/.changelog/17203.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_cloudtrail: Add `exclude_management_event_sources` argument
+```
diff --git a/internal/service/cloudtrail/cloudtrail.go b/internal/service/cloudtrail/cloudtrail.go
@@ -159,6 +159,11 @@ func ResourceCloudTrail() *schema.Resource {
 								},
 							},
 						},
+						"exclude_management_event_sources": {
+							Type:     schema.TypeSet,
+							Optional: true,
+							Elem:     &schema.Schema{Type: schema.TypeString},
+						},
 						"include_management_events": {
 							Type:     schema.TypeBool,
 							Optional: true,
@@ -639,6 +644,11 @@ func expandEventSelector(configured []interface{}) []*cloudtrail.EventSelector {
 			ReadWriteType:           aws.String(data["read_write_type"].(string)),
 			DataResources:           dataResources,
 		}
+
+		if v, ok := data["exclude_management_event_sources"].(*schema.Set); ok && v.Len() > 0 {
+			es.ExcludeManagementEventSources = flex.ExpandStringSet(v)
+		}
+
 		eventSelectors = append(eventSelectors, es)
 	}
 
@@ -672,13 +682,14 @@ func flattenEventSelector(configured []*cloudtrail.EventSelector) []map[string]i
 	eventSelectors := make([]map[string]interface{}, 0, len(configured))
 
 	// Prevent default configurations shows differences
-	if len(configured) == 1 && len(configured[0].DataResources) == 0 && aws.StringValue(configured[0].ReadWriteType) == "All" {
+	if len(configured) == 1 && len(configured[0].DataResources) == 0 && aws.StringValue(configured[0].ReadWriteType) == "All" && len(configured[0].ExcludeManagementEventSources) == 0 {
 		return eventSelectors
 	}
 
 	for _, raw := range configured {
 		item := make(map[string]interface{})
 		item["read_write_type"] = aws.StringValue(raw.ReadWriteType)
+		item["exclude_management_event_sources"] = flex.FlattenStringSet(raw.ExcludeManagementEventSources)
 		item["include_management_events"] = aws.BoolValue(raw.IncludeManagementEvents)
 		item["data_resource"] = flattenEventSelectorDataResource(raw.DataResources)
 

diff --git a/internal/service/cloudtrail/cloudtrail_test.go b/internal/service/cloudtrail/cloudtrail_test.go
@@ -29,6 +29,7 @@ func TestAccCloudTrail_serial(t *testing.T) {
 			"tags":                  testAcc_tags,
 			"eventSelector":         testAcc_eventSelector,
 			"eventSelectorDynamoDB": testAcc_eventSelectorDynamoDB,
+			"eventSelectorExclude":  testAcc_eventSelectorExclude,
 			"insightSelector":       testAcc_insightSelector,
 			"advancedEventSelector": testAcc_advanced_event_selector,
 		},
@@ -83,6 +84,11 @@ func testAcc_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "kms_key_id", ""),
 				),
 			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -119,6 +125,11 @@ func testAcc_cloudWatch(t *testing.T) {
 					resource.TestCheckResourceAttrSet(resourceName, "cloud_watch_logs_role_arn"),
 				),
 			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -135,7 +146,7 @@ func testAcc_enableLogging(t *testing.T) {
 		CheckDestroy: testAccCheckDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccConfig(rName),
+				Config: testAccEnableLoggingConfig(rName, true),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckCloudTrailExists(resourceName, &trail),
 					// AWS will create the trail with logging turned off.
@@ -151,14 +162,19 @@ func testAcc_enableLogging(t *testing.T) {
 				ImportStateVerify: true,
 			},
 			{
-				Config: testAccModifiedConfig(rName),
+				Config: testAccEnableLoggingConfig(rName, false),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckCloudTrailExists(resourceName, &trail),
 					testAccCheckCloudTrailLoggingEnabled(resourceName, false),
 					testAccCheckCloudTrailLogValidationEnabled(resourceName, false, &trail),
 					resource.TestCheckResourceAttr(resourceName, "kms_key_id", ""),
 				),
 			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 			{
 				Config: testAccConfig(rName),
 				Check: resource.ComposeTestCheckFunc(
@@ -434,6 +450,7 @@ func testAcc_eventSelector(t *testing.T) {
 					acctest.CheckResourceAttrGlobalARNNoAccount(resourceName, "event_selector.0.data_resource.0.values.1", "s3", fmt.Sprintf("%s-2/ko", rName)),
 					resource.TestCheckResourceAttr(resourceName, "event_selector.0.include_management_events", "false"),
 					resource.TestCheckResourceAttr(resourceName, "event_selector.0.read_write_type", "ReadOnly"),
+					resource.TestCheckResourceAttr(resourceName, "event_selector.0.exclude_management_event_sources.#", "0"),
 				),
 			},
 			{
@@ -468,6 +485,7 @@ func testAcc_eventSelector(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "event_selector.1.data_resource.1.type", "AWS::Lambda::Function"),
 					resource.TestCheckResourceAttr(resourceName, "event_selector.1.data_resource.1.values.#", "1"),
 					acctest.CheckResourceAttrRegionalARN(resourceName, "event_selector.1.data_resource.1.values.0", "lambda", fmt.Sprintf("function:%s", rName)),
+					resource.TestCheckResourceAttr(resourceName, "event_selector.0.exclude_management_event_sources.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "event_selector.1.include_management_events", "false"),
 					resource.TestCheckResourceAttr(resourceName, "event_selector.1.read_write_type", "All"),
 				),
@@ -508,6 +526,55 @@ func testAcc_eventSelectorDynamoDB(t *testing.T) {
 	})
 }
 
+func testAcc_eventSelectorExclude(t *testing.T) {
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_cloudtrail.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acctest.PreCheck(t) },
+		ErrorCheck:   acctest.ErrorCheck(t, cloudtrail.EndpointsID),
+		Providers:    acctest.Providers,
+		CheckDestroy: testAccCheckDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEventSelectorExcludeKMSConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "event_selector.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "event_selector.0.include_management_events", "true"),
+					resource.TestCheckResourceAttr(resourceName, "event_selector.0.exclude_management_event_sources.#", "1"),
+					resource.TestCheckTypeSetElemAttr(resourceName, "event_selector.0.exclude_management_event_sources.*", "kms.amazonaws.com"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccEventSelectorExcludeKMSAndRDSDataConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "event_selector.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "event_selector.0.include_management_events", "true"),
+					resource.TestCheckResourceAttr(resourceName, "event_selector.0.exclude_management_event_sources.#", "2"),
+					resource.TestCheckTypeSetElemAttr(resourceName, "event_selector.0.exclude_management_event_sources.*", "kms.amazonaws.com"),
+					resource.TestCheckTypeSetElemAttr(resourceName, "event_selector.0.exclude_management_event_sources.*", "rdsdata.amazonaws.com"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccEventSelectorNoneConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "event_selector.#", "0"),
+				),
+			},
+		},
+	})
+}
+
 func testAcc_insightSelector(t *testing.T) {
 	resourceName := "aws_cloudtrail.test"
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
@@ -807,11 +874,22 @@ resource "aws_cloudtrail" "test" {
   s3_bucket_name                = aws_s3_bucket.test.id
   s3_key_prefix                 = "prefix"
   include_global_service_events = false
-  enable_logging                = false
 }
 `, rName))
 }
 
+func testAccEnableLoggingConfig(rName string, enableLogging bool) string {
+	return acctest.ConfigCompose(testAccBaseConfig(rName), fmt.Sprintf(`
+resource "aws_cloudtrail" "test" {
+  name                          = %[1]q
+  s3_bucket_name                = aws_s3_bucket.test.id
+  s3_key_prefix                 = "prefix"
+  include_global_service_events = false
+  enable_logging                = %[2]t
+}
+`, rName, enableLogging))
+}
+
 func testAccCloudWatchConfig(rName string) string {
 	return acctest.ConfigCompose(testAccBaseConfig(rName), fmt.Sprintf(`
 resource "aws_cloudtrail" "test" {
@@ -1210,6 +1288,39 @@ resource "aws_dynamodb_table" "test" {
 `, rName))
 }
 
+func testAccEventSelectorExcludeKMSConfig(rName string) string {
+	return acctest.ConfigCompose(
+		testAccBaseConfig(rName),
+		fmt.Sprintf(`
+resource "aws_cloudtrail" "test" {
+  name           = %[1]q
+  s3_bucket_name = aws_s3_bucket.test.id
+
+  event_selector {
+    exclude_management_event_sources = ["kms.${data.aws_partition.current.dns_suffix}"]
+  }
+}
+`, rName))
+}
+
+func testAccEventSelectorExcludeKMSAndRDSDataConfig(rName string) string {
+	return acctest.ConfigCompose(
+		testAccBaseConfig(rName),
+		fmt.Sprintf(`
+resource "aws_cloudtrail" "test" {
+  name           = %[1]q
+  s3_bucket_name = aws_s3_bucket.test.id
+
+  event_selector {
+    exclude_management_event_sources = [
+      "kms.${data.aws_partition.current.dns_suffix}",
+      "rdsdata.${data.aws_partition.current.dns_suffix}"
+    ]
+  }
+}
+`, rName))
+}
+
 func testAccInsightSelectorConfig(rName string) string {
 	return acctest.ConfigCompose(testAccBaseConfig(rName), fmt.Sprintf(`
 resource "aws_cloudtrail" "test" {

diff --git a/website/docs/r/cloudtrail.html.markdown b/website/docs/r/cloudtrail.html.markdown
@@ -318,7 +318,8 @@ The following arguments are optional:
 This configuration block supports the following attributes:
 
 * `data_resource` - (Optional) Configuration block for data events. See details below.
-* `include_management_events` - (Optional) Whether to include management events for your trail.
+* `exclude_management_event_sources` (Optional) -  A set of event sources to exclude. Valid values include: `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `include_management_events` must be set to`true` to allow this.
+* `include_management_events` - (Optional) Whether to include management events for your trail. Defaults to `true`.
 * `read_write_type` - (Optional) Type of events to log. Valid values are `ReadOnly`, `WriteOnly`, `All`. Default value is `All`.
 
 #### data_resource
@@ -367,4 +368,4 @@ Cloudtrails can be imported using the `name`, e.g.,
 
 ```
 $ terraform import aws_cloudtrail.sample my-sample-trail
-```
+```