Merge branch 'main' into feat/aws-lambda-python-exclude-parameter-poetry

aws · Jan 13, 2023 · c22f341 · c22f341
2 parents 83d3d5e + 88fc62d
commit c22f341
Show file tree

Hide file tree

Showing 67 changed files with 4,914 additions and 99 deletions.
diff --git a/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts b/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts
@@ -235,6 +235,7 @@ export class Trail extends Resource {
   public readonly logGroup?: logs.ILogGroup;
 
   private s3bucket: s3.IBucket;
+  private managementEvents: ReadWriteType | undefined;
   private eventSelectors: EventSelector[] = [];
   private topic: sns.ITopic | undefined;
   private insightTypeValues: InsightSelector[] | undefined;
@@ -289,20 +290,14 @@ export class Trail extends Resource {
       }));
     }
 
-    if (props.managementEvents) {
-      let managementEvent;
-      if (props.managementEvents === ReadWriteType.NONE) {
-        managementEvent = {
-          includeManagementEvents: false,
-        };
-      } else {
-        managementEvent = {
-          includeManagementEvents: true,
-          readWriteType: props.managementEvents,
-        };
-      }
-      this.eventSelectors.push(managementEvent);
+    this.managementEvents = props.managementEvents;
+    if (this.managementEvents && this.managementEvents !== ReadWriteType.NONE) {
+      this.eventSelectors.push({
+        includeManagementEvents: true,
+        readWriteType: props.managementEvents,
+      });
     }
+    this.node.addValidation({ validate: () => this.validateEventSelectors() });
 
     if (props.kmsKey && props.encryptionKey) {
       throw new Error('Both kmsKey and encryptionKey must not be specified. Use only encryptionKey');
@@ -373,12 +368,17 @@ export class Trail extends Resource {
       throw new Error('A maximum of 5 event selectors are supported per trail.');
     }
 
+    let includeAllManagementEvents;
+    if (this.managementEvents === ReadWriteType.NONE) {
+      includeAllManagementEvents = false;
+    }
+
     this.eventSelectors.push({
       dataResources: [{
         type: dataResourceType,
         values: dataResourceValues,
       }],
-      includeManagementEvents: options.includeManagementEvents,
+      includeManagementEvents: options.includeManagementEvents ?? includeAllManagementEvents,
       excludeManagementEventSources: options.excludeManagementEventSources,
       readWriteType: options.readWriteType,
     });
@@ -403,7 +403,7 @@ export class Trail extends Resource {
   }
 
   /**
-   * Log all Lamda data events for all lambda functions the account.
+   * Log all Lambda data events for all lambda functions the account.
    * @see https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
    * @default false
    */
@@ -451,6 +451,15 @@ export class Trail extends Resource {
   public onCloudTrailEvent(id: string, options: events.OnEventOptions = {}): events.Rule {
     return Trail.onEvent(this, id, options);
   }
+
+  private validateEventSelectors(): string[] {
+    const errors: string[] = [];
+    // Ensure that there is at least one event selector when management events are set to None
+    if (this.managementEvents === ReadWriteType.NONE && this.eventSelectors.length === 0) {
+      errors.push('At least one event selector must be added when management event recording is set to None');
+    }
+    return errors;
+  }
 }
 
 /**

diff --git a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.test.ts b/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.test.ts
@@ -625,19 +625,77 @@ describe('cloudtrail', () => {
         });
       });
 
-      test('managementEvents set to None correctly turns off management events', () => {
+      test('not provided and managementEvents set to None throws missing event selectors error', () => {
         const stack = getTestStack();
 
         new Trail(stack, 'MyAmazingCloudTrail', {
           managementEvents: ReadWriteType.NONE,
         });
 
+        expect(() => {
+          Template.fromStack(stack);
+        }).toThrowError(/At least one event selector must be added when management event recording is set to None/);
+      });
+
+      test('defaults to not include management events when managementEvents set to None', () => {
+        const stack = getTestStack();
+
+        const cloudTrail = new Trail(stack, 'MyAmazingCloudTrail', {
+          managementEvents: ReadWriteType.NONE,
+        });
+
+        const bucket = new s3.Bucket(stack, 'testBucket', { bucketName: 'test-bucket' });
+        cloudTrail.addS3EventSelector([{ bucket }]);
+
         Template.fromStack(stack).hasResourceProperties('AWS::CloudTrail::Trail', {
-          EventSelectors: [
-            {
-              IncludeManagementEvents: false,
-            },
-          ],
+          EventSelectors: [{
+            DataResources: [{
+              Type: 'AWS::S3::Object',
+              Values: [{
+                'Fn::Join': [
+                  '',
+                  [
+                    { 'Fn::GetAtt': ['testBucketDF4D7D1A', 'Arn'] },
+                    '/',
+                  ],
+                ],
+              }],
+            }],
+            IncludeManagementEvents: false,
+          }],
+        });
+      });
+
+      test('includeManagementEvents can be overridden when managementEvents set to None', () => {
+        const stack = getTestStack();
+
+        const cloudTrail = new Trail(stack, 'MyAmazingCloudTrail', {
+          managementEvents: ReadWriteType.NONE,
+        });
+
+        const bucket = new s3.Bucket(stack, 'testBucket', { bucketName: 'test-bucket' });
+        cloudTrail.addS3EventSelector([{ bucket }], {
+          includeManagementEvents: true,
+          readWriteType: ReadWriteType.WRITE_ONLY,
+        });
+
+        Template.fromStack(stack).hasResourceProperties('AWS::CloudTrail::Trail', {
+          EventSelectors: [{
+            DataResources: [{
+              Type: 'AWS::S3::Object',
+              Values: [{
+                'Fn::Join': [
+                  '',
+                  [
+                    { 'Fn::GetAtt': ['testBucketDF4D7D1A', 'Arn'] },
+                    '/',
+                  ],
+                ],
+              }],
+            }],
+            IncludeManagementEvents: true,
+            ReadWriteType: 'WriteOnly',
+          }],
         });
       });
 

diff --git a/...-only.js.snapshot/CloudTrailDataEventsOnlyTestDefaultTestDeployAssertA7E52868.assets.json b/...-only.js.snapshot/CloudTrailDataEventsOnlyTestDefaultTestDeployAssertA7E52868.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "22.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "CloudTrailDataEventsOnlyTestDefaultTestDeployAssertA7E52868.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...nly.js.snapshot/CloudTrailDataEventsOnlyTestDefaultTestDeployAssertA7E52868.template.json b/...nly.js.snapshot/CloudTrailDataEventsOnlyTestDefaultTestDeployAssertA7E52868.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/packages/@aws-cdk/aws-cloudtrail/test/integ.cloudtrail-data-events-only.js.snapshot/cdk.out b/packages/@aws-cdk/aws-cloudtrail/test/integ.cloudtrail-data-events-only.js.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"22.0.0"}
diff --git a/...st/integ.cloudtrail-data-events-only.js.snapshot/integ-cloudtrail-data-events.assets.json b/...st/integ.cloudtrail-data-events-only.js.snapshot/integ-cloudtrail-data-events.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "22.0.0",
+  "files": {
+    "1e43b2272a716f06e79a67fe7810bd64d2c4f198ec606c15bac1ce856e05dbbc": {
+      "source": {
+        "path": "integ-cloudtrail-data-events.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "1e43b2272a716f06e79a67fe7810bd64d2c4f198ec606c15bac1ce856e05dbbc.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}