Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support providing a cloudtrail from a different account #136

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: support providing a cloudtrail from a different account #136

wants to merge 4 commits into from

Conversation

piotrb
Copy link

@piotrb piotrb commented Jul 10, 2023

This is a tiny tweak which allows passing in the arn of the cloudtrail in a different account, and it will allow that cloudtrail to publish into the sns topic.

Summary

We have a particular use case:

  • we use Datadog
  • we have the cloudtrail set up in the org management account
  • but its logging to a S3 bucket in a separate security account as per AWS WAR guidelines.
  • We can't use the S3 notification option because Datadog is using that avenue, so we wanted to use the SNS option on the cloudtrail itself.

We've been working with Clayton Sopel on your side to come up with a solution to make this work and it proved to be a very small change to the SNS topic policy, but given how this module is created, it didn't give us a nice way to slip this tweak in.

How did you test this change?

Switched the module reference in our environment to this fork and it worked.

@dmurray-lacework
Copy link
Collaborator

dmurray-lacework commented Jul 20, 2023
edited
Loading

Make it so!

(this comment triggers tests)

dmurray-lacework
dmurray-lacework approved these changes Jul 20, 2023
View reviewed changes
Copy link
Collaborator

@dmurray-lacework dmurray-lacework left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved this change. But before we merge can you add an example of the scenario to examples/ folder and run the docs tool to update the Readme
https://terraform-docs.io/
terraform-docs markdown .

@piotrb
Copy link
Author

piotrb commented Aug 23, 2023

I added examples .. the diff on the module doc is quite large .. feels like its not been run in a little while .. so I added just the one line of diff adding the new variable :)

You may want to include a .terraform-docs.yml and support in-place updating of the docs (instead of asking people to paste the new docs from the command output :) )

@piotrb
Copy link
Author

piotrb commented Aug 23, 2023

Ok fine .. see last commit .. I added a running script, the terraform-docs config, and the fully updated readme :)

afiune
afiune reviewed Sep 26, 2023
View reviewed changes
...consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/security-account.tf Outdated
Comment on lines 23 to 24
source = "lacework/cloudtrail/aws"
version = "~> 2.8"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
source = "lacework/cloudtrail/aws"
version = "~> 2.8"
source = "../../"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We refer to the module locally instead of the registry ☝🏽

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@afiune
Copy link
Contributor

afiune commented Sep 26, 2023

Make it so 🎉

@afiune afiune changed the title Support for scenario where module is installed into a different account than the cloudtrail itself. SNS option. feat: support providing a cloudtrail from a different account Sep 26, 2023
@afiune afiune mentioned this pull request Sep 26, 2023
Open
afiune
afiune reviewed Sep 26, 2023
View reviewed changes
scripts/terraform-docs.sh Outdated
@@ -0,0 +1,14 @@

if which terraform-docs >/dev/null; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice addition! I am going to ask my team to deploy this script in all our Terraform modules and also, add a new Makefile directive to run it.

afiune
afiune suggested changes Sep 26, 2023
View reviewed changes
Copy link
Contributor

@afiune afiune left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please, look at this feedback and apply the diff in your PR, then we will merge and release!

#147

Note that I had to rebase from main since we had some CI changes, that is probably why PR passes CI. 🍏

@afiune
Copy link
Contributor

afiune commented Oct 11, 2023

@piotrb Your work inspired us to adopt it in all our Terraform Modules! 🎉 Thank you.

We really don't want to let this PR fall behind, any chance you can take some time to
update it so we can merge and release it?

piotrb added 4 commits May 3, 2024 13:54
@piotrb
Support for scenario where module is installed into a different accou…
dc00db4 
…nt than the cloudtrail itself. SNS option.

This is a tiny tweak which allows passing in the arn of the cloudtrail in a different account, and it will allow that cloudtrail to publish into the sns topic.
@piotrb
Added examples
dd6135d
@piotrb
Adding the new doc for the one new input
8e88283
@piotrb
Fix example to use local relative path
1823101
@piotrb
Copy link
Author

piotrb commented May 3, 2024

Alright, I rebased again :) .. applied the one tweak to the example. Was there anything else?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@afiune afiune afiune requested changes

@dmurray-lacework dmurray-lacework dmurray-lacework approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@piotrb @dmurray-lacework @afiune