hashicorp · radeksimko · Feb 8, 2016 · Feb 8, 2016 · Feb 8, 2016
diff --git a/builtin/providers/aws/resource_aws_cloudtrail.go b/builtin/providers/aws/resource_aws_cloudtrail.go
@@ -57,6 +57,23 @@ func resourceAwsCloudTrail() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"enable_log_file_validation": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+			"kms_key_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"home_region": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"arn": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -81,6 +98,12 @@ func resourceAwsCloudTrailCreate(d *schema.ResourceData, meta interface{}) error
 	if v, ok := d.GetOk("is_multi_region_trail"); ok {
 		input.IsMultiRegionTrail = aws.Bool(v.(bool))
 	}
+	if v, ok := d.GetOk("enable_log_file_validation"); ok {
+		input.EnableLogFileValidation = aws.Bool(v.(bool))
+	}
+	if v, ok := d.GetOk("kms_key_id"); ok {
+		input.KmsKeyId = aws.String(v.(string))
+	}
 	if v, ok := d.GetOk("s3_key_prefix"); ok {
 		input.S3KeyPrefix = aws.String(v.(string))
 	}
@@ -136,6 +159,15 @@ func resourceAwsCloudTrailRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("include_global_service_events", trail.IncludeGlobalServiceEvents)
 	d.Set("is_multi_region_trail", trail.IsMultiRegionTrail)
 	d.Set("sns_topic_name", trail.SnsTopicName)
+	d.Set("enable_log_file_validation", trail.LogFileValidationEnabled)
+
+	// TODO: Make it possible to use KMS Key names, not just ARNs
+	// In order to test it properly this PR needs to be merged 1st:
+	// https://github.com/hashicorp/terraform/pull/3928
+	d.Set("kms_key_id", trail.KmsKeyId)
+
+	d.Set("arn", trail.TrailARN)
+	d.Set("home_region", trail.HomeRegion)
 
 	logstatus, err := cloudTrailGetLoggingStatus(conn, trail.Name)
 	if err != nil {
@@ -171,6 +203,12 @@ func resourceAwsCloudTrailUpdate(d *schema.ResourceData, meta interface{}) error
 	if d.HasChange("is_multi_region_trail") {
 		input.IsMultiRegionTrail = aws.Bool(d.Get("is_multi_region_trail").(bool))
 	}
+	if d.HasChange("enable_log_file_validation") {
+		input.EnableLogFileValidation = aws.Bool(d.Get("enable_log_file_validation").(bool))
+	}
+	if d.HasChange("kms_key_id") {
+		input.KmsKeyId = aws.String(d.Get("kms_key_id").(string))
+	}
 	if d.HasChange("sns_topic_name") {
 		input.SnsTopicName = aws.String(d.Get("sns_topic_name").(string))
 	}

diff --git a/builtin/providers/aws/resource_aws_cloudtrail_test.go b/builtin/providers/aws/resource_aws_cloudtrail_test.go
@@ -25,6 +25,8 @@ func TestAccAWSCloudTrail_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
 					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "include_global_service_events", "true"),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
 				),
 			},
 			resource.TestStep{
@@ -33,6 +35,8 @@ func TestAccAWSCloudTrail_basic(t *testing.T) {
 					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
 					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "s3_key_prefix", "/prefix"),
 					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "include_global_service_events", "false"),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
 				),
 			},
 		},
@@ -54,20 +58,26 @@ func TestAccAWSCloudTrail_enable_logging(t *testing.T) {
 					// AWS will create the trail with logging turned off.
 					// Test that "enable_logging" default works.
 					testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", true, &trail),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
 				),
 			},
 			resource.TestStep{
 				Config: testAccAWSCloudTrailConfigModified,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
 					testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
 				),
 			},
 			resource.TestStep{
 				Config: testAccAWSCloudTrailConfig,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
 					testAccCheckCloudTrailLoggingEnabled("aws_cloudtrail.foobar", true, &trail),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
 				),
 			},
 		},
@@ -87,20 +97,60 @@ func TestAccAWSCloudTrail_is_multi_region(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
 					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "is_multi_region_trail", "false"),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
 				),
 			},
 			resource.TestStep{
 				Config: testAccAWSCloudTrailConfigMultiRegion,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
 					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "is_multi_region_trail", "true"),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
 				),
 			},
 			resource.TestStep{
 				Config: testAccAWSCloudTrailConfig,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
 					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "is_multi_region_trail", "false"),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSCloudTrail_logValidation(t *testing.T) {
+	var trail cloudtrail.Trail
+
+	// TODO: Add test for KMS Key ID
+	// once https://github.com/hashicorp/terraform/pull/3928 is merged
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSCloudTrailDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSCloudTrailConfig_logValidation,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
+					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "s3_key_prefix", ""),
+					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "include_global_service_events", "true"),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", true, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
+				),
+			},
+			resource.TestStep{
+				Config: testAccAWSCloudTrailConfig_logValidationModified,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCloudTrailExists("aws_cloudtrail.foobar", &trail),
+					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "s3_key_prefix", ""),
+					resource.TestCheckResourceAttr("aws_cloudtrail.foobar", "include_global_service_events", "true"),
+					testAccCheckCloudTrailLogValidationEnabled("aws_cloudtrail.foobar", false, &trail),
+					testAccCheckCloudTrailKmsKeyIdEquals("aws_cloudtrail.foobar", "", &trail),
 				),
 			},
 		},
@@ -155,6 +205,75 @@ func testAccCheckCloudTrailLoggingEnabled(n string, desired bool, trail *cloudtr
 	}
 }
 
+func testAccCheckCloudTrailLogValidationEnabled(n string, desired bool, trail *cloudtrail.Trail) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if trail.LogFileValidationEnabled == nil {
+			return fmt.Errorf("No LogFileValidationEnabled attribute present in trail: %s", trail)
+		}
+
+		if *trail.LogFileValidationEnabled != desired {
+			return fmt.Errorf("Expected log validation status %t, given %t", desired,
+				trail.LogFileValidationEnabled)
+		}
+
+		// local state comparison
+		enabled, ok := rs.Primary.Attributes["enable_log_file_validation"]
+		if !ok {
+			return fmt.Errorf("No enable_log_file_validation attribute defined for %s, expected %t",
+				n, desired)
+		}
+		desiredInString := fmt.Sprintf("%t", desired)
+		if enabled != desiredInString {
+			return fmt.Errorf("Expected log validation status %t, saved %t", desiredInString,
+				enabled)
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckCloudTrailKmsKeyIdEquals(n string, desired string, trail *cloudtrail.Trail) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		if desired != "" && trail.KmsKeyId == nil {
+			return fmt.Errorf("No KmsKeyId attribute present in trail: %s, expected %s",
+				trail, desired)
+		}
+
+		// work around string pointer
+		var kmsKeyIdInString string
+		if trail.KmsKeyId == nil {
+			kmsKeyIdInString = ""
+		} else {
+			kmsKeyIdInString = *trail.KmsKeyId
+		}
+
+		if kmsKeyIdInString != desired {
+			return fmt.Errorf("Expected KMS Key ID %q to equal %q",
+				*trail.KmsKeyId, desired)
+		}
+
+		kmsKeyId, ok := rs.Primary.Attributes["kms_key_id"]
+		if desired != "" && !ok {
+			return fmt.Errorf("No kms_key_id attribute defined for %s", n)
+		}
+		if kmsKeyId != desired {
+			return fmt.Errorf("Expected KMS Key ID %q, saved %q", desired, kmsKeyId)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckAWSCloudTrailDestroy(s *terraform.State) error {
 	conn := testAccProvider.Meta().(*AWSClient).cloudtrailconn
 
@@ -299,3 +418,83 @@ resource "aws_s3_bucket" "foo" {
 POLICY
 }
 `, cloudTrailRandInt, cloudTrailRandInt, cloudTrailRandInt)
+
+var testAccAWSCloudTrailConfig_logValidation = fmt.Sprintf(`
+resource "aws_cloudtrail" "foobar" {
+    name = "tf-acc-trail-log-validation-test"
+    s3_bucket_name = "${aws_s3_bucket.foo.id}"
+    is_multi_region_trail = true
+    include_global_service_events = true
+    enable_log_file_validation = true
+}
+
+resource "aws_s3_bucket" "foo" {
+	bucket = "tf-test-trail-%d"
+	force_destroy = true
+	policy = <<POLICY
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "AWSCloudTrailAclCheck",
+			"Effect": "Allow",
+			"Principal": "*",
+			"Action": "s3:GetBucketAcl",
+			"Resource": "arn:aws:s3:::tf-test-trail-%d"
+		},
+		{
+			"Sid": "AWSCloudTrailWrite",
+			"Effect": "Allow",
+			"Principal": "*",
+			"Action": "s3:PutObject",
+			"Resource": "arn:aws:s3:::tf-test-trail-%d/*",
+			"Condition": {
+				"StringEquals": {
+					"s3:x-amz-acl": "bucket-owner-full-control"
+				}
+			}
+		}
+	]
+}
+POLICY
+}
+`, cloudTrailRandInt, cloudTrailRandInt, cloudTrailRandInt)
+
+var testAccAWSCloudTrailConfig_logValidationModified = fmt.Sprintf(`
+resource "aws_cloudtrail" "foobar" {
+    name = "tf-acc-trail-log-validation-test"
+    s3_bucket_name = "${aws_s3_bucket.foo.id}"
+    include_global_service_events = true
+}
+
+resource "aws_s3_bucket" "foo" {
+	bucket = "tf-test-trail-%d"
+	force_destroy = true
+	policy = <<POLICY
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "AWSCloudTrailAclCheck",
+			"Effect": "Allow",
+			"Principal": "*",
+			"Action": "s3:GetBucketAcl",
+			"Resource": "arn:aws:s3:::tf-test-trail-%d"
+		},
+		{
+			"Sid": "AWSCloudTrailWrite",
+			"Effect": "Allow",
+			"Principal": "*",
+			"Action": "s3:PutObject",
+			"Resource": "arn:aws:s3:::tf-test-trail-%d/*",
+			"Condition": {
+				"StringEquals": {
+					"s3:x-amz-acl": "bucket-owner-full-control"
+				}
+			}
+		}
+	]
+}
+POLICY
+}
+`, cloudTrailRandInt, cloudTrailRandInt, cloudTrailRandInt)
diff --git a/website/source/docs/providers/aws/r/cloudtrail.html.markdown b/website/source/docs/providers/aws/r/cloudtrail.html.markdown
@@ -75,9 +75,14 @@ The following arguments are supported:
     region or in all regions. Defaults to `false`.
 * `sns_topic_name` - (Optional) Specifies the name of the Amazon SNS topic
     defined for notification of log file delivery.
+* `enable_log_file_validation` - (Optional) Specifies whether log file integrity validation is enabled.
+    Defaults to `false`.
+* `kms_key_id` - (Optional) Specifies the KMS key ID to use to encrypt the logs delivered by CloudTrail.
 
 ## Attribute Reference
 
 The following attributes are exported:
 
 * `id` - The name of the trail.
+* `home_region` - The region in which the trail was created.
+* `arn` - The Amazon Resource Name of the trail.