updating CloudTrail to add condition for IAM role and SNS topic. This is required in order to make sure terraform can create resources in 'terraform plan'. issue - https://discuss.hashicorp.com/t/for-each-value-depends-on-resource-attributes-that-cannot-be-determined-until-apply/6061

Author: sourabh

aws/cloudtrail/README.md

@@ -35,7 +35,7 @@ This module is used to create AWS and Sumo Logic resource to collect CloudTrail
 | collector\_details | Provide details for the Sumo Logic collector. If not provided, then defaults will be used. | <pre>object({<br>    collector_name = string<br>    description    = string<br>    fields         = map(string)<br>  })</pre> | <pre>{<br>  "collector_name": "SumoLogic CloudTrail Collector <Random ID>",<br>  "description": "This collector is created using Sumo Logic terraform AWS cloudtrail module to collect AWS cloudtrail logs.",<br>  "fields": {}<br>}</pre> | no |
 | create\_collector | Provide "true" if you would like to create the Sumo Logic Collector. | `bool` | n/a | yes |
 | create\_trail | Provide "true" if you would like to create the AWS CloudTrail. If the bucket is created by the module, module by default creates the AWS cloudtrail. | `bool` | n/a | yes |
-| source\_details | Provide details for the Sumo Logic CloudTrail source. If not provided, then defaults will be used. | <pre>object({<br>    source_name     = string<br>    source_category = string<br>    collector_id    = string<br>    description     = string<br>    bucket_details = object({<br>      create_bucket        = bool<br>      bucket_name          = string<br>      path_expression      = string<br>      force_destroy_bucket = bool<br>    })<br>    paused               = bool<br>    scan_interval        = string<br>    sumo_account_id      = number<br>    cutoff_relative_time = string<br>    fields               = map(string)<br>    iam_role_arn         = string<br>    sns_topic_arn        = string<br>  })</pre> | <pre>{<br>  "bucket_details": {<br>    "bucket_name": "cloudtrail-logs-random-id",<br>    "create_bucket": true,<br>    "force_destroy_bucket": true,<br>    "path_expression": "AWSLogs/<ACCOUNT-ID>/CloudTrail/<REGION-NAME>/*"<br>  },<br>  "collector_id": "",<br>  "cutoff_relative_time": "-1d",<br>  "description": "This source is created using Sumo Logic terraform AWS cloudtrail module to collect AWS cloudtrail logs.",<br>  "fields": {},<br>  "iam_role_arn": "",<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "sns_topic_arn": "",<br>  "source_category": "Labs/aws/cloudtrail",<br>  "source_name": "CloudTrail Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
+| source\_details | Provide details for the Sumo Logic CloudTrail source. If not provided, then defaults will be used. | <pre>object({<br>    source_name     = string<br>    source_category = string<br>    collector_id    = string<br>    description     = string<br>    bucket_details = object({<br>      create_bucket        = bool<br>      bucket_name          = string<br>      path_expression      = string<br>      force_destroy_bucket = bool<br>    })<br>    paused               = bool<br>    scan_interval        = string<br>    sumo_account_id      = number<br>    cutoff_relative_time = string<br>    fields               = map(string)<br>    iam_details = object({<br>      create_iam_role = bool<br>      iam_role_arn    = string<br>    })<br>    sns_topic_details = object({<br>      create_sns_topic = bool<br>      sns_topic_arn    = string<br>    })<br>  })</pre> | <pre>{<br>  "bucket_details": {<br>    "bucket_name": "cloudtrail-logs-random-id",<br>    "create_bucket": true,<br>    "force_destroy_bucket": true,<br>    "path_expression": "AWSLogs/<ACCOUNT-ID>/CloudTrail/<REGION-NAME>/*"<br>  },<br>  "collector_id": "",<br>  "cutoff_relative_time": "-1d",<br>  "description": "This source is created using Sumo Logic terraform AWS cloudtrail module to collect AWS cloudtrail logs.",<br>  "fields": {},<br>  "iam_details": {<br>    "create_iam_role": true,<br>    "iam_role_arn": null<br>  },<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "sns_topic_details": {<br>    "create_sns_topic": true,<br>    "sns_topic_arn": null<br>  },<br>  "source_category": "Labs/aws/cloudtrail",<br>  "source_name": "CloudTrail Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
 | sumologic\_organization\_id | Appears on the Account Overview page that displays information about your Sumo Logic organization. Used for IAM Role in Sumo Logic AWS Sources. | `string` | n/a | yes |
 
 ## Outputs

aws/cloudtrail/cloudtrail.tf

@@ -24,7 +24,7 @@ resource "aws_s3_bucket" "s3_bucket" {
 }
 
 resource "aws_sns_topic" "sns_topic" {
-  for_each = toset(local.create_sns_topic ? ["sns_topic"] : [])
+  for_each = toset(var.source_details.sns_topic_details.create_sns_topic ? ["sns_topic"] : [])
 
   name = "SumoLogic-Terraform-CloudTrail-Module-${random_string.aws_random.id}"
   policy = templatefile("${path.module}/templates/sns_topic_policy.tmpl", {
@@ -36,7 +36,7 @@ resource "aws_sns_topic" "sns_topic" {
 }
 
 resource "aws_s3_bucket_notification" "bucket_notification" {
-  for_each = toset(local.create_sns_topic && var.source_details.bucket_details.create_bucket ? ["bucket_notification"] : [])
+  for_each = toset(var.source_details.sns_topic_details.create_sns_topic && var.source_details.bucket_details.create_bucket ? ["bucket_notification"] : [])
 
   bucket = aws_s3_bucket.s3_bucket["s3_bucket"].id
 
@@ -57,7 +57,7 @@ resource "aws_cloudtrail" "cloudtrail" {
 }
 
 resource "aws_iam_role" "source_iam_role" {
-  for_each = toset(local.create_iam_role ? ["source_iam_role"] : [])
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["source_iam_role"] : [])
 
   name = "SumoLogic-Terraform-CloudTrail-Module-${random_string.aws_random.id}"
   path = "/"
@@ -72,7 +72,7 @@ resource "aws_iam_role" "source_iam_role" {
 }
 
 resource "aws_iam_policy" "iam_policy" {
-  for_each = toset(local.create_iam_role ? ["iam_policy"] : [])
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["iam_policy"] : [])
 
   name = "SumoLogicCloudTrailSource-${random_string.aws_random.id}"
   policy = templatefile("${path.module}/templates/sumologic_source_policy.tmpl", {
@@ -111,7 +111,7 @@ resource "sumologic_cloudtrail_source" "source" {
   scan_interval        = var.source_details.scan_interval
   authentication {
     type     = "AWSRoleBasedAuthentication"
-    role_arn = local.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_role_arn
+    role_arn = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_details.iam_role_arn
   }
 
   path {
@@ -139,5 +139,5 @@ resource "aws_sns_topic_subscription" "subscription" {
   endpoint               = sumologic_cloudtrail_source.source.url
   endpoint_auto_confirms = true
   protocol               = "https"
-  topic_arn              = local.create_sns_topic ? aws_sns_topic.sns_topic["sns_topic"].arn : var.source_details.sns_topic_arn
+  topic_arn              = var.source_details.sns_topic_details.create_sns_topic ? aws_sns_topic.sns_topic["sns_topic"].arn : var.source_details.sns_topic_details.sns_topic_arn
 }

aws/cloudtrail/locals.tf

@@ -13,12 +13,6 @@ locals {
   # Get the default bucket name when no bucket is provided and create_bucket is true.
   bucket_name = var.source_details.bucket_details.create_bucket && var.source_details.bucket_details.bucket_name == "cloudtrail-logs-random-id" ? "cloudtrail-logs-${random_string.aws_random.id}" : var.source_details.bucket_details.bucket_name
 
-  # Create IAM role condition if no IAM ROLE ARN is provided.
-  create_iam_role = var.source_details.iam_role_arn != "" ? false : true
-
-  # Create SNS topic condition if no SNS topic arn is provided.
-  create_sns_topic = var.source_details.sns_topic_arn != "" ? false : true
-
   # Trail should be created when we create the bucket. If we do not create the bucket, user should have capability to create and not create trail.
   create_trail = var.source_details.bucket_details.create_bucket ? true : var.create_trail
 

aws/cloudtrail/outputs.tf

@@ -9,12 +9,12 @@ output "aws_s3_bucket" {
 }
 
 output "aws_sns_topic" {
-  value       = local.create_sns_topic ? aws_sns_topic.sns_topic : {}
+  value       = var.source_details.sns_topic_details.create_sns_topic ? aws_sns_topic.sns_topic : {}
   description = "AWS SNS topic attached to the AWS S3 bucket."
 }
 
 output "aws_s3_bucket_notification" {
-  value       = local.create_sns_topic && var.source_details.bucket_details.create_bucket ? aws_s3_bucket_notification.bucket_notification : {}
+  value       = var.source_details.sns_topic_details.create_sns_topic && var.source_details.bucket_details.create_bucket ? aws_s3_bucket_notification.bucket_notification : {}
   description = "AWS S3 Bucket Notification attached to the AWS S3 Bucket"
 }
 
@@ -24,7 +24,7 @@ output "aws_cloudtrail" {
 }
 
 output "aws_iam_role" {
-  value       = local.create_iam_role ? aws_iam_role.source_iam_role : {}
+  value       = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role : {}
   description = "AWS IAM role with permission to allow Sumo Logic to read logs from S3 Bucket."
 }
 

aws/cloudtrail/variables.tf

@@ -34,8 +34,14 @@ variable "source_details" {
     sumo_account_id      = number
     cutoff_relative_time = string
     fields               = map(string)
-    iam_role_arn         = string
-    sns_topic_arn        = string
+    iam_details = object({
+      create_iam_role = bool
+      iam_role_arn    = string
+    })
+    sns_topic_details = object({
+      create_sns_topic = bool
+      sns_topic_arn    = string
+    })
   })
   description = "Provide details for the Sumo Logic CloudTrail source. If not provided, then defaults will be used."
   default = {
@@ -54,8 +60,14 @@ variable "source_details" {
     sumo_account_id      = 926226587429
     cutoff_relative_time = "-1d"
     fields               = {}
-    iam_role_arn         = ""
-    sns_topic_arn        = ""
+    iam_details = {
+      create_iam_role = true
+      iam_role_arn    = null
+    }
+    sns_topic_details = {
+      create_sns_topic = true
+      sns_topic_arn    = null
+    }
   }
   validation {
     condition     = can(regex("[a-z0-9-.]{3,63}$", var.source_details.bucket_details.bucket_name))

terratest/aws/cloudtrail/cloudtrail_test.go

@@ -110,8 +110,14 @@ func TestWithExistingBucketTrailNewCollectorSNSIAM(t *testing.T) {
 			},
 			"sumo_account_id": "926226587429",
 			"collector_id":    "",
-			"iam_role_arn":    "",
-			"sns_topic_arn":   "",
+			"iam_details": map[string]interface{}{
+				"create_iam_role": true,
+				"iam_role_arn":    nil,
+			},
+			"sns_topic_details": map[string]interface{}{
+				"create_sns_topic": true,
+				"sns_topic_arn":    nil,
+			},
 		},
 	}
 
@@ -173,8 +179,14 @@ func TestWithExistingBucketTrailCollectorSNSIAM(t *testing.T) {
 			},
 			"sumo_account_id": "926226587429",
 			"collector_id":    COLLECTOR_ID,
-			"iam_role_arn":    IAM_ROLE,
-			"sns_topic_arn":   SNS_TOPIC,
+			"iam_details": map[string]interface{}{
+				"create_iam_role": false,
+				"iam_role_arn":    IAM_ROLE,
+			},
+			"sns_topic_details": map[string]interface{}{
+				"create_sns_topic": false,
+				"sns_topic_arn":    SNS_TOPIC,
+			},
 		},
 	}
 
@@ -241,8 +253,14 @@ func TestWithExistingTrailNewBucketCollectorSNSIAM(t *testing.T) {
 			},
 			"sumo_account_id": "926226587429",
 			"collector_id":    "",
-			"iam_role_arn":    "",
-			"sns_topic_arn":   "",
+			"iam_details": map[string]interface{}{
+				"create_iam_role": true,
+				"iam_role_arn":    nil,
+			},
+			"sns_topic_details": map[string]interface{}{
+				"create_sns_topic": true,
+				"sns_topic_arn":    nil,
+			},
 		},
 	}
 
@@ -347,8 +365,14 @@ func TestUpdates(t *testing.T) {
 			"fields":               map[string]interface{}{},
 			"sumo_account_id":      "926226587429",
 			"collector_id":         "",
-			"iam_role_arn":         IAM_ROLE,
-			"sns_topic_arn":        "",
+			"iam_details": map[string]interface{}{
+				"create_iam_role": false,
+				"iam_role_arn":    IAM_ROLE,
+			},
+			"sns_topic_details": map[string]interface{}{
+				"create_sns_topic": true,
+				"sns_topic_arn":    nil,
+			},
 		},
 	}
 
@@ -390,8 +414,14 @@ func TestUpdates(t *testing.T) {
 			},
 			"sumo_account_id": "926226587429",
 			"collector_id":    "",
-			"iam_role_arn":    IAM_ROLE,
-			"sns_topic_arn":   "",
+			"iam_details": map[string]interface{}{
+				"create_iam_role": false,
+				"iam_role_arn":    IAM_ROLE,
+			},
+			"sns_topic_details": map[string]interface{}{
+				"create_sns_topic": true,
+				"sns_topic_arn":    nil,
+			},
 		},
 	}