feat: CloudTrail S3 bucket notifications (#1269)

Author: jon-stewart

cli/cmd/generate_aws.go

@@ -42,6 +42,7 @@ var (
 	QuestionBucketEnableEncryption = "Enable S3 bucket encryption when creating bucket"
 	QuestionBucketSseKeyArn        = "Specify existing KMS encryption key arn for S3 bucket (optional)"
 	QuestionBucketName             = "Specify name when creating S3 bucket (optional)"
+	QuestionS3BucketNotification   = "Enable S3 bucket notifications"
 
 	// SNS Topic Questions
 	QuestionsUseExistingSNSTopic = "Use an existing SNS topic?"
@@ -125,6 +126,7 @@ See help output for more details on the parameter value(s) required for Terrafor
 				aws.WithSqsQueueName(GenerateAwsCommandState.SqsQueueName),
 				aws.WithSqsEncryptionEnabled(GenerateAwsCommandState.SqsEncryptionEnabled),
 				aws.WithSqsEncryptionKeyArn(GenerateAwsCommandState.SqsEncryptionKeyArn),
+				aws.WithS3BucketNotification(GenerateAwsCommandState.S3BucketNotification),
 			}
 
 			if GenerateAwsCommandState.ForceDestroyS3Bucket {
@@ -448,6 +450,11 @@ func initGenerateAwsTfCommandFlags() {
 		"lacework_aws_account_id",
 		"",
 		"the Lacework AWS root account id")
+	generateAwsTfCommand.PersistentFlags().BoolVar(
+		&GenerateAwsCommandState.S3BucketNotification,
+		"use_s3_bucket_notification",
+		false,
+		"enable S3 bucket notifications")
 }
 
 // survey.Validator for aws ARNs
@@ -533,6 +540,12 @@ func promptAwsCtQuestions(config *aws.GenerateAwsTfConfigurationArgs, extraState
 			Opts:     []survey.AskOpt{survey.WithValidator(validateOptionalAwsArnFormat)},
 			Checks:   []*bool{&config.Cloudtrail, &newBucket, &config.BucketEncryptionEnabled},
 		},
+		// Allow the user to enable S3 bucket notifications
+		{
+			Prompt:   &survey.Confirm{Message: QuestionS3BucketNotification, Default: config.S3BucketNotification},
+			Response: &config.S3BucketNotification,
+			Checks:   []*bool{&config.Cloudtrail, &newBucket},
+		},
 	}, config.Cloudtrail); err != nil {
 		return err
 	}

cli/docs/lacework_generate_cloud-account_aws.md

@@ -62,6 +62,7 @@ lacework generate cloud-account aws [flags]
       --sqs_encryption_enabled                enable encryption on SQS queue when creating (default true)
       --sqs_encryption_key_arn string         specify existing KMS encryption key arn for SQS queue
       --sqs_queue_name string                 specify SQS queue name if creating new one
+      --use_s3_bucket_notification            enable S3 bucket notifications
 ```
 
 ### Options inherited from parent commands

integration/aws_generation_test.go

@@ -221,6 +221,7 @@ func TestGenerationAwsAdvancedOptsConsolidatedAndForceDestroy(t *testing.T) {
 				MsgRsp{cmd.QuestionBucketName, ""},
 				MsgRsp{cmd.QuestionBucketEnableEncryption, "y"},
 				MsgRsp{cmd.QuestionBucketSseKeyArn, ""},
+				MsgRsp{cmd.QuestionS3BucketNotification, ""},
 				// SNS Topic Questions
 				MsgRsp{cmd.QuestionsUseExistingSNSTopic, "n"},
 				MsgRsp{cmd.QuestionSnsTopicName, ""},
@@ -329,6 +330,7 @@ func TestGenerationAwsAdvancedOptsConsolidatedWithSubAccounts(t *testing.T) {
 				MsgRsp{cmd.QuestionBucketName, ""},
 				MsgRsp{cmd.QuestionBucketEnableEncryption, "y"},
 				MsgRsp{cmd.QuestionBucketSseKeyArn, ""},
+				MsgRsp{cmd.QuestionS3BucketNotification, ""},
 				// SNS Topic Questions
 				MsgRsp{cmd.QuestionsUseExistingSNSTopic, "n"},
 				MsgRsp{cmd.QuestionSnsTopicName, ""},
@@ -594,6 +596,7 @@ func TestGenerationAwsAdvancedOptsCreateNewElements(t *testing.T) {
 				MsgRsp{cmd.QuestionBucketName, bucketName},
 				MsgRsp{cmd.QuestionBucketEnableEncryption, "y"},
 				MsgRsp{cmd.QuestionBucketSseKeyArn, kmsArn},
+				MsgRsp{cmd.QuestionS3BucketNotification, ""},
 				// SNS Topic Questions
 				MsgRsp{cmd.QuestionsUseExistingSNSTopic, "n"},
 				MsgRsp{cmd.QuestionSnsTopicName, topicName},
@@ -823,6 +826,96 @@ func TestGenerationAwsLaceworkProfile(t *testing.T) {
 	assert.Equal(t, buildTf, tfResult)
 }
 
+func TestGenerationAwsS3BucketNotification(t *testing.T) {
+	os.Setenv("LW_NOCACHE", "true")
+	defer os.Setenv("LW_NOCACHE", "")
+	var final string
+	var runError error
+	region := "us-west-2"
+
+	tfResult := runGenerateTest(t,
+		func(c *expect.Console) {
+			expectsCliOutput(t, c, []MsgRspHandler{
+				MsgRsp{cmd.QuestionAwsEnableConfig, "n"},
+				MsgRsp{cmd.QuestionEnableCloudtrail, "y"},
+				MsgRsp{cmd.QuestionAwsRegion, region},
+				MsgRsp{cmd.QuestionAwsConfigAdvanced, "n"},
+				MsgRsp{cmd.QuestionRunTfPlan, "n"},
+			})
+
+			final, _ = c.ExpectEOF()
+		},
+		"generate",
+		"cloud-account",
+		"aws",
+		"--use_s3_bucket_notification",
+	)
+
+	assert.Nil(t, runError)
+	assert.Contains(t, final, "Terraform code saved in")
+
+	buildTf, _ := aws.NewTerraform(region, false, true,
+		aws.WithS3BucketNotification(true),
+	).Generate()
+	assert.Equal(t, buildTf, tfResult)
+}
+
+func TestGenerationAwsS3BucketNotificationInteractive(t *testing.T) {
+	os.Setenv("LW_NOCACHE", "true")
+	defer os.Setenv("LW_NOCACHE", "")
+	var final string
+	var runError error
+	region := "us-west-2"
+
+	tfResult := runGenerateTest(t,
+		func(c *expect.Console) {
+			expectsCliOutput(t, c, []MsgRspHandler{
+				MsgRsp{cmd.QuestionAwsEnableConfig, "n"},
+				MsgRsp{cmd.QuestionEnableCloudtrail, "y"},
+				MsgRsp{cmd.QuestionAwsRegion, region},
+
+				MsgRsp{cmd.QuestionAwsConfigAdvanced, "y"},
+				MsgMenu{cmd.AwsAdvancedOptDone, 0},
+
+				MsgRsp{cmd.QuestionConsolidatedCloudtrail, ""},
+				MsgRsp{cmd.QuestionUseExistingCloudtrail, ""},
+				MsgRsp{cmd.QuestionCloudtrailName, ""},
+				// S3 Questions
+				MsgRsp{cmd.QuestionForceDestroyS3Bucket, ""},
+				MsgRsp{cmd.QuestionBucketName, ""},
+				MsgRsp{cmd.QuestionBucketEnableEncryption, ""},
+				MsgRsp{cmd.QuestionBucketSseKeyArn, ""},
+				MsgRsp{cmd.QuestionS3BucketNotification, "y"},
+				// SNS Topic Questions
+				MsgRsp{cmd.QuestionsUseExistingSNSTopic, ""},
+				MsgRsp{cmd.QuestionSnsTopicName, ""},
+				MsgRsp{cmd.QuestionSnsEnableEncryption, ""},
+				MsgRsp{cmd.QuestionSnsEncryptionKeyArn, ""},
+				// SQS Questions
+				MsgRsp{cmd.QuestionSqsQueueName, ""},
+				MsgRsp{cmd.QuestionSqsEnableEncryption, ""},
+				MsgRsp{cmd.QuestionSqsEncryptionKeyArn, ""},
+
+				MsgRsp{cmd.QuestionAwsAnotherAdvancedOpt, "n"},
+				MsgRsp{cmd.QuestionRunTfPlan, "n"},
+			})
+
+			final, _ = c.ExpectEOF()
+		},
+		"generate",
+		"cloud-account",
+		"aws",
+	)
+
+	assert.Nil(t, runError)
+	assert.Contains(t, final, "Terraform code saved in")
+
+	buildTf, _ := aws.NewTerraform(region, false, true,
+		aws.WithS3BucketNotification(true),
+	).Generate()
+	assert.Equal(t, buildTf, tfResult)
+}
+
 func runGenerateTest(t *testing.T, conditions func(*expect.Console), args ...string) string {
 	os.Setenv("HOME", tfPath)
 

integration/test_resources/help/generate_cloud-account_aws

@@ -46,6 +46,7 @@ Flags:
       --sqs_encryption_enabled                enable encryption on SQS queue when creating (default true)
       --sqs_encryption_key_arn string         specify existing KMS encryption key arn for SQS queue
       --sqs_queue_name string                 specify SQS queue name if creating new one
+      --use_s3_bucket_notification            enable S3 bucket notifications
 
 Global Flags:
   -a, --account string      account subdomain of URL (i.e. <ACCOUNT>.lacework.net)

lwgenerate/aws/aws.go

@@ -150,6 +150,8 @@ type GenerateAwsTfConfigurationArgs struct {
 
 	// The Lacework AWS Root Account ID
 	LaceworkAccountID string
+
+	S3BucketNotification bool
 }
 
 // Ensure all combinations of inputs our valid for supported spec
@@ -340,6 +342,12 @@ func WithSqsEncryptionKeyArn(ssqEncryptionKeyArn string) AwsTerraformModifier {
 	}
 }
 
+func WithS3BucketNotification(s3BucketNotifiaction bool) AwsTerraformModifier {
+	return func(c *GenerateAwsTfConfigurationArgs) {
+		c.S3BucketNotification = s3BucketNotifiaction
+	}
+}
+
 // Generate new Terraform code based on the supplied args.
 func (args *GenerateAwsTfConfigurationArgs) Generate() (string, error) {
 	// Validate inputs
@@ -578,6 +586,10 @@ func createCloudtrail(args *GenerateAwsTfConfigurationArgs) (*hclwrite.Block, er
 			attributes["iam_role_external_id"] = args.ExistingIamRole.ExternalId
 		}
 
+		if args.S3BucketNotification {
+			attributes["use_s3_bucket_notification"] = true
+		}
+
 		if len(args.SubAccounts) > 0 {
 			modDetails = append(modDetails, lwgenerate.HclModuleWithProviderDetails(map[string]string{"aws": "aws.main"}))
 		}

lwgenerate/aws/aws_test.go

@@ -314,6 +314,17 @@ func TestGenerationPartialExistingIamValues(t *testing.T) {
 	})
 }
 
+func TestGenerationCloudTrailS3BucketNotification(t *testing.T) {
+	hcl, err := NewTerraform("us-east-2", false, true, WithS3BucketNotification(true)).Generate()
+	assert.Nil(t, err)
+	assert.NotNil(t, hcl)
+	assert.Equal(
+		t,
+		reqProviderAndRegion(moduleImportCtWithS3BucketNotification),
+		hcl,
+	)
+}
+
 var requiredProviders = `terraform {
   required_providers {
     lacework = {
@@ -437,3 +448,10 @@ var moduleImportCtWithLaceworkAccountID = `module "main_cloudtrail" {
   use_existing_iam_role   = true
 }
 `
+
+var moduleImportCtWithS3BucketNotification = `module "main_cloudtrail" {
+  source                     = "lacework/cloudtrail/aws"
+  version                    = "~> 2.0"
+  use_s3_bucket_notification = true
+}
+`