* 2.5.5 -- 2024-02-26

- cloudtrail - add filter_path of cloudtrail/ for notification
terraform-modules · Feb 27, 2024 · 4e4a447 · 4e4a447
1 parent 0698e5c
commit 4e4a447
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 34 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -346,3 +346,7 @@
 * 2.5.4 -- 2024-02-16
   - terraform-state
     - a resource set to count=0 with no acl was failing; remove the resource (comment)
+
+* 2.5.5 -- 2024-02-26
+  - cloudtrail
+    - add filter_path of cloudtrail/ for notification
diff --git a/cloudtrail/s3.tf b/cloudtrail/s3.tf
@@ -110,9 +110,9 @@ resource "aws_s3_bucket_notification" "this" {
   bucket = aws_s3_bucket.this.id
 
   topic {
-    topic_arn = try(aws_sns_topic.cloudtrail_s3[0].arn, null)
-    events    = ["s3:ObjectCreated:*"]
-    #    filter_prefix = "cloudtrail/"
+    topic_arn     = try(aws_sns_topic.cloudtrail_s3[0].arn, null)
+    events        = ["s3:ObjectCreated:*"]
+    filter_prefix = "cloudtrail/"
     #    filter_suffix = ".json.gz"
   }
 }
diff --git a/cloudtrail/sns.s3.tf b/cloudtrail/sns.s3.tf
@@ -18,31 +18,6 @@ resource "aws_sns_topic_policy" "cloudtrail_s3" {
 
 data "aws_iam_policy_document" "cloudtrail_s3_topic" {
   policy_id = format("%v_s3_topic", local.s3_name)
-  ##   statement {
-  ##     sid    = "CloudtrailS3SNSPermissions"
-  ##     effect = "Allow"
-  ##     principals {
-  ##       type        = "AWS"
-  ##       identifiers = ["*"]
-  ##     }
-  ##     actions = [
-  ##       "sns:Subscribe",
-  ##       "sns:SetTopicAttributes",
-  ##       "sns:RemovePermission",
-  ##       "sns:Receive",
-  ##       "sns:Publish",
-  ##       "sns:ListSubscriptionsByTopic",
-  ##       "sns:GetTopicAttributes",
-  ##       "sns:DeleteTopic",
-  ##       "sns:AddPermission",
-  ##     ]
-  ##     condition {
-  ##       test     = "StringEquals"
-  ##       variable = "AWS:SourceOwner"
-  ##       values   = [local.account_id]
-  ##     }
-  ##     resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
-  ##   }
   statement {
     sid    = "CloudTrailSNSS3Policy"
     effect = "Allow"
@@ -52,15 +27,16 @@ data "aws_iam_policy_document" "cloudtrail_s3_topic" {
     }
     actions   = ["sns:Publish"]
     resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
-    ##     condition {
-    ##       test     = "StringEquals"
-    ##       variable = "AWS:SourceOwner"
-    ##       values   = [local.account_id]
-    ##     }
     condition {
       test     = "StringEquals"
       variable = "aws:SourceArn"
       values   = [aws_s3_bucket.this.arn]
     }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
   }
 }
+
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.5.4"
+  _module_version = "2.5.5"
 }