From 4e4a447331ca22ec446493b33ce1cc97772ecb4f Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 27 Feb 2024 17:36:42 -0500
Subject: [PATCH] * 2.5.5 -- 2024-02-26 - cloudtrail - add filter_path of cloudtrail/ for notification
---
 CHANGELOG.md | 4 ++++
 cloudtrail/s3.tf | 6 +++---
 cloudtrail/sns.s3.tf | 36 ++++++------------------------------
 common/version.tf | 2 +-
 4 files changed, 14 insertions(+), 34 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7b49fe3..1ee346f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -346,3 +346,7 @@
 * 2.5.4 -- 2024-02-16
 - terraform-state
 - a resource set to count=0 with no acl was failing; remove the resource (comment)
+
+* 2.5.5 -- 2024-02-26
+ - cloudtrail
+ - add filter_path of cloudtrail/ for notification
diff --git a/cloudtrail/s3.tf b/cloudtrail/s3.tf
index 3816aeb..d4c1459 100644
--- a/cloudtrail/s3.tf
+++ b/cloudtrail/s3.tf
@@ -110,9 +110,9 @@ resource "aws_s3_bucket_notification" "this" {
 bucket = aws_s3_bucket.this.id
 topic {
- topic_arn = try(aws_sns_topic.cloudtrail_s3[0].arn, null)
- events = ["s3:ObjectCreated:*"]
- # filter_prefix = "cloudtrail/"
+ topic_arn = try(aws_sns_topic.cloudtrail_s3[0].arn, null)
+ events = ["s3:ObjectCreated:*"]
+ filter_prefix = "cloudtrail/"
 # filter_suffix = ".json.gz"
 }
 }
diff --git a/cloudtrail/sns.s3.tf b/cloudtrail/sns.s3.tf
index 24700f8..ffd0a55 100644
--- a/cloudtrail/sns.s3.tf
+++ b/cloudtrail/sns.s3.tf
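Review bot: The new `filter_prefix = "cloudtrail/"` in the `topic` block hard-codes the key prefix, so S3 will stop emitting notifications entirely if the trail's `s3_key_prefix` (not visible in this hunk) is ever set to anything else; referencing the same variable or local that feeds the trail's prefix would keep the two from drifting silently. Until then, a comment on that line would save the next maintainer a debugging session, e.g. `# must match the trail's s3_key_prefix; objects outside this prefix raise no notification`. The `resource "aws_s3_bucket_notification" "this"` block starts before this hunk, so the `topic_arn = try(..., null)` fallback for the disabled case is only partly visible here. Note also that the changelog entry calls this `filter_path` while the argument actually set is `filter_prefix`.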
@@ -18,31 +18,6 @@ resource "aws_sns_topic_policy" "cloudtrail_s3" {
 data "aws_iam_policy_document" "cloudtrail_s3_topic" {
 policy_id = format("%v_s3_topic", local.s3_name)
- ## statement {
- ## sid = "CloudtrailS3SNSPermissions"
- ## effect = "Allow"
- ## principals {
- ## type = "AWS"
- ## identifiers = ["*"]
- ## }
- ## actions = [
- ## "sns:Subscribe",
- ## "sns:SetTopicAttributes",
- ## "sns:RemovePermission",
- ## "sns:Receive",
- ## "sns:Publish",
- ## "sns:ListSubscriptionsByTopic",
- ## "sns:GetTopicAttributes",
- ## "sns:DeleteTopic",
- ## "sns:AddPermission",
- ## ]
- ## condition {
- ## test = "StringEquals"
- ## variable = "AWS:SourceOwner"
- ## values = [local.account_id]
- ## }
- ## resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
- ## }
 statement {
 sid = "CloudTrailSNSS3Policy"
 effect = "Allow"
@@ -52,15 +27,16 @@ data "aws_iam_policy_document" "cloudtrail_s3_topic" {
 }
 actions = ["sns:Publish"]
 resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
- ## condition {
- ## test = "StringEquals"
- ## variable = "AWS:SourceOwner"
- ## values = [local.account_id]
- ## }
 condition {
 test = "StringEquals"
 variable = "aws:SourceArn"
 values = [aws_s3_bucket.this.arn]
 }
+ condition {
+ test = "StringEquals"
+ variable = "aws:SourceAccount"
+ values = [data.aws_caller_identity.current.account_id]
+ }
 }
 }
+
diff --git a/common/version.tf b/common/version.tf
index 568abb4..241a4b7 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.5.4"
+ _module_version = "2.5.5"
 }
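Review bot: The added `aws:SourceAccount` condition reads `data.aws_caller_identity.current.account_id`, whereas the commented-out statements this commit deletes obtained the same value from `local.account_id`; if that local still exists in the module, using it here keeps a single source of truth, and if it does not, the `aws_caller_identity` data source must already be declared elsewhere in the module, since neither is visible in these hunks. Pairing `aws:SourceAccount` with the existing `aws:SourceArn` check is the right shape for an S3-to-SNS publish grant, and a one-line comment above the new block would record why both are present, e.g. `# both SourceArn and SourceAccount: only this account's bucket may publish here`. The enclosing `statement` (its `principals` block in particular) begins between the two hunks, so the principal being constrained is not visible here. The blank line added at end of file will be removed by `terraform fmt`.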