Merge branch 'main' into janeapp-main

.github/CODEOWNERS

@@ -0,0 +1 @@
+*       @lacework/eng-product-platform

.github/workflows/nightly.yml

@@ -0,0 +1,11 @@
+name: Nightly Build
+
+on: 
+  workflow_dispatch:
+  schedule:
+    - cron: '0 10 * * *' # Run every day at 10AM UTC
+
+jobs:
+  call-nightly-workflow:
+    uses: lacework/oss-actions/.github/workflows/tf-nightly.yml@main
+    secrets: inherit

.github/workflows/prepare-release.yml

@@ -0,0 +1,8 @@
+name: Prepare Release
+
+on: workflow_dispatch
+
+jobs:
+  call-nightly-workflow:
+    uses: lacework/oss-actions/.github/workflows/tf-prepare-release.yml@main
+    secrets: inherit

.github/workflows/release.yml

@@ -0,0 +1,12 @@
+name: Release
+
+on: 
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  call-nightly-workflow:
+    uses: lacework/oss-actions/.github/workflows/tf-release.yml@main
+    secrets: inherit

.github/workflows/terraform_docs.yml

@@ -0,0 +1,29 @@
+name: Test that terraform docs has been run
+on: push
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+    - name: Install terraform-docs
+      run: curl -L https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz | (cd /usr/local/bin; tar zxvf -; chmod +x /usr/local/bin/terraform-docs)
+    - name: store hash of orig README.md
+      id: old_hash
+      run: echo "README_HASH=$(md5sum README.md)" >> $GITHUB_OUTPUT
+    - name: Update README.md using terraform-docs make target
+      run: make terraform-docs
+    - name: store hash of new README.md
+      id: new_hash
+      run: echo "README_HASH=$(md5sum README.md)" >> $GITHUB_OUTPUT
+    - name: echo hashes
+      run: |
+        echo ${{ steps.old_hash.outputs.README_HASH }}
+        echo ${{ steps.new_hash.outputs.README_HASH }}
+    - name: test to see of hashs are the same
+      if: ${{ steps.old_hash.outputs.README_HASH != steps.new_hash.outputs.README_HASH }}
+      uses: actions/github-script@v6
+      with:
+        script: |
+          core.setFailed('Please run "make terraform-docs" and try again')

.github/workflows/test-compat-pr-comment.yml

@@ -0,0 +1,29 @@
+name: Test Compatibility On Comment
+
+on: 
+  workflow_dispatch:
+  issue_comment:                                     
+    types: [created, edited]
+
+jobs:
+  check-commenting-user:
+    runs-on: ubuntu-latest
+    if: ${{  contains(github.event.comment.html_url, '/pull/') &&  contains(github.event.comment.body, 'make it so') }}
+    steps:
+      - uses: actions/github-script@v7
+        with:
+          script: |
+            const creator = context.payload.sender.login
+            const result = await github.rest.teams.getMembershipForUserInOrg({
+              org: context.repo.owner,
+              team_slug: 'growth-team',
+              username: creator
+            })
+            if (result.state != "active" ) {
+              core.setFailed('Commenter is not a member of the growth team.')
+            }
+            
+  call-test-compat:
+    needs: check-commenting-user
+    uses: lacework/oss-actions/.github/workflows/tf-test-compatibility.yml@main
+    secrets: inherit

.github/workflows/test-compatibility.yml

@@ -0,0 +1,13 @@
+name: Test Compatibility
+
+on: 
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  call-test-compat:
+    uses: lacework/oss-actions/.github/workflows/tf-test-compatibility.yml@main
+    secrets: inherit

.github/workflows/verify-release.yml

@@ -0,0 +1,12 @@
+name: Verify Release
+
+on: 
+  workflow_dispatch:
+  push:
+    branches:
+      - release
+
+jobs:
+  call-nightly-workflow:
+    uses: lacework/oss-actions/.github/workflows/tf-verify.yml@main
+    secrets: inherit

CHANGELOG.md

@@ -1,3 +1,27 @@
+# v2.9.1
+
+## Other Changes
+* chore: set local var module name (#155) (Darren)([fc944bd](https://github.com/lacework/terraform-aws-cloudtrail/commit/fc944bd87c5c49166bd319fa6888d08a2157bb08))
+* ci: version bump to v2.9.1-dev (Lacework)([bcd0ae8](https://github.com/lacework/terraform-aws-cloudtrail/commit/bcd0ae868b9f334d228f053a058d62ff4c9fed7f))
+---
+# v2.9.0
+
+## Features
+* feat: add lacework_metric_module datasource (#153) (Darren)([bbfe4a7](https://github.com/lacework/terraform-aws-cloudtrail/commit/bbfe4a7bab1bbe5e5f21d0dc13ce5da6d09d8868))
+## Other Changes
+* ci: version bump to v2.8.2-dev (Lacework)([b989fcd](https://github.com/lacework/terraform-aws-cloudtrail/commit/b989fcd58040113d9c807bad9f38c24723f73bd2))
+---
+# v2.8.1
+
+## Bug Fixes
+* fix: org cloudtrail bucket policy (#151) (Darren)([88657d0](https://github.com/lacework/terraform-aws-cloudtrail/commit/88657d0534cda921fe4653402293e1e21197464c))
+* fix: log_bucket deny policy (#150) (jonathan stewart)([984385b](https://github.com/lacework/terraform-aws-cloudtrail/commit/984385b633fb3f5be7c8ad80d709ad8aacf4fb26))
+## Documentation Updates
+* docs(readme): add terraform docs automation (#149) (Timothy MacDonald)([48f2fbf](https://github.com/lacework/terraform-aws-cloudtrail/commit/48f2fbfebb2ea5a9b4ef3f7aeae88698d41627a5))
+## Other Changes
+* chore: update CHANGELOG with ad-hoc release (#148) (Salim Afiune)([23bf420](https://github.com/lacework/terraform-aws-cloudtrail/commit/23bf420f57a9c6f1c13dc957f794534029fa062a))
+* ci: version bump to v2.8.1-dev (Lacework)([d453292](https://github.com/lacework/terraform-aws-cloudtrail/commit/d453292f5edb61eab4da1fc49d42ddbf32c209c6))
+---
 # v2.8.0
 
 ## Features
@@ -159,6 +183,11 @@
 ## Other Changes
 * ci: version bump to v1.0.3-dev (Lacework)([563e9a8](https://github.com/lacework/terraform-aws-cloudtrail/commit/563e9a8705c21870c39f20339ce45c793f39158c))
 ---
+# v1.0.3
+
+## Bug Fixes
+* fix(pin): module iam-role/aws version ~> 0.3.0
+---
 # v1.0.2
 
 ## Bug Fixes

GNUmakefile

@@ -19,3 +19,8 @@ ci: ## *CI ONLY* Runs tests on CI pipeline
 .PHONY: release
 release: ci ## *CI ONLY* Prepares a release of the Terraform module
 	scripts/release.sh prepare
+
+.PHONY: terraform-docs
+terraform-docs:
+	scripts/terraform-docs.sh
+

README.md

@@ -14,7 +14,7 @@ Terraform module for configuring an integration with Lacework and AWS for CloudT
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
-| <a name="requirement_lacework"></a> [lacework](#requirement\_lacework) | ~> 1.0 |
+| <a name="requirement_lacework"></a> [lacework](#requirement\_lacework) | >= 1.18 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.1 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | ~> 0.6 |
 
@@ -23,7 +23,7 @@ Terraform module for configuring an integration with Lacework and AWS for CloudT
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
-| <a name="provider_lacework"></a> [lacework](#provider\_lacework) | ~> 1.0 |
+| <a name="provider_lacework"></a> [lacework](#provider\_lacework) | >= 1.18 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.1 |
 | <a name="provider_time"></a> [time](#provider\_time) | ~> 0.6 |
 
@@ -70,7 +70,9 @@ Terraform module for configuring an integration with Lacework and AWS for CloudT
 | [aws_iam_policy_document.cross_account_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sns_topic_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [lacework_metric_module.lwmetrics](https://registry.terraform.io/providers/lacework/lacework/latest/docs/data-sources/metric_module) | data source |
 
 ## Inputs
 

RELEASE_NOTES.md

@@ -1,8 +1,6 @@
 # Release Notes
-Another day, another release. These are the release notes for the version `v2.8.0`.
+Another day, another release. These are the release notes for the version `v2.9.1`.
 
-## Features
-* feat: enforce External ID v2 format via iam-role module (#144) (djmctavish)([6d4a310](https://github.com/lacework/terraform-aws-cloudtrail/commit/6d4a31028df4d7dc73fdccf8c4185b27452f5237))
 ## Other Changes
-* ci: use a session token for the ci_tests (Peter Moody)([762e155](https://github.com/lacework/terraform-aws-cloudtrail/commit/762e1555df47d72e5b815e16df55127e1029d42b))
-* ci: version bump to v2.7.7-dev (Lacework)([0eb80a3](https://github.com/lacework/terraform-aws-cloudtrail/commit/0eb80a3221a0b5bb2deb40613bf8b1b490e6ce89))
+* chore: set local var module name (#155) (Darren)([fc944bd](https://github.com/lacework/terraform-aws-cloudtrail/commit/fc944bd87c5c49166bd319fa6888d08a2157bb08))
+* ci: version bump to v2.9.1-dev (Lacework)([bcd0ae8](https://github.com/lacework/terraform-aws-cloudtrail/commit/bcd0ae868b9f334d228f053a058d62ff4c9fed7f))

VERSION

@@ -1 +1 @@
-2.8.1-dev
+2.9.2-dev

examples/cloudtrail-existing-kms-key/README.md

@@ -145,4 +145,4 @@ data "aws_iam_policy_document" "kms_key_policy" {
 
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform).
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).

examples/existing-cloudtrail/README.md

@@ -39,4 +39,4 @@ module "aws_cloudtrail" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).

main.tf

@@ -34,6 +34,9 @@ locals {
   bucket_versioning_enabled = var.bucket_versioning_enabled ? "Enabled" : "Suspended"
   bucket_sse_key_arn        = var.use_existing_kms_key ? var.bucket_sse_key_arn : ((var.use_existing_cloudtrail || length(var.bucket_sse_key_arn) > 0) ? var.bucket_sse_key_arn : aws_kms_key.lacework_kms_key[0].arn)
   cloudtrail_arn = var.consolidated_trail && var.use_existing_cloudtrail && var.cross_account_cloudtrail_arn != null ? var.cross_account_cloudtrail_arn : "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
+  version_file   = "${abspath(path.module)}/VERSION"
+  module_name    = "terraform-aws-cloudtrail"
+  module_version = fileexists(local.version_file) ? file(local.version_file) : ""
 }
 
 resource "random_id" "uniq" {
@@ -167,6 +170,9 @@ resource "aws_s3_bucket_versioning" "cloudtrail_bucket_versioning" {
   }
 }
 
+data "aws_organizations_organization" "organization" {
+     count = var.is_organization_trail ? 1 : 0
+}
 
 data "aws_iam_policy_document" "cloudtrail_log_policy" {
   version = "2012-10-17"
@@ -183,7 +189,7 @@ data "aws_iam_policy_document" "cloudtrail_log_policy" {
 
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      identifiers = ["*"]
     }
 
     condition {
@@ -388,6 +394,27 @@ data "aws_iam_policy_document" "cloudtrail_s3_policy" {
     }
   }
 
+
+  dynamic "statement" {
+    for_each = var.is_organization_trail ? [1] : []
+    content {
+    sid       = "AWSCloudTrailOrganizationWrite20150319"
+    actions   = ["s3:PutObject"]
+    resources = ["arn:aws:s3:::${local.bucket_name}/AWSLogs/${data.aws_organizations_organization.organization[0].id}/*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+   }
+  }
+
   statement {
     sid       = "AWSCloudTrailWrite20150319"
     actions   = ["s3:PutObject"]
@@ -669,3 +696,8 @@ resource "lacework_integration_aws_ct" "default" {
 
   depends_on = [time_sleep.wait_time]
 }
+
+data "lacework_metric_module" "lwmetrics" {
+  name    = local.module_name
+  version = local.module_version
+}

scripts/release_helpers.sh

@@ -1,6 +1,6 @@
 #
 # Name::        release_helpers.sh
-# Description:: A set of helper funtions to be used by our release.sh script
+# Description:: A set of helper functions to be used by our release.sh script
 # Author::      Salim Afiune Maya (<[email protected]>)
 #
 
@@ -137,6 +137,7 @@ prepare_release() {
   prerequisites
   remove_tag_version
   check_for_minor_version_bump
+  generate_readme
   generate_release_notes
   update_changelog
   push_release
@@ -192,6 +193,10 @@ generate_release_notes() {
   echo "$(cat CHANGES.md)" >> RELEASE_NOTES.md
 }
 
+generate_readme() {
+  make terraform-docs
+}
+
 load_list_of_changes() {
   latest_version=$(find_latest_version)
   local _list_of_changes=$(git log --no-merges --pretty="* %s (%an)([%h](https://github.com/${org_name}/${project_name}/commit/%H))" ${latest_version}..${main_branch})

scripts/terraform-docs.sh

@@ -11,4 +11,3 @@ else
     echo "## please install terraform-docs or docker"
     exit 1
 fi
-

versions.tf

@@ -16,7 +16,7 @@ terraform {
     }
     lacework = {
       source  = "lacework/lacework"
-      version = "~> 1.0"
+      version = ">= 1.18"
     }
   }
 }