feat(cloudtrail): enable trail insight

aws · Nov 26, 2022 · d2f6a01 · d2f6a01
1 parent 82c3646
commit d2f6a01
Show file tree

Hide file tree

Showing 17 changed files with 1,693 additions and 3 deletions.
diff --git a/packages/@aws-cdk/aws-cloudtrail/README.md b/packages/@aws-cdk/aws-cloudtrail/README.md
@@ -197,3 +197,21 @@ new cloudtrail.Trail(this, 'OrganizationTrail', {
   isOrganizationTrail: true,
 });
 ```
+
+## CloudTrail Insights
+
+Set `InsightSelector` to enable Insight.
+Insights selector values can be `ApiCallRateInsight`, `ApiErrorRateInsight`, or both.
+
+```ts
+new Trail(stack, 'Insights', {
+  insightSelectors: [
+    {
+      insightType: Insight.TYPE_API_CALL_RATE,
+    },
+    {
+      insightType: Insight.TYPE_API_ERROR_RATE,
+    },
+  ],
+});
+```
diff --git a/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts b/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts
@@ -127,6 +127,13 @@ export interface TrailProps {
    * @default - false
    */
   readonly isOrganizationTrail?: boolean
+
+  /**
+   * A JSON string that contains the insight types you want to log on a trail.
+   *
+   * @default - No Value.
+   */
+  readonly insightSelectors?: InsightSelector[]
 }
 
 /**
@@ -158,6 +165,24 @@ export enum ReadWriteType {
   NONE = 'None',
 }
 
+/**
+ * Util element for InsightSelector
+ */
+export class Insight {
+
+  /**
+   * The type of insights to log on a trail. (API Call Rate)
+   */
+  public static readonly TYPE_API_CALL_RATE = 'ApiCallRateInsight'
+
+  /**
+   * The type of insights to log on a trail. (API Error Rate)
+   */
+  public static readonly TYPE_API_ERROR_RATE = 'ApiErrorRateInsight'
+
+  protected constructor(public readonly value: string) {}
+}
+
 /**
  * Cloud trail allows you to log events that happen in your AWS account
  * For example:
@@ -298,6 +323,7 @@ export class Trail extends Resource {
       snsTopicName: this.topic?.topicName,
       eventSelectors: this.eventSelectors,
       isOrganizationTrail: props.isOrganizationTrail,
+      insightSelectors: props.insightSelectors,
     });
 
     this.trailArn = this.getResourceArnAttribute(trail.attrArn, {
@@ -502,3 +528,15 @@ interface EventSelectorData {
   readonly type: string;
   readonly values: string[];
 }
+
+/**
+ * A JSON string that contains a list of insight types that are logged on a trail.
+ */
+export interface InsightSelector {
+  /**
+   * The type of insights to log on a trail.
+   *
+   * @default - No Value.
+   */
+  readonly insightType?: string;
+}
diff --git a/packages/@aws-cdk/aws-cloudtrail/package.json b/packages/@aws-cdk/aws-cloudtrail/package.json
@@ -115,7 +115,8 @@
   },
   "awslint": {
     "exclude": [
-      "events-method-signature:@aws-cdk/aws-cloudtrail.Trail.onEvent"
+      "events-method-signature:@aws-cdk/aws-cloudtrail.Trail.onEvent",
+      "docs-public-apis:@aws-cdk/aws-cloudtrail.Insight.value"
     ]
   },
   "engines": {

diff --git a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.test.ts b/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.test.ts
@@ -7,7 +7,7 @@ import * as s3 from '@aws-cdk/aws-s3';
 import * as sns from '@aws-cdk/aws-sns';
 import { testDeprecated } from '@aws-cdk/cdk-build-tools';
 import { Stack } from '@aws-cdk/core';
-import { ManagementEventSources, ReadWriteType, Trail } from '../lib';
+import { ManagementEventSources, ReadWriteType, Trail, Insight } from '../lib';
 
 const ExpectedBucketPolicyProperties = {
   PolicyDocument: {
@@ -702,4 +702,91 @@ describe('cloudtrail', () => {
       });
     });
   });
-});
+  describe('insights ', () => {
+    test('no properties', () => {
+      const stack = getTestStack();
+      new Trail(stack, 'MyAmazingCloudTrail', {
+        insightSelectors: [],
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::CloudTrail::Trail', {
+        InsightSelectors: [],
+      });
+    });
+    test('API Call Rate properties', () => {
+      const stack = getTestStack();
+      new Trail(stack, 'MyAmazingCloudTrail', {
+        insightSelectors: [
+          {
+            insightType: Insight.TYPE_API_CALL_RATE,
+          },
+        ],
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::CloudTrail::Trail', {
+        InsightSelectors: [{
+          InsightType: 'ApiCallRateInsight',
+        }],
+      });
+    });
+    test('API Call Rate properties', () => {
+      const stack = getTestStack();
+      new Trail(stack, 'MyAmazingCloudTrail', {
+        insightSelectors: [
+          {
+            insightType: Insight.TYPE_API_ERROR_RATE,
+          },
+        ],
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::CloudTrail::Trail', {
+        InsightSelectors: [{
+          InsightType: 'ApiErrorRateInsight',
+        }],
+      });
+    });
+    test('duplicate properties', () => {
+      const stack = getTestStack();
+      new Trail(stack, 'MyAmazingCloudTrail', {
+        insightSelectors: [
+          {
+            insightType: Insight.TYPE_API_CALL_RATE,
+          },
+          {
+            insightType: Insight.TYPE_API_CALL_RATE,
+          },
+        ],
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::CloudTrail::Trail', {
+        InsightSelectors: [
+          {
+            InsightType: 'ApiCallRateInsight',
+          },
+          {
+            InsightType: 'ApiCallRateInsight',
+          },
+        ],
+      });
+    });
+    test('ALL properties', () => {
+      const stack = getTestStack();
+      new Trail(stack, 'MyAmazingCloudTrail', {
+        insightSelectors: [
+          {
+            insightType: Insight.TYPE_API_CALL_RATE,
+          },
+          {
+            insightType: Insight.TYPE_API_ERROR_RATE,
+          },
+        ],
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::CloudTrail::Trail', {
+        InsightSelectors: [
+          {
+            InsightType: 'ApiCallRateInsight',
+          },
+          {
+            InsightType: 'ApiErrorRateInsight',
+          },
+        ],
+      });
+    });
+  });
+});
diff --git a/.../asset.33e2651435a0d472a75c1e033c9832b21321d9e56711926b04c5705e5f63874c/__entrypoint__.js b/.../asset.33e2651435a0d472a75c1e033c9832b21321d9e56711926b04c5705e5f63874c/__entrypoint__.js
diff --git a/....snapshot/asset.33e2651435a0d472a75c1e033c9832b21321d9e56711926b04c5705e5f63874c/index.js b/....snapshot/asset.33e2651435a0d472a75c1e033c9832b21321d9e56711926b04c5705e5f63874c/index.js
diff --git a/...st/integ.cloudtrail-insight.lit.js.snapshot/aws-cdk-cloudtrail-inshights-test.assets.json b/...st/integ.cloudtrail-insight.lit.js.snapshot/aws-cdk-cloudtrail-inshights-test.assets.json
@@ -0,0 +1,32 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "33e2651435a0d472a75c1e033c9832b21321d9e56711926b04c5705e5f63874c": {
+      "source": {
+        "path": "asset.33e2651435a0d472a75c1e033c9832b21321d9e56711926b04c5705e5f63874c",
+        "packaging": "zip"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "33e2651435a0d472a75c1e033c9832b21321d9e56711926b04c5705e5f63874c.zip",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    },
+    "9e54867c184c79374c51ba171db494a5736a30294e618efa94e199b94e58868e": {
+      "source": {
+        "path": "aws-cdk-cloudtrail-inshights-test.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "9e54867c184c79374c51ba171db494a5736a30294e618efa94e199b94e58868e.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}