"use strict";
// Compiled, minified output of the aws-cdk-lib `aws_cloudtrail` module (TypeScript -> CommonJS).
// Only comments were added in this review; every code token is unchanged. Line breaks were
// placed after `;`, `,` or a closing `}` so that automatic semicolon insertion is never triggered.

// Decorator runtime helpers (same shape as tslib's __runInitializers / __esDecorate).
// `__runInitializers` runs each initializer with `thisArg`; when a third argument is passed it
// threads `value` through them and returns the final value, otherwise it returns undefined.
var __runInitializers=exports&&exports.__runInitializers||function(thisArg,initializers,value){for(var useValue=arguments.length>2,i=0;i<initializers.length;i++)value=useValue?initializers[i].call(thisArg,value):initializers[i].call(thisArg);return useValue?value:void 0},
// `__esDecorate` applies `decorators` (last to first) to a class or member, rejecting non-function
// results with TypeError, collecting field/accessor `init` functions into `initializers`, and
// finally defining the (possibly replaced) descriptor on `target`. `done` guards against
// `addInitializer` being called after decoration finished.
__esDecorate=exports&&exports.__esDecorate||function(ctor,descriptorIn,decorators,contextIn,initializers,extraInitializers){function accept(f){if(f!==void 0&&typeof f!="function")throw new TypeError("Function expected");return f}for(var kind=contextIn.kind,key=kind==="getter"?"get":kind==="setter"?"set":"value",target=!descriptorIn&&ctor?contextIn.static?ctor:ctor.prototype:null,descriptor=descriptorIn||(target?Object.getOwnPropertyDescriptor(target,contextIn.name):{}),_,done=!1,i=decorators.length-1;i>=0;i--){var context={};for(var p in contextIn)context[p]=p==="access"?{}:contextIn[p];for(var p in contextIn.access)context.access[p]=contextIn.access[p];context.addInitializer=function(f){if(done)throw new TypeError("Cannot add initializers after decoration has completed");extraInitializers.push(accept(f||null))};var result=(0,decorators[i])(kind==="accessor"?{get:descriptor.get,set:descriptor.set}:descriptor[key],context);if(kind==="accessor"){if(result===void 0)continue;if(result===null||typeof result!="object")throw new TypeError("Object expected");(_=accept(result.get))&&(descriptor.get=_),(_=accept(result.set))&&(descriptor.set=_),(_=accept(result.init))&&initializers.unshift(_)}else(_=accept(result))&&(kind==="field"?initializers.unshift(_):descriptor[key]=_)}target&&Object.defineProperty(target,contextIn.name,descriptor),done=!0};
// Module exports are pre-declared as undefined and filled in below.
Object.defineProperty(exports,"__esModule",{value:!0}),exports.DataResourceType=exports.ManagementEventSources=exports.Trail=exports.InsightType=exports.ReadWriteType=void 0;
// Lazy require: the first call loads the module and then replaces the function with one that
// returns the cached module. The same pattern is used for every dependency below.
var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};
// Symbol under which jsii runtime type info (fqn + version) is attached to each exported class.
const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");
var cloudtrail_generated_1=()=>{var tmp=require("./cloudtrail.generated");return cloudtrail_generated_1=()=>tmp,tmp},
events=()=>{var tmp=require("../../aws-events");return events=()=>tmp,tmp},
iam=()=>{var tmp=require("../../aws-iam");return iam=()=>tmp,tmp},
logs=()=>{var tmp=require("../../aws-logs");return logs=()=>tmp,tmp},
s3=()=>{var tmp=require("../../aws-s3");return s3=()=>tmp,tmp},
core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp},
metadata_resource_1=()=>{var tmp=require("../../core/lib/metadata-resource");return metadata_resource_1=()=>tmp,tmp},
prop_injectable_1=()=>{var tmp=require("../../core/lib/prop-injectable");return prop_injectable_1=()=>tmp,tmp},
ReadWriteType;
/**
 * ReadWriteType: which management/data events a selector records.
 * The string values are the ones written into the CfnTrail event selector (`readWriteType`).
 * NONE is a CDK-level sentinel: it disables the default management-event selector (see the
 * Trail constructor) and is never sent to CloudFormation as a readWriteType.
 */
(function(ReadWriteType2){ReadWriteType2.READ_ONLY="ReadOnly",ReadWriteType2.WRITE_ONLY="WriteOnly",ReadWriteType2.ALL="All",ReadWriteType2.NONE="None"})(ReadWriteType||(exports.ReadWriteType=ReadWriteType={}));
/**
 * InsightType: a CloudTrail Insights selector value. Instances are mapped to
 * `{insightType: value}` entries of `insightSelectors` in the Trail constructor.
 */
class InsightType{value;static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudtrail.InsightType",version:"2.233.0"};static API_CALL_RATE=new InsightType("ApiCallRateInsight");static API_ERROR_RATE=new InsightType("ApiErrorRateInsight");constructor(value){this.value=value}}exports.InsightType=InsightType;
/**
 * Trail: an L2 construct wrapping CfnTrail. The IIFE is the TypeScript emit for a class with
 * decorators: `propertyInjectable` on the class and `MethodMetadata()` on six public methods.
 * `_classThis` / `Trail2` end up pointing at the (possibly decorator-replaced) class.
 *
 * Security-relevant defaults visible in the constructor: the auto-created bucket is created with
 * `enforceSSL: true`; log file validation, multi-region and global-service events are enabled
 * unless the caller explicitly passes `false`; the bucket policy grants CloudTrail `s3:PutObject`
 * only under the account-scoped `AWSLogs/<account>/` prefix and only with the
 * `bucket-owner-full-control` ACL; the organization-trail grant is additionally pinned to this
 * trail's ARN through an `aws:SourceArn` condition.
 */
let Trail=(()=>{let _classDecorators=[prop_injectable_1().propertyInjectable],_classDescriptor,_classExtraInitializers=[],_classThis,_classSuper=core_1().Resource,_instanceExtraInitializers=[],_addEventSelector_decorators,_addLambdaEventSelector_decorators,_logAllLambdaDataEvents_decorators,_addS3EventSelector_decorators,_logAllS3DataEvents_decorators,_onCloudTrailEvent_decorators;var Trail2=class extends _classSuper{static{_classThis=this}
  // Static block: attach MethodMetadata decorators to the six instance methods, then apply the
  // class decorator. Runs once at class-definition time; intentionally left on one line.
  static{const _metadata=typeof Symbol=="function"&&Symbol.metadata?Object.create(_classSuper[Symbol.metadata]??null):void 0;_addEventSelector_decorators=[(0,metadata_resource_1().MethodMetadata)()],_addLambdaEventSelector_decorators=[(0,metadata_resource_1().MethodMetadata)()],_logAllLambdaDataEvents_decorators=[(0,metadata_resource_1().MethodMetadata)()],_addS3EventSelector_decorators=[(0,metadata_resource_1().MethodMetadata)()],_logAllS3DataEvents_decorators=[(0,metadata_resource_1().MethodMetadata)()],_onCloudTrailEvent_decorators=[(0,metadata_resource_1().MethodMetadata)()],__esDecorate(this,null,_addEventSelector_decorators,{kind:"method",name:"addEventSelector",static:!1,private:!1,access:{has:obj=>"addEventSelector"in obj,get:obj=>obj.addEventSelector},metadata:_metadata},null,_instanceExtraInitializers),__esDecorate(this,null,_addLambdaEventSelector_decorators,{kind:"method",name:"addLambdaEventSelector",static:!1,private:!1,access:{has:obj=>"addLambdaEventSelector"in obj,get:obj=>obj.addLambdaEventSelector},metadata:_metadata},null,_instanceExtraInitializers),__esDecorate(this,null,_logAllLambdaDataEvents_decorators,{kind:"method",name:"logAllLambdaDataEvents",static:!1,private:!1,access:{has:obj=>"logAllLambdaDataEvents"in obj,get:obj=>obj.logAllLambdaDataEvents},metadata:_metadata},null,_instanceExtraInitializers),__esDecorate(this,null,_addS3EventSelector_decorators,{kind:"method",name:"addS3EventSelector",static:!1,private:!1,access:{has:obj=>"addS3EventSelector"in obj,get:obj=>obj.addS3EventSelector},metadata:_metadata},null,_instanceExtraInitializers),__esDecorate(this,null,_logAllS3DataEvents_decorators,{kind:"method",name:"logAllS3DataEvents",static:!1,private:!1,access:{has:obj=>"logAllS3DataEvents"in obj,get:obj=>obj.logAllS3DataEvents},metadata:_metadata},null,_instanceExtraInitializers),__esDecorate(this,null,_onCloudTrailEvent_decorators,{kind:"method",name:"onCloudTrailEvent",static:!1,private:!1,access:{has:obj=>"onCloudTrailEvent"in obj,get:obj=>obj.onCloudTrailEvent},metadata:_metadata},null,_instanceExtraInitializers),__esDecorate(null,_classDescriptor={value:_classThis},_classDecorators,{kind:"class",name:_classThis.name,metadata:_metadata},null,_classExtraInitializers),Trail2=_classThis=_classDescriptor.value,_metadata&&Object.defineProperty(_classThis,Symbol.metadata,{enumerable:!0,configurable:!0,writable:!0,value:_metadata})}
  static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudtrail.Trail",version:"2.233.0"};
  static PROPERTY_INJECTION_ID="aws-cdk-lib.aws-cloudtrail.Trail";
  /**
   * Creates an EventBridge Rule in `scope` that matches `detailType` "AWS API Call via CloudTrail"
   * and adds `options.target` to it. The try/catch is jsii's deprecation-warning hook: any
   * non-DeprecationError is rethrown untouched; a DeprecationError only gets its stack trimmed
   * (via the comma expression) unless JSII_DEBUG === "1", then is rethrown as well.
   * @param {Construct} scope - parent construct
   * @param {string} id - construct id of the rule
   * @param {OnEventOptions} options - rule options; `target` is forwarded to `rule.addTarget`
   * @returns {Rule} the created rule
   */
  static onEvent(scope,id,options={}){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_events_OnEventOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.onEvent),error}const rule=new(events()).Rule(scope,id,options);return rule.addTarget(options.target),rule.addEventPattern({detailType:["AWS API Call via CloudTrail"]}),rule}
  // Instance fields. `trailArn` doubles as the slot where decorator initializers run
  // (`__runInitializers` is evaluated as its initializer and yields undefined; trailArn is assigned
  // for real at the end of the constructor).
  trailArn=__runInitializers(this,_instanceExtraInitializers);
  trailSnsTopicArn;
  logGroup;
  s3bucket;
  managementEvents;
  eventSelectors=[];   // accumulated CfnTrail event selectors; mutated by addEventSelector
  topic;
  insightTypeValues;
  /**
   * @param {Construct} scope
   * @param {string} id
   * @param {TrailProps} props - see the Trail class comment for the security-relevant defaults
   * @throws {ValidationError} when both `kmsKey` and `encryptionKey` are given
   */
  constructor(scope,id,props={}){super(scope,id,{physicalName:props.trailName});try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudtrail_TrailProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,Trail2),error}(0,metadata_resource_1().addConstructMetadata)(this,props);
  const cloudTrailPrincipal=new(iam()).ServicePrincipal("cloudtrail.amazonaws.com");
  // Bucket: caller-supplied or a new one that only accepts TLS requests (enforceSSL).
  this.s3bucket=props.bucket||new(s3()).Bucket(this,"S3",{enforceSSL:!0}),
  // CloudTrail may read the bucket ACL ...
  this.s3bucket.addToResourcePolicy(new(iam()).PolicyStatement({resources:[this.s3bucket.bucketArn],actions:["s3:GetBucketAcl"],principals:[cloudTrailPrincipal]})),
  // ... and write objects only under <prefix/>AWSLogs/<this account>/, only with the
  // bucket-owner-full-control ACL.
  this.s3bucket.addToResourcePolicy(new(iam()).PolicyStatement({resources:[this.s3bucket.arnForObjects(`${props.s3KeyPrefix?`${props.s3KeyPrefix}/`:""}AWSLogs/${core_1().Stack.of(this).account}/*`)],actions:["s3:PutObject"],principals:[cloudTrailPrincipal],conditions:{StringEquals:{"s3:x-amz-acl":"bucket-owner-full-control"}}})),
  // Organization trail: the org-wide PutObject grant needs both orgId (object prefix) and trailName
  // (for the aws:SourceArn condition that ties the grant to this one trail ARN). If either is
  // missing, only a synth-time warning is emitted and no org-level grant is attached.
  props.isOrganizationTrail&&(props.orgId===void 0?core_1().Annotations.of(this).addWarningV2("@aws-cdk/aws-cloudtrail:missingOrgIdForOrganizationTrail","Skipped attaching a policy to the bucket which allows organization trail to write because of missing orgId. Consider specifying orgId to add missing permissions"):props.trailName===void 0?core_1().Annotations.of(this).addWarningV2("@aws-cdk/aws-cloudtrail:missingTrailNameForOrganizationTrail","Skipped attaching a policy to the bucket which allows organization trail to write because of missing trailName. Consider specifying trailName to add missing permissions"):this.s3bucket.addToResourcePolicy(new(iam()).PolicyStatement({resources:[this.s3bucket.arnForObjects(`AWSLogs/${props.orgId}/*`)],actions:["s3:PutObject"],principals:[cloudTrailPrincipal],conditions:{StringEquals:{"s3:x-amz-acl":"bucket-owner-full-control","aws:SourceArn":`arn:${this.stack.partition}:cloudtrail:${this.s3bucket.stack.region}:${this.s3bucket.stack.account}:trail/${props.trailName}`}}}))),
  // Optional SNS topic: CloudTrail is granted publish on it.
  this.topic=props.snsTopic,this.topic&&this.topic.grantPublish(cloudTrailPrincipal);
  // NOTE: the minifier folded several statements into this `if` condition with the comma operator.
  // Only the LAST operand (`props.kmsKey&&props.encryptionKey`) decides whether to throw; the
  // preceding operands always run: optional CloudWatch Logs delivery (existing or new log group,
  // default retention ONE_YEAR, a role assumable only by cloudtrail.amazonaws.com and limited to
  // PutLogEvents/CreateLogStream on that single log group ARN), the default management-event
  // selector (skipped when managementEvents is unset or NONE), and the node validation hook.
  let logsRole;if(props.sendToCloudWatchLogs&&(props.cloudWatchLogGroup?this.logGroup=props.cloudWatchLogGroup:this.logGroup=new(logs()).LogGroup(this,"LogGroup",{retention:props.cloudWatchLogsRetention??logs().RetentionDays.ONE_YEAR}),logsRole=new(iam()).Role(this,"LogsRole",{assumedBy:cloudTrailPrincipal}),logsRole.addToPrincipalPolicy(new(iam()).PolicyStatement({actions:["logs:PutLogEvents","logs:CreateLogStream"],resources:[this.logGroup.logGroupArn]}))),this.managementEvents=props.managementEvents,this.managementEvents&&this.managementEvents!==ReadWriteType.NONE&&this.eventSelectors.push({includeManagementEvents:!0,readWriteType:props.managementEvents}),this.node.addValidation({validate:()=>this.validateEventSelectors()}),props.kmsKey&&props.encryptionKey)throw new(core_1()).ValidationError("Both kmsKey and encryptionKey must not be specified. Use only encryptionKey",this);
  // Insights selectors, if any.
  props.insightTypes&&(this.insightTypeValues=props.insightTypes.map(function(t){return{insightType:t.value}}));
  // L1 resource. `x==null?!0:x` gives log-file validation, multi-region and global-service events
  // a default of true. `kmsKeyId` prefers encryptionKey and falls back to the deprecated kmsKey;
  // when neither is set it is left undefined.
  const trail=new(cloudtrail_generated_1()).CfnTrail(this,"Resource",{isLogging:!0,enableLogFileValidation:props.enableFileValidation==null?!0:props.enableFileValidation,isMultiRegionTrail:props.isMultiRegionTrail==null?!0:props.isMultiRegionTrail,includeGlobalServiceEvents:props.includeGlobalServiceEvents==null?!0:props.includeGlobalServiceEvents,trailName:this.physicalName,kmsKeyId:props.encryptionKey?.keyArn??props.kmsKey?.keyRef.keyArn,s3BucketName:this.s3bucket.bucketName,s3KeyPrefix:props.s3KeyPrefix,cloudWatchLogsLogGroupArn:this.logGroup?.logGroupArn,cloudWatchLogsRoleArn:logsRole?.roleArn,snsTopicName:this.topic?.topicName,eventSelectors:this.eventSelectors,isOrganizationTrail:props.isOrganizationTrail,insightSelectors:this.insightTypeValues});
  // Outputs, plus explicit dependencies on the bucket policy and the logs role (presumably so the
  // grants exist before CloudFormation creates the trail and it starts delivering).
  this.trailArn=this.getResourceArnAttribute(trail.attrArn,{service:"cloudtrail",resource:"trail",resourceName:this.physicalName}),this.trailSnsTopicArn=trail.attrSnsTopicArn,this.s3bucket.policy&&trail.node.addDependency(this.s3bucket.policy),logsRole!==void 0&&trail.node.addDependency(logsRole)}
  /**
   * Adds a data-event selector for `dataResourceValues` of type `dataResourceType`.
   * When the trail was created with managementEvents NONE, `includeManagementEvents` defaults to
   * false for this selector (unless `options.includeManagementEvents` is given).
   * @param {DataResourceType} dataResourceType
   * @param {string[]} dataResourceValues - at most 250 ARNs/prefixes
   * @param {AddEventSelectorOptions} options
   * @throws {ValidationError} on more than 250 values or too many selectors
   * NOTE(review): the selector-count check runs before the push and uses `>5`, so a sixth selector
   * is still accepted while the message advertises a maximum of 5 — confirm against the intended
   * limit (the default management-event selector also counts toward `eventSelectors`).
   */
  addEventSelector(dataResourceType,dataResourceValues,options={}){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudtrail_DataResourceType(dataResourceType),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudtrail_AddEventSelectorOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addEventSelector),error}if(dataResourceValues.length>250)throw new(core_1()).ValidationError("A maximum of 250 data elements can be in one event selector",this);if(this.eventSelectors.length>5)throw new(core_1()).ValidationError("A maximum of 5 event selectors are supported per trail.",this);let includeAllManagementEvents;this.managementEvents===ReadWriteType.NONE&&(includeAllManagementEvents=!1),this.eventSelectors.push({dataResources:[{type:dataResourceType,values:dataResourceValues}],includeManagementEvents:options.includeManagementEvents??includeAllManagementEvents,excludeManagementEventSources:options.excludeManagementEventSources,readWriteType:options.readWriteType})}
  /**
   * Adds a Lambda data-event selector for the given functions (by `functionArn`).
   * No-op (returns undefined) when `handlers` is empty.
   * @param {IFunction[]} handlers
   * @param {AddEventSelectorOptions} options
   */
  addLambdaEventSelector(handlers,options={}){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudtrail_AddEventSelectorOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addLambdaEventSelector),error}if(handlers.length===0)return;const dataResourceValues=handlers.map(h=>h.functionArn);return this.addEventSelector(DataResourceType.LAMBDA_FUNCTION,dataResourceValues,options)}
  /**
   * Logs data events for every Lambda function in the partition (`arn:<partition>:lambda`).
   * @param {AddEventSelectorOptions} options
   */
  logAllLambdaDataEvents(options={}){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudtrail_AddEventSelectorOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.logAllLambdaDataEvents),error}return this.addEventSelector(DataResourceType.LAMBDA_FUNCTION,[`arn:${this.stack.partition}:lambda`],options)}
  /**
   * Adds an S3 object data-event selector; each entry becomes `<bucketArn>/<objectPrefix or "">`.
   * No-op (returns undefined) when `s3Selector` is empty.
   * @param {S3EventSelector[]} s3Selector
   * @param {AddEventSelectorOptions} options
   */
  addS3EventSelector(s3Selector,options={}){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudtrail_AddEventSelectorOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addS3EventSelector),error}if(s3Selector.length===0)return;const dataResourceValues=s3Selector.map(sel=>`${sel.bucket.bucketRef.bucketArn}/${sel.objectPrefix??""}`);return this.addEventSelector(DataResourceType.S3_OBJECT,dataResourceValues,options)}
  /**
   * Logs data events for every S3 object in the partition (`arn:<partition>:s3:::`).
   * @param {AddEventSelectorOptions} options
   */
  logAllS3DataEvents(options={}){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudtrail_AddEventSelectorOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.logAllS3DataEvents),error}return this.addEventSelector(DataResourceType.S3_OBJECT,[`arn:${this.stack.partition}:s3:::`],options)}
  /** Instance convenience wrapper around the static `onEvent`, scoped to this trail construct. */
  onCloudTrailEvent(id,options={}){return Trail2.onEvent(this,id,options)}
  /**
   * Validation hook registered in the constructor: a trail with management events set to NONE
   * and no data-event selector would record nothing, so that combination is reported as an error.
   * @returns {string[]} validation messages (empty when valid)
   */
  validateEventSelectors(){const errors=[];return this.managementEvents===ReadWriteType.NONE&&this.eventSelectors.length===0&&errors.push("At least one event selector must be added when management event recording is set to None"),errors}
  // Runs initializers registered by the class decorator.
  static{__runInitializers(_classThis,_classExtraInitializers)}};return Trail2=_classThis})();exports.Trail=Trail;
/** ManagementEventSources: event-source names usable in `excludeManagementEventSources`. */
var ManagementEventSources;(function(ManagementEventSources2){ManagementEventSources2.KMS="kms.amazonaws.com",ManagementEventSources2.RDS_DATA_API="rdsdata.amazonaws.com"})(ManagementEventSources||(exports.ManagementEventSources=ManagementEventSources={}));
/**
 * DataResourceType: CloudFormation data-resource type strings. Declared with `var` after Trail,
 * so it is hoisted and initialized at module load, before any Trail method can reference it.
 */
var DataResourceType;(function(DataResourceType2){DataResourceType2.LAMBDA_FUNCTION="AWS::Lambda::Function",DataResourceType2.S3_OBJECT="AWS::S3::Object"})(DataResourceType||(exports.DataResourceType=DataResourceType={}));