fix(cloudtrail): Invalid resource for policy when using sendToCloudWa…

…tchLogs Sets `this.cloudWatchLogsGroupArn` before using it, such that a correct resource ARN is used in the policy generated for CloudTrail to be able to create and use the required log stream. Fixes #1848
aws · Feb 25, 2019 · 0fac1e4 · 0fac1e4
1 parent cec8564
commit 0fac1e4
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/packages/@aws-cdk/aws-cloudtrail/lib/index.ts b/packages/@aws-cdk/aws-cloudtrail/lib/index.ts
@@ -149,14 +149,13 @@ export class CloudTrail extends cdk.Construct {
       });
       this.cloudWatchLogsGroupArn = logGroup.logGroupArn;
 
-      const logsRole = new iam.Role(this, 'LogsRole', {assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });
+      const logsRole = new iam.Role(this, 'LogsRole', { assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });
+      this.cloudWatchLogsRoleArn = logsRole.roleArn;
 
       const streamArn = `${this.cloudWatchLogsRoleArn}:log-stream:*`;
       logsRole.addToPolicy(new iam.PolicyStatement()
         .addActions("logs:PutLogEvents", "logs:CreateLogStream")
         .addResource(streamArn));
-      this.cloudWatchLogsRoleArn = logsRole.roleArn;
-
     }
     if (props.managementEvents) {
       const managementEvent =  {

diff --git a/packages/@aws-cdk/aws-cloudtrail/test/test.cloudtrail.ts b/packages/@aws-cdk/aws-cloudtrail/test/test.cloudtrail.ts
@@ -75,8 +75,20 @@ export = {
         expect(stack).to(haveResource("AWS::S3::BucketPolicy", ExpectedBucketPolicyProperties));
         expect(stack).to(haveResource("AWS::Logs::LogGroup"));
         expect(stack).to(haveResource("AWS::IAM::Role"));
-        expect(stack).to(haveResource("AWS::Logs::LogGroup", {
-          RetentionInDays: 365
+        expect(stack).to(haveResource("AWS::Logs::LogGroup", { RetentionInDays: 365 }));
+        expect(stack).to(haveResource("AWS::IAM::Policy", {
+          PolicyDocument: {
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Action: ['logs:PutLogEvents', 'logs:CreateLogStream'],
+              Resource: {
+                'Fn::Join': ['', [{ 'Fn::GetAtt': ['MyAmazingCloudTrailLogsRoleF2CCF977', 'Arn'] }, ':log-stream:*']],
+              }
+            }]
+          },
+          PolicyName: 'MyAmazingCloudTrailLogsRoleDefaultPolicy61DC49E7',
+          Roles: [{ Ref: 'MyAmazingCloudTrailLogsRoleF2CCF977' }],
         }));
         const trail: any = stack.toCloudFormation().Resources.MyAmazingCloudTrail54516E8D;
         test.deepEqual(trail.DependsOn, ['MyAmazingCloudTrailS3Policy39C120B0']);