Merge pull request #244 from terraform-contrib/feat/insights/allow-enabling-available-insights

feat(insights): allow enabling available insights

Author: chtakahashi

.gitignore

@@ -1,5 +1,6 @@
 .DS_Store
 .terraform
+.terraform.lock.hcl
 terraform.tfstate
 terraform.tfstate.backup
 terraform.tfstate.*.backup

README.md

@@ -61,6 +61,8 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| api\_call\_rate\_insight | A measurement of write-only management API calls that occur per minute against a baseline API call volume. | `bool` | `false` | no |
+| api\_error\_rate\_insight | A measurement of management API calls that result in error codes. The error is shown if the API call is unsuccessful. | `bool` | `false` | no |
 | cloudwatch\_log\_group\_name | The name of the CloudWatch Log Group that receives CloudTrail events. | `string` | `"cloudtrail-events"` | no |
 | enabled | Enables logging for the trail. Defaults to true. Setting this to false will pause logging. | `bool` | `true` | no |
 | iam\_policy\_name | Name for the CloudTrail IAM policy | `string` | `"cloudtrail-cloudwatch-logs-policy"` | no |

main.tf

@@ -1,10 +1,8 @@
 # The AWS region currently being used.
-data "aws_region" "current" {
-}
+data "aws_region" "current" {}
 
 # The AWS account id
-data "aws_caller_identity" "current" {
-}
+data "aws_caller_identity" "current" {}
 
 # The AWS partition (commercial or govcloud)
 data "aws_partition" "current" {}
@@ -219,12 +217,11 @@ data "aws_iam_policy_document" "cloudtrail_kms_policy_doc" {
       "kms:Decrypt*",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey*",
-      "kms:Describe*"
+      "kms:Describe*",
     ]
     resources = ["*"]
   }
 
-
   statement {
     sid    = "Allow Cloudtrail to decrypt and generate key for sns access"
     effect = "Allow"
@@ -240,7 +237,6 @@ data "aws_iam_policy_document" "cloudtrail_kms_policy_doc" {
     ]
     resources = ["*"]
   }
-
 }
 
 resource "aws_kms_key" "cloudtrail" {
@@ -289,8 +285,18 @@ resource "aws_cloudtrail" "main" {
   # Enables SNS log notification
   sns_topic_name = var.sns_topic_arn
 
-  tags = var.tags
+  # Enable Insights
+  dynamic "insight_selector" {
+    for_each = compact([
+      var.api_call_rate_insight ? "ApiCallRateInsight" : null,
+      var.api_error_rate_insight ? "ApiErrorRateInsight" : null,
+    ])
+    content {
+      insight_type = insight_selector.value
+    }
+  }
 
+  tags = var.tags
 
   depends_on = [
     aws_kms_key.cloudtrail,

variables.tf

@@ -56,6 +56,7 @@ variable "s3_key_prefix" {
   default     = "cloudtrail"
   type        = string
 }
+
 variable "sns_topic_arn" {
   description = "ARN of the SNS topic for notification of log file delivery."
   default     = ""
@@ -67,3 +68,15 @@ variable "tags" {
   default     = {}
   type        = map(string)
 }
+
+variable "api_call_rate_insight" {
+  description = "A measurement of write-only management API calls that occur per minute against a baseline API call volume."
+  default     = false
+  type        = bool
+}
+
+variable "api_error_rate_insight" {
+  description = "A measurement of management API calls that result in error codes. The error is shown if the API call is unsuccessful."
+  default     = false
+  type        = bool
+}