VhbadZdZdZ ddlmZddlmZddlmZddl m Z ddl m Z dd l m Z dd l mZd Zd ZddZdZdZdZdZdZedk(rey y #e$rYLwxYw)a --- module: cloudtrail version_added: 5.0.0 short_description: manage CloudTrail create, delete, update description: - Creates, deletes, or updates CloudTrail configuration. Ensures logging is also enabled. - This module was originally added to C(community.aws) in release 1.0.0. author: - Ansible Core Team - Ted Timmons (@tedder) - Daniel Shepherd (@shepdelacreme) options: state: description: - Add or remove CloudTrail configuration. - 'The following states have been preserved for backwards compatibility: O(state=enabled) and O(state=disabled).' - O(state=enabled) is equivalet to O(state=present). - O(state=disabled) is equivalet to O(state=absent). type: str choices: ['present', 'absent', 'enabled', 'disabled'] default: present name: description: - Name for the CloudTrail. - Names are unique per-region unless the CloudTrail is a multi-region trail, in which case it is unique per-account. type: str default: default enable_logging: description: - Start or stop the CloudTrail logging. If stopped the trail will be paused and will not record events or deliver log files. default: true type: bool s3_bucket_name: description: - An existing S3 bucket where CloudTrail will deliver log files. - This bucket should exist and have the proper policy. - See U(https://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_regions_bucket_policy.html). - Required when O(state=present). type: str s3_key_prefix: description: - S3 Key prefix for delivered log files. A trailing slash is not necessary and will be removed. type: str is_multi_region_trail: description: - Specify whether the trail belongs only to one region or exists in all regions. default: false type: bool enable_log_file_validation: description: - Specifies whether log file integrity validation is enabled. - CloudTrail will create a hash for every log file delivered and produce a signed digest file that can be used to ensure log files have not been tampered. type: bool aliases: [ "log_file_validation_enabled" ] include_global_events: description: - Record API calls from global services such as IAM and STS. default: true type: bool aliases: [ "include_global_service_events" ] sns_topic_name: description: - SNS Topic name to send notifications to when a log file is delivered. type: str cloudwatch_logs_role_arn: description: - Specifies a full ARN for an IAM role that assigns the proper permissions for CloudTrail to create and write to the log group. - See U(https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html). - Required when O(cloudwatch_logs_log_group_arn). type: str cloudwatch_logs_log_group_arn: description: - A full ARN specifying a valid CloudWatch log group to which CloudTrail logs will be delivered. The log group should already exist. - See U(https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html). - Required when O(cloudwatch_logs_role_arn). type: str kms_key_id: description: - Specifies the KMS key ID to use to encrypt the logs delivered by CloudTrail. This also has the effect of enabling log file encryption. - The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier. - Encryption can be disabled by setting O(kms_key_id=""). - See U(https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html). type: str notes: - The O(purge_tags) option was added in release 4.0.0. extends_documentation_fragment: - amazon.aws.common.modules - amazon.aws.region.modules - amazon.aws.tags - amazon.aws.boto3 a - name: create single region cloudtrail amazon.aws.cloudtrail: state: present name: default s3_bucket_name: mylogbucket s3_key_prefix: cloudtrail region: us-east-1 - name: create multi-region trail with validation and tags amazon.aws.cloudtrail: state: present name: default s3_bucket_name: mylogbucket region: us-east-1 is_multi_region_trail: true enable_log_file_validation: true cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role" cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*" kms_key_id: "alias/MyAliasName" tags: environment: dev Name: default - name: show another valid kms_key_id amazon.aws.cloudtrail: state: present name: default s3_bucket_name: mylogbucket kms_key_id: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012" # simply "12345678-1234-1234-1234-123456789012" would be valid too. - name: pause logging the trail we just created amazon.aws.cloudtrail: state: present name: default enable_logging: false s3_bucket_name: mylogbucket region: us-east-1 is_multi_region_trail: true enable_log_file_validation: true tags: environment: dev Name: default - name: delete a trail amazon.aws.cloudtrail: state: absent name: default a exists: description: whether the resource exists. returned: always type: bool sample: true trail: description: CloudTrail resource details. returned: always type: complex sample: hash/dictionary of values contains: trail_arn: description: Full ARN of the CloudTrail resource. returned: success type: str sample: arn:aws:cloudtrail:us-east-1:123456789012:trail/default name: description: Name of the CloudTrail resource. returned: success type: str sample: default is_logging: description: Whether logging is turned on or paused for the Trail. returned: success type: bool sample: True s3_bucket_name: description: S3 bucket name where log files are delivered. returned: success type: str sample: myBucket s3_key_prefix: description: Key prefix in bucket where log files are delivered (if any). returned: success when present type: str sample: myKeyPrefix log_file_validation_enabled: description: Whether log file validation is enabled on the trail. returned: success type: bool sample: true include_global_service_events: description: Whether global services (IAM, STS) are logged with this trail. returned: success type: bool sample: true is_multi_region_trail: description: Whether the trail applies to all regions or just one. returned: success type: bool sample: true is_organization_trail: description: - Specifies whether the trail is created for all accounts in an organization in Organizations, or only for the current Amazon Web Services account. returned: success type: bool sample: true has_custom_event_selectors: description: Whether any custom event selectors are used for this trail. returned: success type: bool sample: False has_insight_selectors: description: Whether any insight selectors are used for this trail. returned: success type: bool sample: False home_region: description: The home region where the trail was originally created and must be edited. returned: success type: str sample: us-east-1 sns_topic_name: description: The SNS topic name where log delivery notifications are sent. returned: success when present type: str sample: myTopic sns_topic_arn: description: Full ARN of the SNS topic where log delivery notifications are sent. returned: success when present type: str sample: arn:aws:sns:us-east-1:123456789012:topic/myTopic cloud_watch_logs_log_group_arn: description: Full ARN of the CloudWatch Logs log group where events are delivered. returned: success when present type: str sample: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:* cloud_watch_logs_role_arn: description: Full ARN of the IAM role that CloudTrail assumes to deliver events. returned: success when present type: str sample: arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role kms_key_id: description: Full ARN of the KMS Key used to encrypt log files. returned: success when present type: str sample: arn:aws:kms::123456789012:key/12345678-1234-1234-1234-123456789012 tags: description: hash/dictionary of tags applied to this resource returned: success type: dict sample: {'environment': 'dev', 'Name': 'default'} ) BotoCoreError) ClientError)camel_dict_to_snake_dict)AnsibleAWSModule)ansible_dict_to_boto3_tag_list)boto3_tag_list_to_ansible_dict)compare_aws_tagsc` |j|}|dS#ttf$rgcYSwxYw)z get list of key aliases module : AnsibleAWSModule object client : boto3 client connection object for kms keyId : keyId to get aliases for )KeyIdAliases) list_aliasesrr)moduleclientkeyIdkey_resps i/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/amazon/aws/plugins/modules/cloudtrail.pyget_kms_key_aliasesrsD&&U&3 I  ; ' s --ci} |jdi|}|S#ttf$r}|j|dYd}~|Sd}~wwxYw)z Creates a CloudTrail module : AnsibleAWSModule object client : boto3 client connection object ct_params : The parameters for the Trail to create zFailed to create TrailmsgN) create_trailrr fail_json_aws)rr ct_paramsresperrs rrr!s` D@"v""/Y/ K ; '@S&>?? K@sAAANc|y|xsi}t|||\}}|s|sy|jry|r2|Dcic]}||| } }t| } |j|||r t|} |j||yycc}w#tt f$r} |j | dYd} ~ Od} ~ wwxYw#tt f$r} |j | dYd} ~ yd} ~ wwxYw) a Creates, updates, removes tags on a CloudTrail resource module : AnsibleAWSModule object client : boto3 client connection object tags : Dict of tags converted from ansible_dict to boto3 list of dicts trail_arn : The ARN of the CloudTrail to operate on curr_tags : Dict of the current tags on resource, if any dry_run : true/false to determine if changes will be made if needed NF) purge_tagsT) ResourceIdTagsListz Failed to remove tags from TrailrzFailed to add tags to Trail)r check_moder remove_tagsrrradd_tags) rrtags trail_arn curr_tagsr tags_to_addtags_to_removekremovers r tag_trailr+2s |RI"29dz"ZK ~ +9:a!Yq\/::7? N   )n  M4[A  I OOy;O G ;{+ N  *L M M N{+ I  *G H H  Is5 BB /B8 B5B00B58C$CC$c|dk(r% |j||j|S|dk(r% |j ||j|S|j dy#ttf$r}|j |dYd}~yd}~wwxYw#ttf$r}|j |dYd}~yd}~wwxYw) z Starts or stops logging based on given state module : AnsibleAWSModule object client : boto3 client connection object name : The name or ARN of the CloudTrail to operate on action : start or stop startNamezFailed to start loggingrNstopzFailed to stop loggingzUnsupported logging action) start_loggingget_trail_statusrrr stop_logging fail_json)rrnameactionrs r set_loggingr7\s E  d +***5 5 6  D   T  ****5 5 9:{+ E  *C D D E {+ D  *B C C Ds.#A(#B(B7BBC&B>>Cc |j|g}t dr|dd} |j |d}|j |d g }d |d <td dd |d<tgd}|t|jz D]} d|| < |Sy#ttf$r}|j|dYd}~d}~wwxYw#ttf$r}|j|dYd}~d}~wwxYw)z Describes existing trail in an account module : AnsibleAWSModule object client : boto3 client connection object name : Name of the trail ) trailNameListzFailed to describe TrailrN trailListrr/r.TrailARN)ResourceIdList IsLoggingResourceTagListr r$) S3KeyPrefix SnsTopicName SnsTopicARNCloudWatchLogsLogGroupArnCloudWatchLogsRoleArnKmsKeyId) describe_trailsrrrlenr2 list_tagsrsetkeys) rrr5 trail_resprtrail status_resp tags_list optional_valsvs rget_trail_factsrPusFB++4&+A  :k "#;'* F 11uV}1EK((z9J8K(LI)5k6yAR7STU7VWa7bcf    UZZ\!22 AE!H  ? ; 'BS&@AAB{+ F  *D E E Fs.B,+C,C;CCD*DDc |j|y#ttf$r}|j|dYd}~yd}~wwxYw)z Delete a CloudTrail module : AnsibleAWSModule object client : boto3 client connection object trail_arn : Full CloudTrail ARN r.zFailed to delete TrailrN) delete_trailrrr)rrr%rs rrRrRsG@+ ; '@S&>??@A<Ac |jdi|y#ttf$r}|j|dYd}~yd}~wwxYw)z Delete a CloudTrail module : AnsibleAWSModule object client : boto3 client connection object ct_params : The parameters for the Trail to update zFailed to update TrailrNr) update_trailrrr)rrrrs rrUrUsI@(i( ; '@S&>??@rSc ttdgdtdtddttd ttd dtdd g tddd gttttddg tdd}dddgfdddgfg}dg}t|d||}|jddvrd}n|jddvrd}|jd}|jd}|jd}t|jd|jd|jd|jd }|jd!r!|jd!jd"|d#<|jd$r|jd$|d%<|jd&r|jd&|d'<|jd(r|jd(|d)<|jd*|jd*|d+<|jd,|jd,|d-<|j d.} |j } td d /} t || |d0} | d| d1<| jd-} dk(r;| d1r6d| d2<d | d1<t| d3<|jsYt|| | d4nG|dk(r| d1rd }|D]}t|}|d+k(rd5}|j|d6k(rd}n|j|}|| j|k7sRd}|d-k7rd| d2<|jsk| j||j|i|js|rt|| |t || |d0} |js | jd-k7rbd| d2<n\|jd-} |k7rFd| d2<t||j d7| }|D] }|d8|k(s|d9|k(s |d:|k(sd | d2<"|r-| d;s(d| d2<d| d;<|jst|| |d0d<=|s-| d;r(d| d2<d | d;<|jst|| |d0d>=t|| || d4| d|?}|r,t}|s| d}|j|d| d2<|| d<t!| dg@| d3<nE|dk(r?| d1s9d| d2<d| d1<|jsu|rt#||dA<t%|| |} | j'|d0B}|rd;st|| |d0d<=|sd;rt|| |d0d>=t || |d0} |jrdE} |j dF}|j/dG}t} | j|d+|vrd |d+<|d+| d+<| j1d+dH| zdIz|zdJz|d0z}d | dK<| | dL<|| d4<|| d;<|| d<t!| dg@| d3<|j2dMi| y#t(t*f$r}|j-|dCDYd}~+d}~wwxYw#t(t*f$rYwxYw)NNpresent)rWabsentenableddisabled)defaultchoicesr[)r[Tbool)r[typeF)no_loglog_file_validation_enabled)r^aliasesinclude_global_service_events)r[r^radict resource_tags)stater5enable_loggings3_bucket_name s3_key_prefixsns_topic_nameis_multi_region_trailenable_log_file_validationinclude_global_eventscloudwatch_logs_role_arncloudwatch_logs_log_group_arn kms_key_idr$rrergrY)rmrn) argument_specsupports_check_moderequired_together required_if)rWrY)rXrZrXr$rrfr5rlrj)r/ S3BucketNameIncludeGlobalServiceEventsIsMultiRegionTrailrh/r?rir@rmrCrnrBrkEnableLogFileValidationrorD cloudtrail)changedexistsr/r{rzrKr;LogFileValidationEnabledkms AliasNameAliasArn TargetKeyIdr=r-)r5r6r0)r$r%r&r) ignore_listr r.zFailed to fetch Trail statucr 123456789012stsAccountzarn:aws:cloudtrail::z:trail/HasCustomEventSelectors HomeRegionr)rcrparamsrstriprregionrPgetr!rRstrupdaterUrr7r+rrrr2rrrget_caller_identitypop exit_json)rprsrrrrer$rrfrrrresultsrKinitial_kms_key_id do_updatekeytkeyvalnew_keyinitial_aliasesa tags_changed updated_tags created_trailrLracct_id sts_clientfake_arns rmainrs49.Z[ ) $Dv6v%(v"5v>#'V>[=\#]"4fGfFgh!%&*f6 v'8 962M"Y)9(:;gyScRd=efKVW # + F}}W!77 w #9 9 == D|,J]]#34N ]]6 "]]#34#)==1H#I!==)@A I}}_%#)==#A#H#H#M -  }}%&$*MM2B$C .! }}/0-3]];U-V )* }}4517?^1_ -. }}12>/5}}=Y/Z +, }}\". & l ; * ]]< (F ]]F5/G FFIf,= >E  "YYz2 WX.! !6  z): ; )  1  =Cs8D//1}}S!R'mmC(eiio% :%*.GI&$$LL$ c(:!;<' =*  Y  3#FFIf4EFE  !UYYz%::%) "mmJ/G!W,%) " #6ffmmE>RTf"g(3A~0AjMW4LPQR_P`dkPk-2 *3 % "4!%GI !%E+ $$FF61B7S% "4!%GI !&E+ $$FF61B6R! Fz1BeTZmhr  6L$V}    %!%GI (E&M4ExP ) GH$5!    (Ft(L *%(CM N$55=;P5Q k+&>FF61B7S!k+&>FF61B6R#FFIf4EFE   $G #]]51 $88:9EFE LL #( 97< 34/89R/SE+ , II/ 0,v5;gE QT]^dTeeH/4E+ ,"(E,  (E* !/E+  E&M3ExPFwC";/ N$$S.L$MM N ";/  s*X-$YY .YY Y! Y!__main__)NT) DOCUMENTATIONEXAMPLESRETURNbotocore.exceptionsrr ImportError0ansible.module_utils.common.dict_transformationsr;ansible_collections.amazon.aws.plugins.module_utils.modulesr;ansible_collections.amazon.aws.plugins.module_utils.taggingrrr rrr+r7rPrRrUr__name__rrrs\ |1 fg R 1/VXffX$"'T;2*Z @ @H V zFK   s AA! A!