cloudtrail/enabled_in_all_regions:snowflake

cloudquery · Dec 23, 2023 · b387f58 · b387f58
1 parent 80855d1
commit b387f58
Showing 1 changed file with 22 additions and 8 deletions.
diff --git a/transformations/aws/macros/cloudtrail/enabled_in_all_regions.sql b/transformations/aws/macros/cloudtrail/enabled_in_all_regions.sql
@@ -39,10 +39,17 @@ select
     aws_cloudtrail_trails.account_id,
     arn as resource_id,
     case
-        when is_multi_region_trail = FALSE or (
-                    is_multi_region_trail = TRUE and (
-                        read_write_type != 'All' or include_management_events = FALSE
-                )) then 'fail'
+        when aws_cloudtrail_trails.is_multi_region_trail = FALSE then 'fail'
+        when exists(select *
+                    from jsonb_array_elements(aws_cloudtrail_trail_event_selectors.event_selectors) as es
+                    where es ->>'ReadWriteType' != 'All' or (es->>'IncludeManagementEvents')::boolean = FALSE)
+            then 'fail'
+        when exists(select *
+                    from jsonb_array_elements(aws_cloudtrail_trail_event_selectors.advanced_event_selectors) as aes
+                    where exists(select *
+                                 from jsonb_array_elements(aes ->'FieldSelectors') as aes_fs
+                                 where aes_fs ->>'Field' = 'readOnly'))
+            then 'fail'
         else 'pass'
     end as status
 from {{ full_table_name("aws_cloudtrail_trails") }}
@@ -61,10 +68,17 @@ select
     aws_cloudtrail_trails.account_id,
     arn as resource_id,
     case
-        when is_multi_region_trail = FALSE or (
-                    is_multi_region_trail = TRUE and (
-                        read_write_type != 'All' or include_management_events = FALSE
-                )) then 'fail'
+        when aws_cloudtrail_trails.is_multi_region_trail = FALSE then 'fail'
+        when exists(select *
+                    from jsonb_array_elements(aws_cloudtrail_trail_event_selectors.event_selectors) as es
+                    where es:ReadWriteType != 'All' or (es:IncludeManagementEvents)::boolean = FALSE)
+            then 'fail'
+        when exists(select *
+                    from jsonb_array_elements(aws_cloudtrail_trail_event_selectors.advanced_event_selectors) as aes
+                    where exists(select *
+                                 from jsonb_array_elements(aes:FieldSelectors) as aes_fs
+                                 where aes_fs:Field = 'readOnly'))
+            then 'fail'
         else 'pass'
     end as status
 from aws_cloudtrail_trails