(cloudtrail): (configuration for IsOrganizationTrail is failed)

[haikoschmidt]

Describe the feature

I miss the fact that I can use boolean to specify an OrganizationTrail as in CloudFormation.

https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-isorganizationtrail

Use Case

I am currently converting my payer configuration to CDK, at least what is available at all, which unfortunately is still very little at the moment. Using CloudFormation, I can specify whether a trail is an organization trail and whether it is then automatically rolled out throughout the organization.
Unfortunately, this is not yet possible with CDK.

Proposed Solution

Give an option that you can configure this using boolean, the default should be "false".

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.37.1

Environment details (OS name and version, etc.)

none

[laurelmay]

As a workaround, you should be able to use an escape hatch to override the property:

import * as cloudtrail from "aws-cdk-lib/aws-cloudtrail";

// Create the L2 Trail resource with the preferred configuration
const trail = new cloudtrail.Trail(stack, "OrganizationTrail");
// Get the underlying AWS::CloudTrail::Trail L1 resource
const l1Trail = trail.node.defaultChild as cloudtrail.CfnTrail;
// Use the escape hatch to set the L1 AWS::CloudTrail::Trail resource's property
l1Trail.addPropertyOverride("IsOrganizationTrail", true);

[peterwoodworth]

Thanks for the feature request @haikoschmidt,

I am marking this issue as p2, which means that we are unable to work on this immediately.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we'd be happy to review a PR 🙂

Link to code where we declare the CfnTrail

aws-cdk/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts

Line 275 in 1e57c6c

const trail = new CfnTrail(this, 'Resource', {

[chinmayv2]

Hello All,
I was going through the chain since I am interested to contribute to the cdk. I understood the suggestion/ proposed solution is

Give an option that you can configure this using boolean, the default should be "false".

Excerpts from this link attached in the bug report.

If the trail is an organization trail and this is set to false, the trail will remain in the current AWS account but be deleted from all member accounts in the organization.

1- Do we expect any unintended side-effects or trails being un-intentionally deleted if we default it to false ?
2- Should we have the default to true ?

[peterwoodworth]

Hey @chinmayv2,

The CloudFormation documentation mentions that this prop is set to false by default, so that's what we'd want to do here as well. Someone would have had to explicitly set this to true for the behavior to change, so if we keep the default as false or undefined then that will not affect existing users.

[TheRealAmazonKendra]

It may be worth it to point to to CloudFormation that the documentation there is pretty confusing/misleading. I had to re-read it a few times to get what the actual behavior was.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.