From e48b74060e1c7fa3d3d75b5f5e0117a4bc8eb10f Mon Sep 17 00:00:00 2001
From: William Orr
Date: Tue, 3 Dec 2024 13:13:09 +0000
Subject: [PATCH 1/3] add read cloudtrail events

---
 CHANGELOG.md | 4 ++++
 README.md | 7 ++++++-
 iam_builder/iam_builder.py | 3 +++
 iam_builder/schemas/iam_schema.json | 4 ++++
 iam_builder/templates.py | 10 ++++++++++
 pyproject.toml | 2 +-
 tests/expected_policy/cloudtrail_lookup_events.json | 13 +++++++++++++
 tests/test_config/cloudtrail_lookup_events.yaml | 1 +
 tests/test_iam_builder.py | 3 ++-
 9 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 tests/expected_policy/cloudtrail_lookup_events.json
 create mode 100644 tests/test_config/cloudtrail_lookup_events.yaml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6178e37..d5d9d9e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## v4.10.0
+
+- Add read Cloudtrail event permission
+
 ## v4.9.0
 
 - Add `external_iam_role` to allow Airflow Pulumi tests to pass
diff --git a/README.md b/README.md
index 4f1eb5c..d53b4aa 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,8 @@ kms:
 - test_kms_key_arn
 
 bedrock: true
+
+cloudtrail_lookup_events: true
 ```
 
 Whilst the example json (`iam_config.json`) looks like this:
@@ -100,7 +102,8 @@ Whilst the example json (`iam_config.json`) looks like this:
 ]
 },
 "kms": ["test_kms_key_arn"],
- "bedrock": true
+ "bedrock": true,
+ "cloudtrail_lookup_events": true
 }
 ```
 
@@ -129,6 +132,8 @@ Whilst the example json (`iam_config.json`) looks like this:
 
 - **bedrock:** Boolean; must be set to `true` to allow role to interact with Amazon Bedrock. If `false` or absent role will not be able to interact with Amazon Bedrock.
 
+- **cloudtrail_lookup_events** Boolean; must be set to `true` to allow role to read Amazon CloudTrail events. If `false` or absent role will not be able to read Amazon Cloudtrail events.
+
 ## How to update
 
 When updating IAM builder, make sure to change the version number in `pyproject.toml` and describe the change in `CHANGELOG.md`.
diff --git a/iam_builder/iam_builder.py b/iam_builder/iam_builder.py
index 0a389b9..57ab60c 100644
--- a/iam_builder/iam_builder.py
+++ b/iam_builder/iam_builder.py
@@ -99,4 +99,7 @@ def build_iam_policy(config: dict) -> dict: # noqa: C901
 if "bedrock" in config and config["bedrock"]:
 iam["Statement"].extend(iam_lookup["bedrock"])
+ if "cloudtrail_lookup_events" in config:
+ iam["Statement"].extend(iam_lookup["cloudtrail_lookup_events"])
+
 
 return iam
diff --git a/iam_builder/schemas/iam_schema.json b/iam_builder/schemas/iam_schema.json
index 797c795..8718ae3 100644
--- a/iam_builder/schemas/iam_schema.json
+++ b/iam_builder/schemas/iam_schema.json
@@ -89,6 +89,10 @@
 "description": "bedrock must be set to true to allow role to interact with Amazon Bedrock.",
 "type": "boolean"
 },
+ "cloudtrail_lookup_events": {
+ "description": "cloudtrail_lookup_events must be set to true to allow cloudtrail lookup",
+ "type": "boolean"
+ },
 "role_duration_seconds":{
 "description": "Max duration role can be assumed for in seconds",
 "type": "integer"
diff --git a/iam_builder/templates.py b/iam_builder/templates.py
index 00951fa..27c9992 100755
--- a/iam_builder/templates.py
+++ b/iam_builder/templates.py
@@ -166,6 +166,16 @@
 }
 }
 }
+ ],
+ "cloudtrail_lookup_events": [
+ {
+ "Sid": "allowLookup",
+ "Effect": "Allow",
+ "Action": [
+ "cloudtrail:LookupEvents"
+ ],
+ "Resource": ["*"]
+ }
 ]
 }
 
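Review bot: The added guard `if "cloudtrail_lookup_events" in config:` tests only for the key's presence, so a config with `cloudtrail_lookup_events: false` still appends the CloudTrail statement, which contradicts the bedrock check on the line directly above it, the README text added in this same patch ("If `false` or absent role will not be able to read Amazon Cloudtrail events") and the boolean type declared in iam_schema.json. Change it to `if "cloudtrail_lookup_events" in config and config["cloudtrail_lookup_events"]:` (or `if config.get("cloudtrail_lookup_events"):`) so an explicit opt-out really withholds the permission. The only fixture added, tests/test_config/cloudtrail_lookup_events.yaml, sets the flag to true, so the parameterised run in tests/test_iam_builder.py cannot catch this; a second config with the flag set to false and an expected policy without the CloudTrail statement would. build_iam_policy begins above this hunk.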
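Review bot: `"Resource": ["*"]` in the new `cloudtrail_lookup_events` statement carries no explanation, and a wildcard resource in a generated IAM policy is exactly the kind of line a later reader will flag as an oversight. As far as I know cloudtrail:LookupEvents accepts no resource-level restriction, so `*` is the only value that works, but that reasoning should sit next to the line, e.g. `# cloudtrail:LookupEvents has no resource-level permissions; "*" is required and exposes the account's whole CloudTrail event history`. The `"Sid": "allowLookup"` is also the only hint of what the statement is for; `"Sid": "allowCloudtrailLookupEvents"` would make the emitted policy self-describing, with the same change applied to tests/expected_policy/cloudtrail_lookup_events.json. The enclosing dict literal starts above this hunk.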
diff --git a/pyproject.toml b/pyproject.toml
index 1410fc6..0daaa4e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "iam_builder"
-version = "4.9.0"
+version = "4.10.0"
 description = "A lil python package to generate iam policies"
 authors = ["Karik Isichei "]
 license = "MIT"
diff --git a/tests/expected_policy/cloudtrail_lookup_events.json b/tests/expected_policy/cloudtrail_lookup_events.json
new file mode 100644
index 0000000..822b78d
--- /dev/null
+++ b/tests/expected_policy/cloudtrail_lookup_events.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "allowLookup",
+ "Effect": "Allow",
+ "Action": [
+ "cloudtrail:LookupEvents"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/test_config/cloudtrail_lookup_events.yaml b/tests/test_config/cloudtrail_lookup_events.yaml
new file mode 100644
index 0000000..357d258
--- /dev/null
+++ b/tests/test_config/cloudtrail_lookup_events.yaml
@@ -0,0 +1 @@
+cloudtrail_lookup_events: true
\ No newline at end of file
diff --git a/tests/test_iam_builder.py b/tests/test_iam_builder.py
index 441baa5..af61347 100644
--- a/tests/test_iam_builder.py
+++ b/tests/test_iam_builder.py
@@ -74,7 +74,8 @@ class TestConfigOutputs(unittest.TestCase):
 "glue_job",
 "all_config",
 "secrets",
- "secrets_readwrite"
+ "secrets_readwrite",
+ "cloudtrail_lookup_events"
 ]
 )
 def test_config_output(self, config_name):

From 4363ea0244b72ace395a29c5b1cf2baf0eeb0160 Mon Sep 17 00:00:00 2001
From: William Orr
Date: Tue, 3 Dec 2024 13:19:48 +0000
Subject: [PATCH 2/3] fix test

---
 tests/expected_policy/cloudtrail_lookup_events.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/expected_policy/cloudtrail_lookup_events.json b/tests/expected_policy/cloudtrail_lookup_events.json
index 822b78d..04004c9 100644
--- a/tests/expected_policy/cloudtrail_lookup_events.json
+++ b/tests/expected_policy/cloudtrail_lookup_events.json
@@ -7,7 +7,7 @@
 "Action": [
 "cloudtrail:LookupEvents"
 ],
- "Resource": "*"
+ "Resource": ["*"]
 }
 ]
 }
\ No newline at end of file

From 0577e7719b27d6d788eb8e7983604e3126bc8266 Mon Sep 17 00:00:00 2001
From: William Orr
Date: Tue, 3 Dec 2024 14:01:04 +0000
Subject: [PATCH 3/3] the joy of yaml

---
 tests/test_config/cloudtrail_lookup_events.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_config/cloudtrail_lookup_events.yaml b/tests/test_config/cloudtrail_lookup_events.yaml
index 357d258..850d1fd 100644
--- a/tests/test_config/cloudtrail_lookup_events.yaml
+++ b/tests/test_config/cloudtrail_lookup_events.yaml
@@ -1 +1 @@
-cloudtrail_lookup_events: true
\ No newline at end of file
+cloudtrail_lookup_events: true