fix(cloudtrail): emit error if trailName is not set for organization trail

Author: sarisia

packages/aws-cdk-lib/aws-cloudtrail/lib/cloudtrail.ts

@@ -98,7 +98,9 @@ export interface TrailProps {
   readonly snsTopic?: sns.ITopic;
 
   /**
-   * The name of the trail. We recommend customers do not set an explicit name.
+   * The name of the trail.
+   *
+   * Required when `isOrganizationTrail` is set to true to attach the necessary permissions.
    *
    * @default - AWS CloudFormation generated name.
    */
@@ -272,6 +274,10 @@ export class Trail extends Resource {
 
     if (props.isOrganizationTrail) {
       if (props.orgId !== undefined) {
+        if (props.trailName === undefined) {
+          throw new Error('trailName is required for organization trail');
+        }
+
         this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({
           resources: [this.s3bucket.arnForObjects(
             `AWSLogs/${props.orgId}/*`,

packages/aws-cdk-lib/aws-cloudtrail/test/cloudtrail.test.ts

@@ -470,6 +470,17 @@ describe('cloudtrail', () => {
       Annotations.fromStack(stack).hasWarning('/TestStack/Trail', 'Skipped attaching a policy to the bucket to allow organization trail to write logs to it because this is an organization trail but orgId is not specified. Consider specifying orgId to attach missing permissions [ack: @aws-cdk/aws-cloudtrail:missingOrgIdForOrganizationTrail]');
     });
 
+    test('organizationTrail with orgId but without trailName fails', () => {
+      // GIVEN
+      const stack = getTestStack();
+
+      // WHEN
+      expect(() => new Trail(stack, 'ErrorTrail', {
+        isOrganizationTrail: true,
+        orgId: 'o-xxxxxxxxx',
+      })).toThrow('trailName is required for organization trail');
+    });
+
     test('encryption keys', () => {
       const stack = new Stack();
       const key = new kms.Key(stack, 'key');