This module creates an AWS CloudTrail trail and its related resources (CloudWatch Logs log group and delivery role, KMS key, SNS topic). The S3 bucket that receives the trail's log files is created outside of the module.

Before this module can be used, ensure that the following prerequisite is met:

- Create the CloudTrail S3 bucket, with a bucket policy that lets `cloudtrail.amazonaws.com` read the bucket ACL and write objects under the key prefix the trail uses. Please check the examples.

Below is a complete example without the S3 bucket creation part. More examples can be found in the examples directory.
```hcl
module "cloudtrail" {
  source = "avlcloudtechnologies/cloudtrail/aws"

  name           = "${var.name}-${var.environment}"
  s3_bucket_name = module.cloudtrail_bucket.this_s3_bucket_id
  s3_key_prefix  = "cloudtrail"

  enable_cloudwatch_logs            = true
  cloudwatch_logs_retention_in_days = 365

  enable_logging                = true
  enable_log_file_validation    = true
  include_global_service_events = true
  is_multi_region_trail         = true
  is_organization_trail         = true
  enable_sns_notifications      = true
  create_kms_key                = true

  event_selectors = [
    {
      read_write_type           = "All"
      include_management_events = true
      data_resource = {
        type   = "AWS::Lambda::Function"
        values = ["arn:aws:lambda"]
      }
    },
    {
      read_write_type           = "WriteOnly"
      include_management_events = true
      data_resource = {
        type   = "AWS::S3::Object"
        values = ["arn:aws:s3:::"]
      }
    },
  ]

  insight_selectors = [
    {
      insight_type = "ApiCallRateInsight"
    }
  ]

  tags = {
    foo = "bar"
  }
}
```
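The example above references `module.cloudtrail_bucket`, which is created outside the module. The following is an added example of that bucket, not code from this module or its examples directory. It assumes AWS provider 4.x or later (for the split `aws_s3_bucket_*` resources, which still satisfies the `>= 3.36` requirement), the same `var.name`, `var.environment` and `var.tags` as the example, and an organization trail created in the organization management account (so `data.aws_organizations_organization` resolves). The bucket name, local names and the `DenyInsecureTransport` statement are choices made here, not module requirements.

```hcl
# Added example: S3 bucket for the trail, with the policy CloudTrail needs.
# Assumes AWS provider >= 4.0 and var.name / var.environment / var.tags.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
data "aws_organizations_organization" "current" {}

locals {
  bucket_name = "${var.name}-${var.environment}-cloudtrail" # assumed naming
  key_prefix  = "cloudtrail"                                # must equal s3_key_prefix
  account_id  = data.aws_caller_identity.current.account_id
  # The trail ARN is deterministic, so the bucket policy can pin it before the
  # trail exists without a dependency cycle between bucket and module.
  trail_arn = "arn:aws:cloudtrail:${data.aws_region.current.name}:${local.account_id}:trail/${var.name}-${var.environment}"
}

resource "aws_s3_bucket" "cloudtrail" {
  bucket = local.bucket_name
  tags   = var.tags
}

# A log bucket must never be public; block it at the bucket level.
resource "aws_s3_bucket_public_access_block" "cloudtrail" {
  bucket                  = aws_s3_bucket.cloudtrail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Versioning keeps a copy of any log object an attacker overwrites or deletes.
resource "aws_s3_bucket_versioning" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  versioning_configuration {
    status = "Enabled"
  }
}

data "aws_iam_policy_document" "cloudtrail_bucket" {
  # CloudTrail checks the bucket ACL before it starts delivering.
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.cloudtrail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    # Confused-deputy guard: only this account's trail may use the bucket.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }

  # Objects land under <prefix>/AWSLogs/<account-id>/ and, for an organization
  # trail, under <prefix>/AWSLogs/<org-id>/<member-account-id>/ as well.
  statement {
    sid     = "AWSCloudTrailWrite"
    actions = ["s3:PutObject"]
    resources = [
      "${aws_s3_bucket.cloudtrail.arn}/${local.key_prefix}/AWSLogs/${local.account_id}/*",
      "${aws_s3_bucket.cloudtrail.arn}/${local.key_prefix}/AWSLogs/${data.aws_organizations_organization.current.id}/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }

  # Refuse plaintext HTTP access to the log bucket.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.cloudtrail.arn, "${aws_s3_bucket.cloudtrail.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "cloudtrail" {
  bucket     = aws_s3_bucket.cloudtrail.id
  policy     = data.aws_iam_policy_document.cloudtrail_bucket.json
  depends_on = [aws_s3_bucket_public_access_block.cloudtrail]
}
```

Pass `aws_s3_bucket.cloudtrail.id` as `s3_bucket_name` and `local.key_prefix` as `s3_key_prefix`; if the prefix in the module call differs from the one in the `AWSLogs` resource paths, CloudTrail fails its delivery check and the trail is created with no log files arriving. The `aws:SourceArn` condition keys the bucket to one trail name, so rename the trail and the policy has to follow. When `kms_key_id` or `create_kms_key` is in use, CloudTrail writes the objects with SSE-KMS itself, so no bucket default-encryption resource is needed for the log files.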
Requirements:

| Name | Version |
|------|---------|
| terraform | >= 0.12.26 |
| aws | >= 3.36 |

Providers:

| Name | Version |
|------|---------|
| aws | >= 3.36 |

Modules:

No modules.
Resources:

| Name | Type |
|------|------|
| aws_cloudtrail.this | resource |
| aws_cloudwatch_log_group.cloudtrail | resource |
| aws_iam_policy.cloudtrail_cloudwatch_logs | resource |
| aws_iam_role.cloudtrail_cloudwatch_role | resource |
| aws_iam_role_policy_attachment.cloudwatch_logs | resource |
| aws_kms_alias.cloudtrail | resource |
| aws_kms_key.cloudtrail | resource |
| aws_sns_topic.cloudtrail | resource |
| aws_sns_topic_policy.cloudtrail | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.cloudtrail_assume_role | data source |
| aws_iam_policy_document.cloudtrail_cloudwatch_logs | data source |
| aws_iam_policy_document.cloudtrail_kms_key | data source |
| aws_iam_policy_document.cloudtrail_sns | data source |
| aws_kms_key.cloudtrail | data source |
| aws_region.current | data source |
Inputs:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cloudwatch_logs_retention_in_days | Number of days to retain log events in the created log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 and 0. With 0, the events in the log group are always retained and never expire. | `number` | `365` | no |
| create_kms_key | Whether to create a KMS key for CloudTrail and SNS. If `kms_key_id` is set, this must be `false`. | `bool` | `true` | no |
| enable_cloudwatch_logs | Whether CloudTrail also delivers events to the created CloudWatch Logs log group. | `bool` | `false` | no |
| enable_log_file_validation | Whether log file integrity validation (signed digest files) is enabled. | `bool` | `false` | no |
| enable_logging | Enables logging for the trail. With `false` the trail exists but event recording is paused, so set it explicitly. | `bool` | `false` | no |
| enable_sns_notifications | Whether to create an SNS topic and publish a notification on each log file delivery. | `bool` | `false` | no |
| event_selectors | List of event selectors for enabling data event logging. See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#event_selector. | `list(object({…}))` | `[]` | no |
| include_global_service_events | Whether the trail publishes events from global services such as IAM and STS to the log files. Leave it `false` and those events are not recorded. | `bool` | `false` | no |
| insight_selectors | List of insight selectors for identifying unusual operational activity. See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#insight_selector. | `list(object({…}))` | `[]` | no |
| is_multi_region_trail | Whether the trail records events from all regions or only from the current one. | `bool` | `false` | no |
| is_organization_trail | Whether the trail is an AWS Organizations trail. Organization trails log events for the management (master) account and all member accounts, and can only be created in the organization management account. | `bool` | `false` | no |
| kms_key_deletion_window_in_days | Duration in days after which the key is deleted once the resource is destroyed; must be between 7 and 30 days. | `number` | `7` | no |
| kms_key_id | ARN of a pre-created CMK to encrypt trail events with. If used, set `create_kms_key` to `false`. | `string` | `null` | no |
| name | Namespace to be used on all resources. | `string` | n/a | yes |
| s3_bucket_name | Name of the S3 bucket designated for publishing log files. | `string` | n/a | yes |
| s3_key_prefix | S3 key prefix that follows the bucket name for log file delivery. | `string` | `null` | no |
| tags | A map of tags to assign to resources. | `map(string)` | `{}` | no |
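`kms_key_id` and `create_kms_key` are only documented as a pair above; what the supplied key's policy has to allow is not. The following is an added example of bringing your own CMK, written here and not taken from the module. It assumes the same `var.name` and `var.environment` as the module example, a bucket name passed in as `var.cloudtrail_bucket_name`, the trail name the module derives from `name`, and that a supplied key is also used for the SNS topic the way the module's own created key is (the inputs table says the created key serves "cloudtrail and SNS"; the last statement is only needed under that assumption and with `enable_sns_notifications = true`).

```hcl
# Added example: a customer-managed KMS key for the trail, then the module call
# that uses it. Assumes var.name, var.environment and var.cloudtrail_bucket_name.
data "aws_caller_identity" "trail" {}
data "aws_region" "trail" {}

locals {
  trail_name = "${var.name}-${var.environment}"
  account_id = data.aws_caller_identity.trail.account_id
  trail_arn  = "arn:aws:cloudtrail:${data.aws_region.trail.name}:${local.account_id}:trail/${local.trail_name}"
}

data "aws_iam_policy_document" "cloudtrail_cmk" {
  # Without an administrator statement the key cannot be managed afterwards.
  statement {
    sid       = "EnableIAMUserPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  # CloudTrail wraps each log file's data key; the encryption context condition
  # pins this grant to the one trail instead of any trail in any account.
  statement {
    sid       = "AllowCloudTrailToEncryptLogs"
    actions   = ["kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = [local.trail_arn]
    }
  }

  statement {
    sid       = "AllowCloudTrailToDescribeKey"
    actions   = ["kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  # Readers in this account may decrypt log files, but only ones this trail wrote;
  # IAM policies on the readers still have to grant kms:Decrypt separately.
  statement {
    sid       = "AllowLogReadersInAccountToDecrypt"
    actions   = ["kms:Decrypt", "kms:ReEncryptFrom"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = [local.account_id]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = [local.trail_arn]
    }
  }

  # Assumed: the key also encrypts the module's SNS topic. CloudTrail then needs
  # to wrap and unwrap the topic's data key; kms:ViaService limits this to SNS.
  statement {
    sid       = "AllowCloudTrailToPublishToEncryptedTopic"
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["sns.${data.aws_region.trail.name}.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "cloudtrail" {
  description             = "CloudTrail ${local.trail_name} log file and SNS encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.cloudtrail_cmk.json
}

module "cloudtrail" {
  source = "avlcloudtechnologies/cloudtrail/aws"

  name           = local.trail_name
  s3_bucket_name = var.cloudtrail_bucket_name # assumed: bucket created elsewhere
  s3_key_prefix  = "cloudtrail"

  # Bring-your-own key: both inputs change together, or the module creates a second key.
  create_kms_key = false
  kms_key_id     = aws_kms_key.cloudtrail.arn

  enable_logging             = true
  enable_log_file_validation = true
  is_multi_region_trail      = true
  enable_sns_notifications   = true
}
```

The key ARN rather than an alias is passed as `kms_key_id` so the reference survives alias changes. Because the trail ARN is built from region, account and `name`, the key policy can be written before the trail exists; a multi-region trail still has a single home-region ARN, which is the one CloudTrail places in the encryption context.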
Outputs:

| Name | Description |
|------|-------------|
| cloudtrail_arn | The Amazon Resource Name of the CloudTrail trail. |
| cloudtrail_name | The name of the CloudTrail trail. |
| cloudtrail_sns_topic_arn | CloudTrail SNS topic ARN. |
| cloudwatch_logs_group_arn | The log group ARN to which CloudTrail logs are delivered. |
| cloudwatch_logs_role_arn | The IAM role ARN that the CloudWatch Logs endpoint assumes to write to the log group. |
| kms_key_id | The KMS key id created for trail events and SNS. |