Terraform module to provision CloudTrail on AWS.
- This module is meant to be used once, when bootstrapping a new AWS account, to set up a CloudTrail trail that records the API activity in the account. It is not meant to be included in every Terraform deployment in the account.
- See CloudTrail Best Practices for more information on how to configure CloudTrail.
- Lets you either supply an existing S3 bucket (`create_s3_bucket = false` together with `s3_bucket_name`) or have the module create one with sensible defaults (public access blocked and server-side encryption enabled).
- Simplifies the creation of the trail by using an opinionated configuration: multi-region, global service events included, log file integrity validation on, KMS encryption and delivery to CloudWatch Logs by default. If you need more customizability please open an issue so we can add it.
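The following root configuration is an added example of bootstrapping a new account with this module; it is not part of the module's own documentation. The module `source` path, the `SecurityAdmin` role ARN, the account ID and the tag values are assumptions, and the nested shape of `event_selectors` (a `data_resources` list of `type`/`values` maps) is assumed from the field names the variable description lists.

```hcl
# Added example, not the module's own code. Assumes the module is vendored at
# ./modules/cloudtrail and that the account/role identifiers below are placeholders.

terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.62.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # home region of the trail; the trail itself is multi-region
}

module "cloudtrail" {
  source = "./modules/cloudtrail" # assumed path

  name = "account-audit-trail"

  # Security defaults written out explicitly so a reviewer sees them in the root module.
  is_multi_region_trail         = true
  include_global_service_events = true # IAM, STS, CloudFront and other global events
  enable_log_file_validation    = true # digest files let you prove logs were not altered
  enable_logging                = true

  # Let the module create the log bucket, the KMS key and the CloudWatch log group.
  create_s3_bucket                        = true
  create_kms_key                          = true
  enable_kms_key_rotation                 = true
  create_cloudwatch_logs_group            = true
  cloudwatch_logs_group_retention_in_days = 365

  # Pin key administration to a durable role rather than whoever ran the bootstrap.
  kms_key_administrators = ["arn:aws:iam::123456789012:role/SecurityAdmin"] # placeholder

  # Keep the bucket private and make `terraform destroy` refuse to delete the evidence.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
  s3_bucket_force_destroy = false

  # Management events plus S3 data events (read and write) for every bucket.
  event_selectors = [
    {
      read_write_type           = "All"
      include_management_events = true
      data_resources = [
        {
          type   = "AWS::S3::Object"
          values = ["arn:aws:s3"] # all buckets in the account
        }
      ]
    }
  ]

  # CloudTrail Insights for unusual API call and error rates (billed separately).
  insight_selectors = ["ApiCallRateInsight", "ApiErrorRateInsight"]

  tags = {
    Owner   = "security"
    Purpose = "audit-logging"
  }
}

output "cloudtrail_arn" {
  value = module.cloudtrail.cloudtrail_arn
}

output "cloudtrail_bucket" {
  value = module.cloudtrail.s3_bucket_id
}
```

Run this from a principal that will keep access to the account after bootstrap; the KMS key policy is built from `kms_key_administrators` (or the caller identity when that list is empty), so running it from a throwaway session without setting the list can leave the key administered only by that session's role. Logging every S3 object read across the account can be expensive; narrow the `values` list to specific bucket ARNs if volume is a concern.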
Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 4.62.0 |

Providers

| Name | Version |
|---|---|
| aws | >= 4.62.0 |
Resources

| Name | Type |
|---|---|
| aws_cloudtrail.this | resource |
| aws_iam_policy.cloudtrail_cloudwatch_logs | resource |
| aws_iam_policy_attachment.main | resource |
| aws_iam_role.cloudtrail_cloudwatch_role | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.cloudtrail_assume_role | data source |
| aws_iam_policy_document.cloudtrail_cloudwatch_logs | data source |
| aws_iam_policy_document.s3_bucket | data source |
| aws_iam_session_context.current | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Note that aws_iam_policy_attachment is exclusive: it manages every attachment of the named policy, so attaching the CloudWatch Logs policy created here to other roles outside this module will be undone on the next apply.
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| advanced_event_selectors | Specifies an advanced event selector for fine-grained event logging. Includes name and field_selectors. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable and https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html for details on the underlying API. | any | [] | no |
| attach_bucket_policy | Controls whether the S3 bucket should have a bucket policy attached (set to true to use the value of bucket_policy as the bucket policy). | bool | true | no |
| attach_public_bucket_policy | Controls whether the S3 bucket should have a public bucket policy attached (set to true to use the value of public_policy as the bucket policy). | bool | true | no |
| block_public_acls | (Optional) Whether Amazon S3 should block public ACLs for this bucket. Defaults to true. | bool | true | no |
| block_public_policy | (Optional) Whether Amazon S3 should block public bucket policies for this bucket. Defaults to true. | bool | true | no |
| bucket_policy | (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | string | null | no |
| cloudtrail_iam_policy_name | The name of the IAM policy to be created for the CloudTrail to send logs to CloudWatch. | string | "" | no |
| cloudtrail_iam_policy_name_prefix | The prefix to use for the IAM policy name. | string | "" | no |
| cloudtrail_iam_policy_name_use_prefix | Determines whether to use the CloudTrail name as a prefix for the IAM policy name. | bool | true | no |
| cloudtrail_iam_role_name | The name of the IAM role to be created for the CloudTrail to send logs to CloudWatch. | string | "" | no |
| cloudtrail_iam_role_name_prefix | The prefix to use for the IAM role name. | string | "" | no |
| cloudtrail_iam_role_name_use_prefix | Determines whether to use the CloudTrail name as a prefix for the IAM role name. | bool | true | no |
| cloudwatch_logs_group_arn | The ARN of the existing CloudWatch Log Group to be used if create_cloudwatch_logs_group is set to false. | string | "" | no |
| cloudwatch_logs_group_name | The name of the CloudWatch Log Group to which CloudTrail events will be delivered. | string | "" | no |
| cloudwatch_logs_group_name_prefix | The prefix to use for the CloudWatch Log Group name. | string | "" | no |
| cloudwatch_logs_group_retention_in_days | The number of days log events are kept in CloudWatch Logs; expired events are deleted automatically. The module defaults to 90 days (CloudWatch Logs' own default, when no retention is set, is to never expire). | number | 90 | no |
| cloudwatch_logs_group_use_name_prefix | Determines whether to use the CloudTrail name as a prefix for the CloudWatch Log Group name. | bool | true | no |
| cloudwatch_logs_role_arn | The ARN of the role that the CloudTrail will assume to write to CloudWatch Logs. Used when create_cloudtrail_iam_role is false. | string | "" | no |
| create_cloudtrail_iam_role | Determines whether to create an IAM role for the CloudTrail. If not, an existing role ARN must be provided in cloudwatch_logs_role_arn. | bool | true | no |
| create_cloudwatch_logs_group | Determines whether to create a CloudWatch Log Group for CloudTrail logs. If not, an existing log group ARN must be provided in cloudwatch_logs_group_arn. | bool | true | no |
| create_kms_key | Determines whether to create a KMS key for encrypting CloudTrail logs. If not, an existing key must be provided in kms_key_arn (or kms_key_id). | bool | true | no |
| create_s3_bucket | Determines whether to create an S3 bucket for storing CloudTrail logs. If not, an existing bucket name must be provided in s3_bucket_name. | bool | true | no |
| enable_kms_key_rotation | Specifies whether key rotation is enabled. Defaults to true. | bool | true | no |
| enable_log_file_validation | Specifies whether log file integrity validation is enabled. | bool | true | no |
| enable_logging | Enables logging for the trail. Defaults to true. | bool | true | no |
| enable_s3_bucket_server_side_encryption_configuration | Whether to enable the server-side encryption configuration on the created bucket. | bool | true | no |
| event_selectors | Specifies an event selector for enabling data event logging. Fields include include_management_events, read_write_type, exclude_management_event_sources, and data_resources. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable and https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html for details on the underlying API. | any | [] | no |
| ignore_public_acls | (Optional) Whether Amazon S3 should ignore public ACLs for this bucket. Defaults to true. | bool | true | no |
| include_global_service_events | Specifies whether the trail is publishing events from global services such as IAM to the log files. | bool | true | no |
| insight_selectors | List of insight types, such as ApiCallRateInsight and ApiErrorRateInsight, to log on the trail. | list(string) | [] | no |
| is_multi_region_trail | Specifies whether the trail applies only to the current region or to all regions. | bool | true | no |
| is_organization_trail | Whether the trail is an AWS Organizations trail. Defaults to false. | bool | false | no |
| kms_key_administrators | A list of IAM ARNs for key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. | list(string) | [] | no |
| kms_key_aliases | A list of aliases to create. Note: due to the use of toset(), values must be static strings and not computed values. | list(string) | [] | no |
| kms_key_arn | The KMS key ARN to use for encrypting CloudTrail logs. | string | "" | no |
| kms_key_deletion_window_in_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. | number | null | no |
| kms_key_description | The description of the key as viewed in the AWS console. | string | null | no |
| kms_key_enable_default_policy | Specifies whether to enable the default key policy. Defaults to false. | bool | false | no |
| kms_key_id | The KMS key ID to use for encrypting CloudTrail logs. | string | "" | no |
| kms_key_override_policy_documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids override statements with the same sid. | list(string) | [] | no |
| kms_key_owners | A list of IAM ARNs for those who will have full key permissions (kms:*). | list(string) | [] | no |
| kms_key_service_users | A list of IAM ARNs for key service users. | list(string) | [] | no |
| kms_key_source_policy_documents | List of IAM policy documents that are merged together into the exported document. Statements must have unique sids. | list(string) | [] | no |
| kms_key_statements | A map of IAM policy statements for custom permission usage. | any | [] | no |
| kms_key_users | A list of IAM ARNs for key users. | list(string) | [] | no |
| name | The name of the CloudTrail. | string | n/a | yes |
| restrict_public_buckets | (Optional) Whether Amazon S3 should restrict public bucket policies for this bucket. Defaults to true. | bool | true | no |
| s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | false | no |
| s3_bucket_lifecycle_rules | List of maps containing configuration of object lifecycle management. | any | [ | no |
| s3_bucket_name | The name of the existing S3 bucket to be used if create_s3_bucket is set to false. | string | "" | no |
| s3_bucket_name_prefix | The prefix to use for the S3 bucket name. | string | "" | no |
| s3_bucket_name_use_prefix | Determines whether to use the CloudTrail name as a prefix for the S3 bucket name. | bool | true | no |
| s3_bucket_server_side_encryption_configuration | Map containing server-side encryption configuration. | any | {} | no |
| s3_bucket_versioning | Map containing versioning configuration. | map(string) | { | no |
| s3_key_prefix | S3 key prefix that follows the name of the bucket designated for log file delivery. | string | "cloudtrail" | no |
| sns_topic_name | Name of the Amazon SNS topic defined for notification of log file delivery. | string | null | no |
| tags | A map of tags to add to all taggable resources. | map(string) | {} | no |
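The inputs above also cover the bring-your-own-sink path: an existing central log bucket, an existing KMS key, an existing log group and an existing delivery role. The configuration below is an added example of that path, not the module's own code; every ARN and bucket name is a placeholder, the module `source` path is assumed, and the nested shape of `advanced_event_selectors` (a `field_selectors` list of `field`/`equals`/`starts_with` maps) is assumed from the variable description and the aws_cloudtrail `field_selector` attributes.

```hcl
# Added example, not the module's own code. All identifiers are placeholders for
# resources that exist already (for instance in a central log-archive account).

module "cloudtrail_existing_sinks" {
  source = "./modules/cloudtrail" # assumed path

  name = "member-account-trail"

  # Deliver to a bucket owned elsewhere; the module will not manage its policy.
  create_s3_bucket = false
  s3_bucket_name   = "org-central-cloudtrail-logs"
  s3_key_prefix    = "member-123456789012" # objects land under <prefix>/AWSLogs/<account-id>/

  # Encrypt with a key owned elsewhere; CloudTrail must be allowed to use it.
  create_kms_key = false
  kms_key_arn    = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"

  # Reuse an existing log group and delivery role instead of creating them.
  create_cloudwatch_logs_group = false
  cloudwatch_logs_group_arn    = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/cloudtrail/member:*"
  create_cloudtrail_iam_role   = false
  cloudwatch_logs_role_arn     = "arn:aws:iam::123456789012:role/cloudtrail-to-cloudwatch"

  # Fine-grained data events: only DeleteObject on one sensitive bucket,
  # instead of every S3 read and write in the account.
  advanced_event_selectors = [
    {
      name = "DeleteObject on the secrets bucket"
      field_selectors = [
        { field = "eventCategory", equals = ["Data"] },
        { field = "resources.type", equals = ["AWS::S3::Object"] },
        { field = "eventName", equals = ["DeleteObject"] },
        { field = "resources.ARN", starts_with = ["arn:aws:s3:::org-secrets-bucket/"] },
      ]
    }
  ]

  tags = {
    Owner = "security"
  }
}
```

Three things outside this module have to be in place or delivery silently fails (the trail shows a delivery error rather than refusing to apply): the bucket policy must grant cloudtrail.amazonaws.com s3:GetBucketAcl on the bucket and s3:PutObject on `<prefix>/AWSLogs/<account-id>/*` with the bucket-owner-full-control ACL condition; the KMS key policy must grant CloudTrail kms:GenerateDataKey* (and readers kms:Decrypt); and the CloudWatch log group ARN must end in `:*`, which the aws_cloudtrail resource requires. After apply, `aws cloudtrail get-trail-status --name member-account-trail` shows `LatestDeliveryError` if any of these is missing.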
Outputs

| Name | Description |
|---|---|
| cloudtrail_arn | ARN of the CloudTrail trail |
| cloudtrail_home_region | The region in which the trail was created |
| cloudtrail_id | The name of the trail |
| cloudwatch_log_group_arn | The ARN of the CloudWatch log group |
| cloudwatch_log_group_name | The name of the CloudWatch log group |
| s3_bucket_arn | The ARN of the bucket |
| s3_bucket_id | The name of the bucket |
| s3_bucket_region | The AWS region this bucket resides in |