
defenseunicorns/terraform-aws-cloudtrail


# terraform-aws-cloudtrail

Terraform module to provision CloudTrail on AWS.

## Notes

- This module should be used when bootstrapping a new AWS account, to set up a CloudTrail that monitors the activity in the account. It is not meant to be used as part of every Terraform deployment in the account.
- See CloudTrail Best Practices for more information on how to configure CloudTrail.
- Gives the user the choice of either providing an existing S3 bucket or creating a new one with sensible defaults.
- Simplifies the creation of the CloudTrail by using opinionated configuration. If you need more customization, please open an issue so we can add it.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| aws | >= 4.62.0 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 4.62.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| cloudwatch_logs_group | git::https://github.com/terraform-aws-modules/terraform-aws-cloudwatch.git//modules/log-group | v5.3.1 |
| kms | git::https://github.com/terraform-aws-modules/terraform-aws-kms.git | v2.2.1 |
| s3_bucket | git::https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git | v4.1.2 |

## Resources

| Name | Type |
|------|------|
| aws_cloudtrail.this | resource |
| aws_iam_policy.cloudtrail_cloudwatch_logs | resource |
| aws_iam_policy_attachment.main | resource |
| aws_iam_role.cloudtrail_cloudwatch_role | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.cloudtrail_assume_role | data source |
| aws_iam_policy_document.cloudtrail_cloudwatch_logs | data source |
| aws_iam_policy_document.s3_bucket | data source |
| aws_iam_session_context.current | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| advanced_event_selectors | Specifies an advanced event selector for fine-grained event logging. Includes name and field_selectors. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable and https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html for details on the underlying API. | `any` | `[]` | no |
| attach_bucket_policy | Controls if S3 bucket should have bucket policy attached (set to true to use value of policy as bucket policy) | `bool` | `true` | no |
| attach_public_bucket_policy | Controls if S3 bucket should have public bucket policy attached (set to true to use value of public_policy as bucket policy) | `bool` | `true` | no |
| block_public_acls | (Optional) Whether Amazon S3 should block public ACLs for this bucket. Defaults to true. | `bool` | `true` | no |
| block_public_policy | (Optional) Whether Amazon S3 should block public bucket policies for this bucket. Defaults to true. | `bool` | `true` | no |
| bucket_policy | (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | `string` | `null` | no |
| cloudtrail_iam_policy_name | The name of the IAM policy to be created for the CloudTrail to send logs to CloudWatch. | `string` | `""` | no |
| cloudtrail_iam_policy_name_prefix | The prefix to use for the IAM policy name. | `string` | `""` | no |
| cloudtrail_iam_policy_name_use_prefix | Determines whether to use the CloudTrail name as a prefix for the IAM policy name. | `bool` | `true` | no |
| cloudtrail_iam_role_name | The name of the IAM role to be created for the CloudTrail to send logs to CloudWatch. | `string` | `""` | no |
| cloudtrail_iam_role_name_prefix | The prefix to use for the IAM role name. | `string` | `""` | no |
| cloudtrail_iam_role_name_use_prefix | Determines whether to use the CloudTrail name as a prefix for the IAM role name. | `bool` | `true` | no |
| cloudwatch_logs_group_arn | The ARN of the existing CloudWatch Log Group to be used if 'create_cloudwatch_log_group' is set to false. | `string` | `""` | no |
| cloudwatch_logs_group_name | The name of the CloudWatch Log Group to which CloudTrail events will be delivered. | `string` | `""` | no |
| cloudwatch_logs_group_name_prefix | The prefix to use for the CloudWatch Log Group name. | `string` | `""` | no |
| cloudwatch_logs_group_retention_in_days | The number of days log events are kept in CloudWatch Logs. When an object expires, CloudWatch Logs automatically deletes it. If you don't specify a value, the default retention period is never expire. | `number` | `90` | no |
| cloudwatch_logs_group_use_name_prefix | Determines whether to use the CloudTrail name as a prefix for the CloudWatch Log Group name. | `bool` | `true` | no |
| cloudwatch_logs_role_arn | The ARN of the role that the CloudTrail will assume to write to CloudWatch logs. | `string` | `""` | no |
| create_cloudtrail_iam_role | Determines whether to create an IAM role for the CloudTrail. If not, an existing role name must be provided. | `bool` | `true` | no |
| create_cloudwatch_logs_group | Determines whether to create a CloudWatch Log Group for CloudTrail logs. If not, an existing log group ARN must be provided. | `bool` | `true` | no |
| create_kms_key | Determines whether to create a KMS key for encrypting CloudTrail logs. If not, an existing key ARN must be provided. | `bool` | `true` | no |
| create_s3_bucket | Determines whether to create an S3 bucket for storing CloudTrail logs. If not, an existing bucket name must be provided. | `bool` | `true` | no |
| enable_kms_key_rotation | Specifies whether key rotation is enabled. Defaults to true | `bool` | `true` | no |
| enable_log_file_validation | Specifies whether log file integrity validation is enabled. | `bool` | `true` | no |
| enable_logging | Enables logging for the trail. Defaults to true. | `bool` | `true` | no |
| enable_s3_bucket_server_side_encryption_configuration | Whether to enable server-side encryption configuration. | `bool` | `true` | no |
| event_selectors | Specifies an event selector for enabling data event logging. Fields include include_management_events, read_write_type, exclude_management_event_sources, and data_resources. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable and https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html for details on the underlying API. | `any` | `[]` | no |
| ignore_public_acls | (Optional) Whether Amazon S3 should ignore public ACLs for this bucket. Defaults to true. | `bool` | `true` | no |
| include_global_service_events | Specifies whether the trail is publishing events from global services such as IAM to the log files. | `bool` | `true` | no |
| insight_selectors | List of insight types, such as ApiCallRateInsight and ApiErrorRateInsight, to log on the trail. | `list(string)` | `[]` | no |
| is_multi_region_trail | Specifies whether the trail applies only to the current region or to all regions. | `bool` | `true` | no |
| is_organization_trail | Whether the trail is an AWS Organizations trail. Defaults to false. | `bool` | `false` | no |
| kms_key_administrators | A list of IAM ARNs for key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available | `list(string)` | `[]` | no |
| kms_key_aliases | A list of aliases to create. Note - due to the use of toset(), values must be static strings and not computed values | `list(string)` | `[]` | no |
| kms_key_arn | The KMS key ARN to use for encrypting CloudTrail logs. | `string` | `""` | no |
| kms_key_deletion_window_in_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30 | `number` | `null` | no |
| kms_key_description | The description of the key as viewed in AWS console | `string` | `null` | no |
| kms_key_enable_default_policy | Specifies whether to enable the default key policy. Defaults to false | `bool` | `false` | no |
| kms_key_id | The KMS key ID to use for encrypting CloudTrail logs. | `string` | `""` | no |
| kms_key_override_policy_documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid | `list(string)` | `[]` | no |
| kms_key_owners | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
| kms_key_service_users | A list of IAM ARNs for key service users | `list(string)` | `[]` | no |
| kms_key_source_policy_documents | List of IAM policy documents that are merged together into the exported document. Statements must have unique sids | `list(string)` | `[]` | no |
| kms_key_statements | A map of IAM policy statements for custom permission usage | `any` | `[]` | no |
| kms_key_users | A list of IAM ARNs for key users | `list(string)` | `[]` | no |
| name | The name of the CloudTrail. | `string` | n/a | yes |
| restrict_public_buckets | (Optional) Whether Amazon S3 should restrict public bucket policies for this bucket. Defaults to true. | `bool` | `true` | no |
| s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
| s3_bucket_lifecycle_rules | List of maps containing configuration of object lifecycle management. | `any` | `[{"abort_incomplete_multipart_upload_days": 7, "expiration": {"days": 365}, "id": "whatever", "status": "Enabled", "transition": [{"days": 30, "storage_class": "STANDARD_IA"}, {"days": 60, "storage_class": "GLACIER"}, {"days": 180, "storage_class": "DEEP_ARCHIVE"}]}]` | no |
| s3_bucket_name | The name of the existing S3 bucket to be used if 'create_s3_bucket' is set to false. | `string` | `""` | no |
| s3_bucket_name_prefix | The prefix to use for the S3 bucket name. | `string` | `""` | no |
| s3_bucket_name_use_prefix | Determines whether to use the CloudTrail name as a prefix for the S3 bucket name. | `bool` | `true` | no |
| s3_bucket_server_side_encryption_configuration | Map containing server-side encryption configuration. | `any` | `{}` | no |
| s3_bucket_versioning | Map containing versioning configuration. | `map(string)` | `{"enabled": false, "mfa_delete": false}` | no |
| s3_key_prefix | S3 key prefix that follows the name of the bucket designated for log file delivery. | `string` | `"cloudtrail"` | no |
| sns_topic_name | Name of the Amazon SNS topic defined for notification of log file delivery. | `string` | `null` | no |
| tags | A map of tags to add to all taggable resources | `map(string)` | `{}` | no |
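The following is an added usage example, not part of this module's README, showing how the inputs above combine when bootstrapping a new account with an audit trail. The module `source` ref (`<TAG_PLACEHOLDER>`), the trail name, the region and the tag values are assumptions; every input name is one of the documented variables.

```hcl
# Added example (not the module's own code). Bootstraps an account-wide trail
# using the module's opinionated defaults for the bucket, KMS key and log group.
provider "aws" {
  region = "us-east-1" # assumption: home region for the trail
}

module "cloudtrail" {
  # assumption: pin to a released tag rather than tracking the default branch
  source = "git::https://github.com/defenseunicorns/terraform-aws-cloudtrail.git?ref=<TAG_PLACEHOLDER>"

  name = "account-audit-trail" # assumption; used as a prefix for the bucket, role, policy and log group names

  # Coverage: record activity in every region plus global services (e.g. IAM),
  # so that actions taken outside the home region are not missed.
  is_multi_region_trail         = true
  include_global_service_events = true

  # Tamper evidence: digest files allow later verification that delivered
  # log files were not modified or deleted after delivery.
  enable_log_file_validation = true

  # Let the module create the bucket, a rotating KMS key and the log group.
  # To reuse existing resources instead, set create_s3_bucket = false and
  # s3_bucket_name, or create_kms_key = false and kms_key_arn.
  create_s3_bucket             = true
  create_kms_key               = true
  enable_kms_key_rotation      = true
  create_cloudwatch_logs_group = true

  # Keep a year of events queryable in CloudWatch Logs; S3 remains the long-term archive.
  cloudwatch_logs_group_retention_in_days = 365

  # The bucket holds the audit record: never let `terraform destroy` purge it,
  # and keep object versions so overwritten or deleted log files can be recovered.
  s3_bucket_force_destroy = false
  s3_bucket_versioning = {
    enabled    = true
    mfa_delete = false
  }

  # CloudTrail Insights: flag unusual API call rates and error rates.
  insight_selectors = ["ApiCallRateInsight", "ApiErrorRateInsight"]

  # Optional: notify on every log file delivery (topic name is an assumption).
  sns_topic_name = "cloudtrail-log-delivery"

  tags = {
    Purpose = "audit-logging" # assumption
  }
}

# The trail ARN and bucket are what a detection pipeline or an organization
# security account would consume.
output "cloudtrail_arn" {
  value = module.cloudtrail.cloudtrail_arn
}

output "cloudtrail_bucket" {
  value = module.cloudtrail.s3_bucket_id
}
```

Run `terraform init` followed by `terraform plan` in the directory holding this file; the plan should show the `aws_cloudtrail.this` resource together with the bucket, KMS key and log group created by the nested modules listed under Modules. Because this module is intended for account bootstrapping, apply it once from a dedicated root module rather than from every workload's Terraform configuration.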

## Outputs

| Name | Description |
|------|-------------|
| cloudtrail_arn | ARN of the CloudTrail |
| cloudtrail_home_region | The region in which the CloudTrail was created |
| cloudtrail_id | The name of the CloudTrail |
| cloudwatch_log_group_arn | The ARN of the CloudWatch log group. |
| cloudwatch_log_group_name | The name of the CloudWatch log group. |
| s3_bucket_arn | The ARN of the bucket. |
| s3_bucket_id | The name of the bucket. |
| s3_bucket_region | The AWS region this bucket resides in. |