| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| advanced_event_selectors | Specifies an advanced event selector for fine-grained event logging. Includes `name` and `field_selectors`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable and https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html for details on the underlying API. | `any` | `[]` | no |
| attach_bucket_policy | Controls whether the S3 bucket should have a bucket policy attached (set to `true` to use the value of `policy` as the bucket policy). | `bool` | `true` | no |
| attach_public_bucket_policy | Controls whether the S3 bucket should have a public bucket policy attached (set to `true` to use the value of `public_policy` as the bucket policy). | `bool` | `true` | no |
| block_public_acls | (Optional) Whether Amazon S3 should block public ACLs for this bucket. Defaults to `true`. | `bool` | `true` | no |
| block_public_policy | (Optional) Whether Amazon S3 should block public bucket policies for this bucket. Defaults to `true`. | `bool` | `true` | no |
| bucket_policy | (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a `terraform plan`. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | `string` | `null` | no |
| cloudtrail_iam_policy_name | The name of the IAM policy to be created for the CloudTrail to send logs to CloudWatch. | `string` | `""` | no |
| cloudtrail_iam_policy_name_prefix | The prefix to use for the IAM policy name. | `string` | `""` | no |
| cloudtrail_iam_policy_name_use_prefix | Determines whether to use the CloudTrail name as a prefix for the IAM policy name. | `bool` | `true` | no |
| cloudtrail_iam_role_name | The name of the IAM role to be created for the CloudTrail to send logs to CloudWatch. | `string` | `""` | no |
| cloudtrail_iam_role_name_prefix | The prefix to use for the IAM role name. | `string` | `""` | no |
| cloudtrail_iam_role_name_use_prefix | Determines whether to use the CloudTrail name as a prefix for the IAM role name. | `bool` | `true` | no |
| cloudwatch_logs_group_arn | The ARN of the existing CloudWatch Log Group to be used if `create_cloudwatch_log_group` is set to `false`. | `string` | `""` | no |
| cloudwatch_logs_group_name | The name of the CloudWatch Log Group to which CloudTrail events will be delivered. | `string` | `""` | no |
| cloudwatch_logs_group_name_prefix | The prefix to use for the CloudWatch Log Group name. | `string` | `""` | no |
| cloudwatch_logs_group_retention_in_days | The number of days log events are kept in CloudWatch Logs. When an object expires, CloudWatch Logs automatically deletes it. If you don't specify a value, the default retention period is to never expire. | `number` | `90` | no |
| cloudwatch_logs_group_use_name_prefix | Determines whether to use the CloudTrail name as a prefix for the CloudWatch Log Group name. | `bool` | `true` | no |
| cloudwatch_logs_role_arn | The ARN of the role that the CloudTrail will assume to write to CloudWatch Logs. | `string` | `""` | no |
| create_cloudtrail_iam_role | Determines whether to create an IAM role for the CloudTrail. If not, an existing role name must be provided. | `bool` | `true` | no |
| create_cloudwatch_logs_group | Determines whether to create a CloudWatch Log Group for CloudTrail logs. If not, an existing log group ARN must be provided. | `bool` | `true` | no |
| create_kms_key | Determines whether to create a KMS key for encrypting CloudTrail logs. If not, an existing key ARN must be provided. | `bool` | `true` | no |
| create_s3_bucket | Determines whether to create an S3 bucket for storing CloudTrail logs. If not, an existing bucket name must be provided. | `bool` | `true` | no |
| enable_kms_key_rotation | Specifies whether key rotation is enabled. Defaults to `true`. | `bool` | `true` | no |
| enable_log_file_validation | Specifies whether log file integrity validation is enabled. | `bool` | `true` | no |
| enable_logging | Enables logging for the trail. Defaults to `true`. | `bool` | `true` | no |
| enable_s3_bucket_server_side_encryption_configuration | Whether to enable the server-side encryption configuration. | `bool` | `true` | no |
| event_selectors | Specifies an event selector for enabling data event logging. Fields include `include_management_events`, `read_write_type`, `exclude_management_event_sources`, and `data_resources`. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable and https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html for details on the underlying API. | `any` | `[]` | no |
| ignore_public_acls | (Optional) Whether Amazon S3 should ignore public ACLs for this bucket. Defaults to `true`. | `bool` | `true` | no |
| include_global_service_events | Specifies whether the trail is publishing events from global services such as IAM to the log files. | `bool` | `true` | no |
| insight_selectors | List of insight types, such as `ApiCallRateInsight` and `ApiErrorRateInsight`, to log on the trail. | `list(string)` | `[]` | no |
| is_multi_region_trail | Specifies whether the trail applies only to the current region or to all regions. | `bool` | `true` | no |
| is_organization_trail | Whether the trail is an AWS Organizations trail. Defaults to `false`. | `bool` | `false` | no |
| kms_key_administrators | A list of IAM ARNs for key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. | `list(string)` | `[]` | no |
| kms_key_aliases | A list of aliases to create. Note: due to the use of `toset()`, values must be static strings and not computed values. | `list(string)` | `[]` | no |
| kms_key_arn | The KMS key ARN to use for encrypting CloudTrail logs. | `string` | `""` | no |
| kms_key_deletion_window_in_days | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. | `number` | `null` | no |
| kms_key_description | The description of the key as viewed in the AWS console. | `string` | `null` | no |
| kms_key_enable_default_policy | Specifies whether to enable the default key policy. Defaults to `false`. | `bool` | `false` | no |
| kms_key_id | The KMS key ID to use for encrypting CloudTrail logs. | `string` | `""` | no |
| kms_key_override_policy_documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`. | `list(string)` | `[]` | no |
| kms_key_owners | A list of IAM ARNs for those who will have full key permissions (`kms:*`). | `list(string)` | `[]` | no |
| kms_key_service_users | A list of IAM ARNs for key service users. | `list(string)` | `[]` | no |
| kms_key_source_policy_documents | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s. | `list(string)` | `[]` | no |
| kms_key_statements | A map of IAM policy statements for custom permission usage. | `any` | `[]` | no |
| kms_key_users | A list of IAM ARNs for key users. | `list(string)` | `[]` | no |
| name | The name of the CloudTrail. | `string` | n/a | yes |
| restrict_public_buckets | (Optional) Whether Amazon S3 should restrict public bucket policies for this bucket. Defaults to `true`. | `bool` | `true` | no |
| s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
| s3_bucket_lifecycle_rules | List of maps containing configuration of object lifecycle management. | `any` | `[{ "abort_incomplete_multipart_upload_days": 7, "expiration": { "days": 365 }, "id": "whatever", "status": "Enabled", "transition": [ { "days": 30, "storage_class": "STANDARD_IA" }, { "days": 60, "storage_class": "GLACIER" }, { "days": 180, "storage_class": "DEEP_ARCHIVE" } ] }]` | no |
| s3_bucket_name | The name of the existing S3 bucket to be used if `create_s3_bucket` is set to `false`. | `string` | `""` | no |
| s3_bucket_name_prefix | The prefix to use for the S3 bucket name. | `string` | `""` | no |
| s3_bucket_name_use_prefix | Determines whether to use the CloudTrail name as a prefix for the S3 bucket name. | `bool` | `true` | no |
| s3_bucket_server_side_encryption_configuration | Map containing the server-side encryption configuration. | `any` | `{}` | no |
| s3_bucket_versioning | Map containing the versioning configuration. | `map(string)` | `{ "enabled": false, "mfa_delete": false }` | no |
| s3_key_prefix | S3 key prefix that follows the name of the bucket designated for log file delivery. | `string` | `"cloudtrail"` | no |
| sns_topic_name | Name of the Amazon SNS topic defined for notification of log file delivery. | `string` | `null` | no |
| tags | A map of tags to add to all taggable resources. | `map(string)` | `{}` | no |