We help companies build, run, deploy and scale software and infrastructure by embracing the right technologies and principles. Check out our website at https://lablabs.io/
A Terraform module to create an AWS CloudTrail resource.

Check out other Terraform modules.

Name | Version |
---|---|
terraform | >= 1.3.0 |
aws | >= 4.19 |

Name | Source | Version |
---|---|---|
cloudtrail | cloudposse/cloudtrail/aws | 0.22.0 |
cloudtrail-s3-bucket | cloudposse/s3-log-storage/aws | 1.4.2 |
kms-key | cloudposse/kms-key/aws | 0.12.1 |
label | cloudposse/label/null | 0.25.0 |

Name | Type |
---|---|
aws_caller_identity.kms | data source |
aws_iam_policy_document.default | data source |
aws_iam_policy_document.trail_kms | data source |
aws_partition.current | data source |


Name | Description | Type | Default | Required |
---|---|---|---|---|
trail_kms_account_ids | Specifies all account IDs where the organization trail will reside | list(any) | n/a | yes |
attributes | Additional attributes (e.g. 1) | list(string) | [] | no |
bucket_acl | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | string | "log-delivery-write" | no |
bucket_allow_ssl_requests_only | Set to true to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | bool | false | no |
bucket_enabled | Set to false to prevent the module from creating the S3 bucket | bool | false | no |
bucket_force_destroy | (Optional, Default: false) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | bool | false | no |
bucket_kms_master_key_arn | The AWS KMS master key ARN used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm to aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms | string | "" | no |
bucket_lifecycle_configuration_rules | A list of S3 bucket v2 lifecycle rules | list(object({ | [] | no |
bucket_lifecycle_rule_enabled | Enable lifecycle events on this bucket | bool | false | no |
bucket_sse_algorithm | The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | string | "AES256" | no |
bucket_versioning_enabled | Enable object versioning, keeping multiple variants of an object in the same bucket | bool | false | no |
environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | string | "" | no |
name | Solution name, e.g. 'app' or 'jenkins' | string | "" | no |
namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | string | "" | no |
stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | string | null | no |
tags | Additional tags (e.g. map('BusinessUnit','XYZ')) | map(string) | {} | no |
trail_bucket | Set the bucket name for the Organization trail, meaningful only if bucket_enabled is set to false | string | "" | no |
trail_cloud_watch_logs_group_arn | Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered | string | "" | no |
trail_cloud_watch_logs_role_arn | Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group | string | "" | no |
trail_enable_log_file_validation | Specifies whether log file integrity validation is enabled. Creates a signed digest for the validated contents of logs | bool | false | no |
trail_enable_logging | Enable logging for the trail | bool | false | no |
trail_enabled | Set to false to prevent the module from creating the Organization trail | bool | true | no |
trail_include_global_service_events | Specifies whether the trail is publishing events from global services such as IAM to the log files | bool | false | no |
trail_is_multi_region_trail | Specifies whether the trail is created in the current region or in all regions | bool | false | no |
trail_is_organization_trail | The trail is an AWS Organizations trail | bool | false | no |
trail_kms_alias | The display name of the alias. The name must start with the word alias followed by a forward slash; leave the default for an auto-generated alias | string | "" | no |
trail_kms_customer_master_key_spec | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. | string | "SYMMETRIC_DEFAULT" | no |
trail_kms_description | The description of the key as viewed in the AWS console | string | "KMS key to encrypt the logs delivered by CloudTrail" | no |
trail_kms_enable_key_rotation | Specifies whether key rotation is enabled | bool | false | no |
trail_kms_enabled | Set to false to prevent the module from automatic KMS key creation | bool | false | no |
trail_kms_key_arn | Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail, meaningful only if trail_kms_enabled is set to false | string | "" | no |
trail_kms_key_usage | Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. | string | "ENCRYPT_DECRYPT" | no |
trail_kms_multi_region | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | bool | false | no |

Name | Description |
---|---|
bucket_arn | CloudTrail bucket ARN |
bucket_domain_name | CloudTrail bucket FQDN |
bucket_id | CloudTrail bucket ID |
kms_key_alias_arn | CloudTrail KMS key alias ARN |
kms_key_alias_name | CloudTrail KMS key alias name |
kms_key_arn | CloudTrail KMS key ARN |
kms_key_id | CloudTrail KMS key ID |
trail_arn | CloudTrail ARN |
trail_home_region | CloudTrail region in which the trail was created |
trail_id | CloudTrail name |
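
The inputs table above documents defaults that leave a freshly wired trail regional, silent on global (IAM) events, not logging, without digest files, and with a bucket that still accepts plain HTTP. The following is an added usage example, not code from this module or its README, showing an organization-wide trail with those inputs set explicitly. The module source path, the label values, the tag, and the two account IDs are placeholders; every input name, default and output name is taken from the tables on this page.

```hcl
terraform {
  # Versions from the requirements table above.
  required_version = ">= 1.3.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.19"
    }
  }
}

# Added example (not part of the module's README). Source path and values are placeholders.
module "org_cloudtrail" {
  source = "<path-or-git-url-of-this-module>" # placeholder: point at this module

  # cloudposse/label inputs; values are assumed for the example.
  namespace   = "eg"
  name        = "cloudtrail"
  stage       = "prod"
  environment = "prod"
  tags        = { BusinessUnit = "security" }

  # Trail settings. Each of these defaults to false in the inputs table (trail_enabled
  # defaults to true), so set them explicitly for an organization-wide, multi-region
  # trail that captures IAM/global events and writes signed digest files.
  trail_enabled                       = true
  trail_is_organization_trail         = true
  trail_is_multi_region_trail         = true
  trail_include_global_service_events = true
  trail_enable_logging                = true
  trail_enable_log_file_validation    = true

  # KMS settings. trail_kms_enabled defaults to false, so the module creates no key
  # unless asked; enabling rotation is likewise off by default.
  # trail_kms_account_ids is the only required input: list every account the
  # organization trail will reside in. These IDs are placeholders.
  trail_kms_enabled             = true
  trail_kms_enable_key_rotation = true
  trail_kms_account_ids = [
    "111111111111", # placeholder: management account
    "222222222222", # placeholder: member account
  ]

  # Bucket settings. bucket_enabled defaults to false (no bucket created);
  # when the module does create it, require TLS and keep object versions.
  bucket_enabled                 = true
  bucket_allow_ssl_requests_only = true
  bucket_versioning_enabled      = true
  bucket_force_destroy           = false
  bucket_acl                     = "log-delivery-write"
  bucket_sse_algorithm           = "AES256"
}

# Identifiers an audit or log-ingestion pipeline will need, from the outputs table.
output "cloudtrail_trail_arn" {
  value = module.org_cloudtrail.trail_arn
}

output "cloudtrail_bucket_id" {
  value = module.org_cloudtrail.bucket_id
}

output "cloudtrail_kms_key_arn" {
  value = module.org_cloudtrail.kms_key_arn
}
```

If an existing log bucket or key must be reused instead, the inputs table gives the alternative: leave bucket_enabled at false and set trail_bucket, and leave trail_kms_enabled at false and set trail_kms_key_arn. The two variables are only read in those cases, so supplying them alongside bucket_enabled = true or trail_kms_enabled = true has no effect.
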
Feel free to create an issue in this repository if you have questions, suggestions or feature requests.
We want to provide high-quality code and modules. For this reason we use several pre-commit hooks and a GitHub Actions workflow. A pull request to the master branch triggers these validations and lints automatically. Please check your code before creating a pull request. See the pre-commit documentation and the GitHub Actions documentation for further details.
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.