# AWS CloudTrail Terraform Module

Terraform module to provision CloudTrail on AWS.
## Usage

### Simple setup

Create a simple AWS CloudTrail trail with default log delivery to an S3 bucket.
```hcl
module "cloudtrail" {
  source  = "app.terraform.io/ncodelibrary/cloudtrail/aws"
  version = "0.1.2"

  aws_account_id               = 123456789
  cloudtrail_name              = "example-cloudtrail"
  cloudtrail_sns_topic_enabled = false
  cloudwatch_logs_enabled      = false
  region                       = "us-east-1"
  s3_bucket_name               = "example-s3-bucket"
  is_organization_trail        = false

  tags = {
    Owner       = "sysops"
    env         = "dev"
    Cost_Center = "XYZ"
  }
}
```
For a complete working example, see examples/simple.

### Advanced setup

To enable the additional options, such as log delivery to an SNS topic and a CloudWatch Logs log group, use the module like this:
```hcl
module "cloudtrail" {
  source  = "app.terraform.io/ncodelibrary/cloudtrail/aws"
  version = "0.1.2"

  aws_account_id                    = 123456789
  cloudtrail_name                   = "example-cloudtrail"
  cloudtrail_sns_topic_enabled      = true
  cloudtrail_sns_topic_name         = "example-cloudtrail-sns-topic"
  cloudwatch_logs_enabled           = true
  cloudwatch_logs_group_name        = "example-cloudtrail-log-group"
  cloudwatch_logs_retention_in_days = 3
  iam_role_name                     = "example-cloudtrail-CloudWatch-Delivery-Role"
  iam_role_policy_name              = "example-cloudtrail-CloudWatch-Delivery-Policy"
  key_deletion_window_in_days       = 7
  region                            = "us-east-1"
  s3_bucket_name                    = "example-s3-bucket"
  is_organization_trail             = false

  tags = {
    Owner       = "sysops"
    env         = "dev"
    Cost_Center = "XYZ"
  }
}
```
For the full set of options, see the working example at examples/advanced.
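The module takes `s3_bucket_name` as an input and lists no `aws_s3_bucket` resource, so the bucket must already exist with a policy that allows CloudTrail to write to it. The following is an added example, not code from the module or its examples/ directory; the account id, region, bucket and trail names are assumed placeholders chosen to match the module calls above.

```hcl
# Added example, not part of the module: the bucket named in s3_bucket_name must
# already exist (the module creates no aws_s3_bucket) with a CloudTrail policy.
locals {
  account_id = "123456789012" # placeholder, use your own account id
  trail_arn  = "arn:aws:cloudtrail:us-east-1:${local.account_id}:trail/example-cloudtrail"
}
resource "aws_s3_bucket" "trail" {
  bucket = "example-s3-bucket" # matches s3_bucket_name passed to the module
}
# Standard CloudTrail bucket policy: ACL check, then PutObject scoped to this
# account's log prefix, this trail only (aws:SourceArn) and the bucket-owner ACL.
data "aws_iam_policy_document" "trail_bucket" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail.arn}/AWSLogs/${local.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
}
resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail_bucket.json
}
```

Add `depends_on = [aws_s3_bucket_policy.trail]` to the module call so the trail is created after the policy is in place; if you set `s3_key_prefix`, that prefix must precede `AWSLogs/` in the PutObject resource path.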
## Examples

Here are some working examples of using this module:

- examples/simple
- examples/advanced
## Requirements

No requirements.

## Providers

| Name | Version |
|---|---|
| aws | n/a |

## Modules

No modules.

## Resources

| Name |
|---|
| aws_cloudtrail |
| aws_cloudwatch_log_group |
| aws_iam_policy_document |
| aws_iam_role |
| aws_iam_role_policy |
| aws_kms_key |
| aws_sns_topic |
| aws_sns_topic_policy |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_account_id | The AWS account ID of the account. | any | n/a | yes |
| cloudtrail_name | The name of the trail. | string | "cloudtrail-multi-region" | no |
| cloudtrail_sns_topic_enabled | Specifies whether the trail is delivered to an SNS topic. | bool | true | no |
| cloudtrail_sns_topic_name | The SNS topic linked to the CloudTrail trail. | string | "cloudtrail-multi-region-sns-topic" | no |
| cloudwatch_logs_enabled | Specifies whether the trail is delivered to CloudWatch Logs. | bool | true | no |
| cloudwatch_logs_group_name | The name of the CloudWatch Logs log group to which CloudTrail events are delivered. | string | "cloudtrail-multi-region" | no |
| cloudwatch_logs_retention_in_days | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | number | 365 | no |
| iam_role_name | The name of the IAM role used by CloudTrail to deliver logs to the CloudWatch Logs log group. | string | "CloudTrail-CloudWatch-Delivery-Role" | no |
| iam_role_policy_name | The name of the IAM role policy used by CloudTrail to deliver logs to the CloudWatch Logs log group. | string | "CloudTrail-CloudWatch-Delivery-Policy" | no |
| is_organization_trail | Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | bool | false | no |
| key_deletion_window_in_days | Duration in days after which the KMS key is deleted after destruction of the resource; must be between 7 and 30 days. Defaults to 30 days. | number | 10 | no |
| region | The AWS region in which CloudTrail is set up. | any | n/a | yes |
| s3_bucket_name | The name of the S3 bucket which will store configuration snapshots. | any | n/a | yes |
| s3_key_prefix | The key prefix within the specified S3 bucket. | string | "" | no |
| tags | Tag keys and values applied to all resources created by this module. | map | {} | no |
## Outputs

| Name | Description |
|---|---|
| cloudtrail | The trail for recording events in all regions. |
| cloudtrail_sns_topic | The SNS topic linked to the CloudTrail trail. |
| kms_key | The KMS key used for encrypting CloudTrail events. |
| log_delivery_iam_role | The IAM role used for delivering CloudTrail events to CloudWatch Logs. |
| log_group | The CloudWatch Logs log group which stores CloudTrail events. |
## Contributing

If you want to contribute to this repository, check all the guidelines specified here before submitting a new PR.

## Authors

Module managed by nClouds.