terraform-aws-cloudtrail-bucket

Create and manage a bucket suitable for encrypted CloudTrail logging. Supports inbound logging from multiple accounts through the allowed_account_ids var.

Usage

To create a bucket in this account that can be logged to from acct 12345678 and the current account

# in acct 23456789
module "cloudtrail-bucket" {
  source         = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket"

  allowed_account_ids = [12345678]
  logging_bucket      = module.s3logging-bucket.s3logging_bucket_name
  region              = var.region
}

module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging"
  cloudtrail_bucket = module.cloudtrail-bucket.s3_bucket_name
  kms_key_id        = module.cloudtrail-bucket.kms_key_id
  region            = var.region
}

Then in acct 12345678 you can log back to the bucket like this

# in acct 12345678
module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging"
  cloudtrail_bucket = "23456789-us-east-1-cloudtrail"
  kms_key_id        = "arn:aws:kms:us-east-1:23456789:key/a53f476a-e691-4d19-9003-202e6fb9c5b4"
  region            = var.region
}

Requirements

Name	Version
terraform	>= 1.3
aws	>= 4

Providers

Name	Version
aws	4.48.0

Modules

No modules.

Resources

Name	Type
aws_kms_alias.this	resource
aws_kms_key.this	resource
aws_s3_bucket.this	resource
aws_s3_bucket_acl.this	resource
aws_s3_bucket_lifecycle_configuration.this	resource
aws_s3_bucket_logging.this	resource
aws_s3_bucket_policy.this	resource
aws_s3_bucket_public_access_block.this	resource
aws_s3_bucket_server_side_encryption_configuration.this	resource
aws_s3_bucket_versioning.this	resource
aws_caller_identity.current	data source
aws_iam_policy_document.key	data source
aws_iam_policy_document.key_empty	data source
aws_iam_policy_document.key_merged_policy	data source
aws_iam_policy_document.key_roles	data source
aws_iam_policy_document.this	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
allowed_account_ids	Optional list of AWS Account IDs that are permitted to write to the bucket	list(string)	[]	no
bucket_name	Name of the S3 bucket to create. Defaults to {account_id}-{region}-cloudtrail.	string	null	no
lifecycle_rules	lifecycle rules to apply to the bucket	list(object( { id = string enabled = optional(bool, true) expiration = optional(number) prefix = optional(number) noncurrent_version_expiration = optional(number) transition = optional(list(object({ days = number storage_class = string }))) }))	[ { "id": "expire-noncurrent-objects-after-ninety-days", "noncurrent_version_expiration": 90 }, { "id": "transition-to-IA-after-30-days", "transition": [ { "days": 30, "storage_class": "STANDARD_IA" } ] }, { "expiration": 2557, "id": "delete-after-seven-years" } ]	no
logging_bucket	S3 bucket with suitable access for logging requests to the cloudtrail bucket	string	n/a	yes
region	Region to create KMS key in	string	n/a	yes
roles_allowed_kms_decrypt	Optional list of roles that have access to KMS decrypt and are permitted to decrypt logs	list(string)	[]	no
tags	Mapping of any extra tags you want added to resources	map(string)	{}	no
versioning_enabled	Whether or not to use versioning on the bucket. This can be useful for audit purposes since objects in a logging bucket should not be updated.	bool	true	no

Outputs

Name	Description
kms_key_id	KMS key used by cloudtrail
s3_bucket_arn	The ARN of the bucket
s3_bucket_name	The name of the bucket

Related Projects

• CloudTrail Logging module
• S3 Logging Module