Skip to content
Creates and configures AWS CloudTrail
HCL Go Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Terraform AWS CloudTrail

This module creates AWS CloudTrail and configures it so that logs go to cloudwatch.

Terraform Versions

Terraform 0.12. Pin module version to ~> 2.X. Submit pull-requests to master branch.

Terraform 0.11. Pin module version to ~> 1.X. Submit pull-requests to terraform011 branch.


module "aws_cloudtrail" {
    source             = "trussworks/cloudtrail/aws"
    s3_bucket_name     = "my-company-cloudtrail-logs"
    log_retention_days = 90


Name Description Type Default Required
cloudwatch_log_group_name The name of the CloudWatch Log Group that receives CloudTrail events. string "cloudtrail-events" no
encrypt_cloudtrail Whether or not to use a custom KMS key to encrypt CloudTrail logs. string "false" no
key_deletion_window_in_days Duration in days after which the key is deleted after destruction of the resource, must be 7-30 days. Default 30 days. string "30" no
log_retention_days Number of days to keep AWS logs around in specific log group. string "90" no
org_trail Whether or not this is an organization trail. Only valid in master account. string "false" no
s3_bucket_name The name of the AWS S3 bucket. string n/a yes


Name Description
cloudtrail_arn CloudTrail ARN
cloudtrail_home_region CloudTrail Home Region
cloudtrail_id CloudTrail ID

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs


Terratest is being used for automated testing with this module. Tests in the test folder can be run locally by running the following command:

make test

Or with aws-vault:

AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
You can’t perform that action at this time.