Pattern: Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed
Issue: -
When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.
Resolution: Enable Cloudtrail in all regions.
Example of incorrect code:
resource "aws_cloudtrail" "bad_example" {
event_selector {
read_write_type = "All"
include_management_events = true
data_resource {
type = "AWS::S3::Object"
values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
}
}
}
Example of correct code:
resource "aws_cloudtrail" "good_example" {
is_multi_region_trail = true
event_selector {
read_write_type = "All"
include_management_events = true
data_resource {
type = "AWS::S3::Object"
values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
}
}
}