Terraform module which creates an AWS S3 Bucket for Multi-Account Cloudtrail logs.
This is an opinionated tool for setting up a central bucket in an audit account to house multiple cloudtrail logs streams. Not recommended for trails with data events due to cost.
Features:
- AWS S3 default encryption for data at rest
- 365 day object lock in GOVERNANCE mode to prevent source file issues
- 366 day auto expiration
module "cloudtrail_s3" {
source = "platformod/cloudtrail-s3"
version = 0.CHANGE_ME
# will get '-cloudtrail' appended
name = "my-org-all-accounts"
# Needs a list of maps with the accounts and trail arn that will write to this bucket.
account_trails = [
{account = 111111111111, arn = "arn:aws:cloudtrail:us-east-99:111111111111:trail/trail-name"},
{account = 222222222222, arn = "arn:aws:cloudtrail:us-westish-42:222222222222:trail/trailier-name"},
]
}
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.0 |
Name | Version |
---|---|
aws | 5.41.0 |
Name | Source | Version |
---|---|---|
bucket | terraform-aws-modules/s3-bucket/aws | 4.1.1 |
Name | Type |
---|---|
aws_iam_policy_document.bucket | data source |
aws_partition.current | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
account_trails | Mapping of AWS account id's to trail arns to allow write access for | list( |
n/a | yes |
name | A name prefix for the bucket, will have '-cloudtrail' appended | string |
n/a | yes |
Name | Description |
---|---|
s3_bucket_arn | The AWS ARN of the bucket |
s3_bucket_id | The name of the bucket |
The tests in this repo will create and destroy real resources at AWS and incur cost. Please be careful when running them.
Heavily inspired from the following repos
- https://github.com/cloudposse/terraform-aws-s3-log-storage
- https://github.com/terraform-aws-modules/terraform-aws-s3-bucket
MPL-2.0 Licensed. See LICENSE.