
Module: cloudtrail

Terraform module to provision an AWS CloudTrail.

The module expects an existing S3 bucket, with versioning and server-side encryption enabled, in which to store the CloudTrail logs.

The bucket could be from the same AWS account or from a different account.

This is useful if an organization uses a number of separate AWS accounts to isolate the Audit environment from other environments (production, staging, development).

In this case, you create CloudTrail in the production environment (production AWS account), while the S3 bucket to store the CloudTrail logs is created in the Audit AWS account, restricting access to the logs only to the users/groups from the Audit account.
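The bucket-side half of that cross-account setup, as an added example that is not part of the module or this README: it is written with plain AWS provider resources in the Audit account rather than with the cloudtrail-s3-bucket module, and the bucket name, production account ID, region and trail name are assumed placeholders. The point of the policy is that only CloudTrail, and only the named trail in the production account, may write to the bucket, and it may write only under that account's own prefix.

```hcl
# Added example, not the module's own code. Applied in the Audit account.
# Every value in `locals` is an assumption; replace with your own.
locals {
  audit_bucket_name = "eg-audit-cloudtrail-logs" # assumed bucket name
  prod_account_id   = "111111111111"             # assumed production account ID
  prod_region       = "us-east-1"                # assumed home region of the trail
  prod_trail_name   = "eg-dev-cluster"           # assumed trail name in production
  prod_trail_arn    = "arn:aws:cloudtrail:${local.prod_region}:${local.prod_account_id}:trail/${local.prod_trail_name}"
}

resource "aws_s3_bucket" "audit" {
  bucket = local.audit_bucket_name
}

# Versioning and encryption are what the cloudtrail module expects of its bucket.
resource "aws_s3_bucket_versioning" "audit" {
  bucket = aws_s3_bucket.audit.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "audit" {
  bucket = aws_s3_bucket.audit.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# No public access; the bucket policy below is the only grant to an outside principal.
resource "aws_s3_bucket_public_access_block" "audit" {
  bucket                  = aws_s3_bucket.audit.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "audit" {
  # CloudTrail reads the bucket ACL before it delivers the first log file.
  statement {
    sid       = "AWSCloudTrailAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.audit.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    # Without this condition any trail in any account could target the bucket.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.prod_trail_arn]
    }
  }

  # Writes are confined to the production account's prefix and must hand
  # ownership of each object to the Audit account (bucket owner).
  statement {
    sid       = "AWSCloudTrailWrite"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.audit.arn}/AWSLogs/${local.prod_account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.prod_trail_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "audit" {
  bucket = aws_s3_bucket.audit.id
  policy = data.aws_iam_policy_document.audit.json
}
```

Nothing in this policy grants read access to anyone: who may read or delete the delivered logs is decided by IAM policies inside the Audit account, which is what keeps them out of reach of production principals. If you encrypt the bucket with SSE-KMS instead of AES256, the KMS key policy must also allow the CloudTrail service principal to generate data keys, or delivery fails silently from the trail's point of view.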

Usage

module "cloudtrail" {
  source = "cloudposse/cloudtrail/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  namespace                     = "eg"
  stage                         = "dev"
  name                          = "cluster"
  enable_log_file_validation    = true  # deliver SHA-256 digest files so tampering with log files can be detected
  include_global_service_events = true  # record IAM, STS and other global-service events in this trail
  is_multi_region_trail         = false # set to true to capture events from every region in one trail
  enable_logging                = true
  s3_bucket_name                = "my-cloudtrail-logs-bucket" # existing bucket, same or different account
}

NOTE: To create an S3 bucket for CloudTrail logs, use the terraform-aws-cloudtrail-s3-bucket module. It creates the S3 bucket together with the bucket policy that allows CloudTrail to deliver logs to it.

module "cloudtrail" {
  source = "cloudposse/cloudtrail/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  namespace                     = "eg"
  stage                         = "dev"
  name                          = "cluster"
  enable_log_file_validation    = true
  include_global_service_events = true
  is_multi_region_trail         = false
  enable_logging                = true
  s3_bucket_name                = module.cloudtrail_s3_bucket.bucket_id # bucket created by the module below
}

module "cloudtrail_s3_bucket" {
  source = "cloudposse/cloudtrail-s3-bucket/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  namespace = "eg"
  stage     = "dev"
  name      = "cluster"
}

For a complete example, see examples/complete.