Creates an AWS CloudTrail trail. By default the module creates a KMS key for the logs, enables log file integrity validation, records events from all regions and global services, and delivers the trail to a CloudWatch Logs group it creates; the S3 bucket that receives the log files must already exist.

At the moment, testing is manual and runs against a real AWS account:

```bash
# Replace "xxx" with an actual AWS profile, then execute the integration tests.
AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
```
Requirements:

Name | Version |
---|---|
terraform | >= 0.12 |
aws | >= 3.0.0 |
Providers:

Name | Version |
---|---|
aws | >= 3.0.0 |
Data sources read by the module:

Name | Type |
---|---|
aws_caller_identity.current | data source |
aws_cloudwatch_log_group.this | data source |
aws_iam_policy_document.assume_role | data source |
aws_iam_policy_document.kms_key_policy | data source |
aws_iam_policy_document.write_logs | data source |
aws_partition.current | data source |
aws_region.current | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
advanced_event_selectors | Specifies an advanced event selector for enabling data event logging. Each entry contains an optional name for the selector and a list of maps specifying field_selectors. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the field selectors | list(any) | [] | no |
cloud_watch_logs_group_name | (Optional) Name of a preexisting log group to use; by default the module creates a log group | string | null | no |
cloud_watch_logs_role_arn | (Optional) ARN of the role the CloudWatch Logs endpoint assumes to write to the log group | string | null | no |
cloudtrail_bucket | Name of the S3 bucket to send CloudTrail logs to; the bucket must already exist and carry a bucket policy that lets CloudTrail write to it | string | null | no |
cloudtrail_name | Name of the trail to create | string | null | no |
create_kms_key | Controls whether to create a KMS key that CloudTrail will use to encrypt the logs | bool | true | no |
enable_log_file_validation | Specifies whether log file integrity validation is enabled (CloudTrail delivers signed digest files that let you detect modified or deleted log files) | bool | true | no |
enable_logging | Specifies whether the trail actively records events once configured | bool | true | no |
event_selectors | List of maps specifying read_write_type, include_management_events, type, and values. See https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for more information regarding the map values | list(any) | [] | no |
include_global_service_events | Specifies whether the trail publishes events from global services such as IAM to the log files | bool | true | no |
is_multi_region_trail | Specifies whether the trail is created in the current region only or in all regions | bool | true | no |
kms_key_alias | (Optional) The display name of the alias for the KMS key the module creates | string | "terraform-cloudtrail-kms-key" | no |
kms_key_id | (Optional) ARN of an existing KMS key used to encrypt the CloudTrail logs | string | null | no |
retention_in_days | (Optional) Number of days to retain log events in the log group. Only applies if the module creates the log group | number | 7 | no |
s3_key_prefix | S3 key prefix that follows the name of the bucket designated for log file delivery | string | null | no |
tags | A map of tags to add to the CloudTrail resource | map(string) | {} | no |
use_cloud_watch_logs | Specifies whether to send the trail to a CloudWatch Logs group | bool | true | no |
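The following root configuration is an added usage example, not code from this module or its repository. It wires the inputs above together with the one thing the module does not do for you: the destination bucket and its bucket policy. The bucket name, the `../` module path, the trail name, and the `example-sensitive-data` bucket ARN in the event selector are placeholders; the bucket policy statements (`s3:GetBucketAcl` on the bucket, `s3:PutObject` on the `AWSLogs/<account>` delivery path with `bucket-owner-full-control`) are the standard CloudTrail delivery requirements, not something the module documents.

```hcl
# Added example of calling this module from a root configuration.
# Not the module's own code. Placeholders: bucket names, trail name, module path.

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  log_bucket = "example-org-cloudtrail-logs" # placeholder, must be globally unique
  prefix     = "trail"
}

resource "aws_s3_bucket" "cloudtrail" {
  bucket = local.log_bucket
}

# Log buckets must never be publicly readable: block every public access path.
resource "aws_s3_bucket_public_access_block" "cloudtrail" {
  bucket                  = aws_s3_bucket.cloudtrail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CloudTrail needs GetBucketAcl on the bucket and PutObject on the delivery
# path under the chosen prefix; delivery is rejected without both statements.
data "aws_iam_policy_document" "cloudtrail_bucket" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.cloudtrail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  statement {
    sid     = "AWSCloudTrailWrite"
    actions = ["s3:PutObject"]
    resources = [
      "${aws_s3_bucket.cloudtrail.arn}/${local.prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  policy = data.aws_iam_policy_document.cloudtrail_bucket.json
}

module "cloudtrail" {
  source = "../" # assumed local path to this module

  cloudtrail_name = "org-trail"
  # Referencing the policy's bucket attribute (not the bucket itself) makes the
  # trail depend on the policy, so the policy exists before CloudTrail validates it.
  cloudtrail_bucket = aws_s3_bucket_policy.cloudtrail.bucket
  s3_key_prefix     = local.prefix

  # Security-relevant defaults restated explicitly so a change shows up in review.
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
  create_kms_key                = true
  use_cloud_watch_logs          = true
  retention_in_days             = 90

  # Record S3 object-level data events for a sensitive bucket (trailing '/'
  # covers every object). Do not point this at the log bucket itself, or each
  # log delivery generates further data events.
  event_selectors = [
    {
      read_write_type           = "All"
      include_management_events = true
      type                      = "AWS::S3::Object"
      values                    = ["arn:${data.aws_partition.current.partition}:s3:::example-sensitive-data/"]
    }
  ]

  tags = {
    Owner = "security-engineering"
  }
}

output "trail_arn" {
  value = module.cloudtrail.cloudtrail_arn
}
```

After `terraform apply`, confirm the settings took effect with `aws cloudtrail get-trail-status --name org-trail` (expect `IsLogging: true`) and `aws cloudtrail describe-trails --trail-name-list org-trail` (expect `IsMultiRegionTrail`, `LogFileValidationEnabled`, and a `KmsKeyId` set). If you bring your own key via `kms_key_id` instead of `create_kms_key`, its key policy must grant `cloudtrail.amazonaws.com` the `kms:GenerateDataKey*` and `kms:DescribeKey` permissions, which the module's generated key policy handles only for the key it creates.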
Outputs:

Name | Description |
---|---|
cloudtrail_arn | The Amazon Resource Name of the trail |
cloudtrail_home_region | The region in which the trail was created |
cloudtrail_id | The name of the trail |
kms_key_id | The KMS Key ARN used to encrypt the logs |
log_group | The CloudWatch log group object created when no previous log group is declared |