ACAI ACF Module: terraform-aws-acf-org-cloudtrail
GitHub Repository | Terraform Registry
Solution
This module deploys an AWS Organization CloudTrail and the S3 bucket that stores its logs, encrypted with a KMS CMK. Optionally, the CloudTrail logs can also be delivered to a CloudWatch log group in the CloudTrail admin account.
Architecture
Usage
locals {
  # Input settings for the org_cloudtrail module declared further down in this file.
  org_cloudtrail_settings = {
    ct_name = "PlatformOrgTrail"

    # Optional delivery of the trail's events to a CloudWatch log group
    # (lives in the CloudTrail admin account, see the module description above).
    cloudwatch_loggroup = {
      loggroup_name     = "platform-org-cloudtrail-mgmt"
      iam_role_name     = "platform-security-org-cloudtrail-role"
      iam_role_path     = "/"
      retention_in_days = 7
    }

    # Log bucket; the name carries the log-archive account id as a suffix.
    s3_bucket = {
      bucket_name         = "platform-org-cloudtrail-mgmt-s3-${local.core_account_ids.log_archive}"
      days_to_glacier     = -1 # NOTE(review): presumably -1 disables the Glacier transition — confirm in the module's variable docs
      days_to_expiration  = 90 # NOTE(review): 90-day expiry of org-trail evidence is short for investigations/compliance — confirm against retention requirements
      bucket_access_s3_id = "" # NOTE(review): meaning of an empty value is not stated here — confirm in the module's variable docs
    }

    # Athena-related names; presumably used for querying the delivered logs,
    # consumed by a baseline module not shown in this snippet.
    account_baseline = {
      athena_bucket_name    = "platform-athena-queries-cloudtrail-mgmt-s3"
      athena_workgroup_name = "platform-cloudtrail-mgmt-s3"
      athena_database_name  = "platform-cloudtrail-mgmt-s3-athena"
      athena_table_name     = "platform-cloudtrail_logs"
    }
  }
}
# ---------------------------------------------------------------------------------------------------------------------
# ¦ ORG CLOUDTRAIL
# ---------------------------------------------------------------------------------------------------------------------
module "org_cloudtrail" {
  # Pinned to the 1.1.0 git tag. NOTE(review): a tag is a mutable reference, so for
  # a stricter supply-chain posture consider pinning to the tag's commit SHA or
  # consuming the release via the Terraform Registry with a version constraint.
  source = "git::https://github.com/acai-solutions/terraform-aws-acf-org-cloudtrail.git?ref=1.1.0"

  # Settings are taken from local.org_cloudtrail_settings; note that its
  # account_baseline entry is not passed here (presumably consumed elsewhere).
  org_cloudtrail_name = local.org_cloudtrail_settings.ct_name
  cloudwatch_loggroup = local.org_cloudtrail_settings.cloudwatch_loggroup
  s3_bucket           = local.org_cloudtrail_settings.s3_bucket

  # The module expects two aliased AWS providers: one for the account that owns
  # the trail, one for the account that owns the log bucket.
  providers = {
    aws.org_cloudtrail_admin  = aws.Act_CloudTrailAdmin
    aws.org_cloudtrail_bucket = aws.Act_CloudTrailBucket
  }
}