
ACAI ACF Module: terraform-aws-acf-org-cloudtrail

GitHub Repository | Terraform Registry

Solution

This module deploys the AWS Organization CloudTrail together with the S3 bucket that stores its logs, encrypted with a KMS customer managed key (CMK). Optionally, the CloudTrail logs can also be delivered to a CloudWatch Log Group in the CloudTrail admin account, e.g. for near-real-time alerting.

Architecture

architecture

Usage

# Settings consumed by module "org_cloudtrail" below.
# NOTE(review): these are example values; the retention and expiration settings in
# particular should be aligned with your audit/compliance requirements before use.
locals {
    org_cloudtrail_settings = {
        # Name of the organization trail.
        ct_name = "PlatformOrgTrail"
        # Optional delivery of CloudTrail events to a CloudWatch Log Group in the
        # CloudTrail admin account.
        cloudwatch_loggroup = {
          loggroup_name     = "platform-org-cloudtrail-mgmt"
          # IAM role CloudTrail assumes to write to the Log Group; presumably the
          # module scopes it to this Log Group only -- verify in the module source.
          iam_role_name     = "platform-security-org-cloudtrail-role"
          iam_role_path     = "/"
          # NOTE(review): 7 days makes CloudWatch a short-lived alerting source only;
          # the S3 bucket below is the long-term record.
          retention_in_days = 7
        }
        # S3 bucket holding the encrypted trail logs.
        s3_bucket = {
          # Bucket names are global; the account-id suffix avoids collisions and
          # makes the owning account visible. local.core_account_ids is defined
          # elsewhere in the root module, not in this snippet.
          bucket_name         = "platform-org-cloudtrail-mgmt-s3-${local.core_account_ids.log_archive}"
          # Presumably -1 disables the Glacier lifecycle transition -- confirm
          # against the module's variable documentation.
          days_to_glacier     = -1
          # NOTE(review): objects expire after 90 days. CloudTrail logs are the
          # primary forensic record and many frameworks expect >= 1 year retention;
          # confirm this value is intentional.
          days_to_expiration  = 90
          # Presumably the target bucket for S3 server access logging; an empty
          # string appears to leave it disabled -- confirm against the module.
          bucket_access_s3_id = ""
        }
        # Athena resources for querying the trail logs. These settings are not passed
        # to module "org_cloudtrail" in this example.
        account_baseline = {
          athena_bucket_name    = "platform-athena-queries-cloudtrail-mgmt-s3"
          athena_workgroup_name = "platform-cloudtrail-mgmt-s3"
          athena_database_name  = "platform-cloudtrail-mgmt-s3-athena"
          athena_table_name     = "platform-cloudtrail_logs"
        }
    }
}

# ---------------------------------------------------------------------------------------------------------------------
# ¦ ORG CLOUDTRAIL 
# ---------------------------------------------------------------------------------------------------------------------
# Deploys the organization trail, its KMS-encrypted S3 bucket and (optionally) the
# CloudWatch Log Group. Two providers are required: one for the CloudTrail admin
# account and one for the account that owns the log bucket.
module "org_cloudtrail" {
  # NOTE(review): ref=1.1.0 pins a git tag, which is mutable. For a stronger
  # supply-chain guarantee pin the commit SHA behind the tag (ref=<sha>), or use
  # the Terraform Registry source with an exact version constraint.
  source = "git::https://github.com/acai-solutions/terraform-aws-acf-org-cloudtrail.git?ref=1.1.0"

  org_cloudtrail_name = local.org_cloudtrail_settings.ct_name
  cloudwatch_loggroup = local.org_cloudtrail_settings.cloudwatch_loggroup
  s3_bucket           = local.org_cloudtrail_settings.s3_bucket
  # local.org_cloudtrail_settings.account_baseline is not passed here; confirm
  # whether this module expects it or a separate module consumes it.
  providers = {
    # Account that owns the organization trail (and the optional Log Group).
    aws.org_cloudtrail_admin  = aws.Act_CloudTrailAdmin
    # Account that owns the S3 log bucket (presumably the log-archive account).
    aws.org_cloudtrail_bucket = aws.Act_CloudTrailBucket
  }
}