awscc_cloudtrail_trail (Resource)

Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket. A maximum of five trails can exist in a region, irrespective of the region in which they were created.

Example Usage

Basic Trail

Creates a CloudTrail trail with an S3 bucket as the log destination.

# Minimal trail: management events delivered to the S3 bucket declared below.
# Log file validation and multi-region coverage are not enabled in this
# example; see the "Complex Trail" example for enable_log_file_validation.
resource "awscc_cloudtrail_trail" "example" {
  trail_name = "example"
  is_logging = true

  # The bucket policy below grants cloudtrail.amazonaws.com the bucket
  # access this trail needs.
  s3_bucket_name = awscc_s3_bucket.example.id

  tags = [
    { key = "Managed By", value = "AWSCC" },
  ]
}

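# Bucket policy required for CloudTrail delivery. The three statements:
#   1. deny any request to the bucket that is not made over TLS;
#   2. let cloudtrail.amazonaws.com check the bucket ACL and listing;
#   3. let cloudtrail.amazonaws.com write objects under this account's
#      AWSLogs/<account-id>/ path only.
# Statement 3 additionally requires the bucket-owner-full-control object ACL,
# matching the bucket policy AWS publishes for CloudTrail, so that delivered
# objects are always owned by the bucket owner. Pinning the trail with an
# aws:SourceArn condition would add confused-deputy protection, but needs the
# trail's region and name and is left to the reader.
resource "awscc_s3_bucket_policy" "example" {
  bucket = awscc_s3_bucket.example.id
  policy_document = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid       = "AllowSSLRequestsOnly",
        Effect    = "Deny",
        Principal = { AWS = "*" },
        Action    = "s3:*",
        Resource = [
          awscc_s3_bucket.example.arn,
          "${awscc_s3_bucket.example.arn}/*"
        ],
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      },
      {
        Sid       = "AWSBucketPermissionsCheck",
        Effect    = "Allow",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Action    = ["s3:GetBucketAcl", "s3:ListBucket"],
        Resource  = awscc_s3_bucket.example.arn
      },
      {
        Sid       = "AWSCloudTrailWrite",
        Effect    = "Allow",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Action    = "s3:PutObject",
        # The account ID in the path keeps a trail from another account from
        # delivering into this bucket.
        Resource  = "${awscc_s3_bucket.example.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
        Condition = {
          StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" }
        }
      }
    ]
  })
}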

# Log destination. The account ID is embedded in the name to keep it
# globally unique.
# NOTE(review): this minimal example sets no public_access_block_configuration,
# versioning or default encryption on the bucket; consider them for a bucket
# holding audit logs (the "Complex Trail" example adds KMS default encryption).
resource "awscc_s3_bucket" "example" {
  bucket_name = "example-cloudtrail-${data.aws_caller_identity.current.account_id}"
}

# Resolves the current account ID used in the bucket name and bucket policy.
data "aws_caller_identity" "current" {}

Complex Trail

Creates a CloudTrail trail encrypted with a KMS key, with advanced event selectors enabled.

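# Hardened trail: log files are digest-validated and encrypted with the
# customer-managed KMS key declared below, and advanced event selectors
# record management events plus S3 object-level data events.
resource "awscc_cloudtrail_trail" "example" {
  trail_name = "example"
  is_logging = true

  # Delivery target and key. s3_key_prefix must match the path granted by
  # the bucket policy's AWSCloudTrailWrite statement.
  s3_bucket_name = awscc_s3_bucket.example.id
  s3_key_prefix  = "prefix"
  kms_key_id     = awscc_kms_key.example.id

  # Digest files let readers detect modified or deleted log files.
  enable_log_file_validation = true

  # false means events from global services (for example IAM and STS) are
  # not recorded by this trail; set to true if this trail is meant to be the
  # account's audit record. is_multi_region_trail is likewise left unset.
  include_global_service_events = false

  # With advanced event selectors, only the categories selected are logged.
  # The original example selected S3 data events only; the first selector
  # below keeps management events in the trail as well.
  advanced_event_selectors = [
    {
      name = "Log management events"
      field_selectors = [
        { field = "eventCategory", equals = ["Management"] },
      ]
    },
    {
      name = "Log all S3 objects events"
      field_selectors = [
        { field = "eventCategory", equals = ["Data"] },
        { field = "resources.type", equals = ["AWS::S3::Object"] },
      ]
    },
  ]

  tags = [
    { key = "Managed By", value = "AWSCC" },
  ]
}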

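# Bucket policy required for CloudTrail delivery. The three statements:
#   1. deny any request to the bucket that is not made over TLS;
#   2. let cloudtrail.amazonaws.com check the bucket ACL and listing;
#   3. let cloudtrail.amazonaws.com write objects under
#      <s3_key_prefix>/AWSLogs/<account-id>/ only.
# Statement 3 additionally requires the bucket-owner-full-control object ACL,
# matching the bucket policy AWS publishes for CloudTrail. Pinning the trail
# with an aws:SourceArn condition would add confused-deputy protection, but
# needs the trail's region and name and is left to the reader.
resource "awscc_s3_bucket_policy" "example" {
  bucket = awscc_s3_bucket.example.id
  policy_document = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid       = "AllowSSLRequestsOnly",
        Effect    = "Deny",
        Principal = { AWS = "*" },
        Action    = "s3:*",
        Resource = [
          awscc_s3_bucket.example.arn,
          "${awscc_s3_bucket.example.arn}/*"
        ],
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      },
      {
        Sid       = "AWSBucketPermissionsCheck",
        Effect    = "Allow",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Action    = ["s3:GetBucketAcl", "s3:ListBucket"],
        Resource  = awscc_s3_bucket.example.arn
      },
      {
        Sid       = "AWSCloudTrailWrite",
        Effect    = "Allow",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Action    = "s3:PutObject",
        # "prefix" must equal s3_key_prefix on the trail; the account ID in
        # the path keeps a trail from another account from delivering here.
        Resource  = "${awscc_s3_bucket.example.arn}/prefix/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
        Condition = {
          StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" }
        }
      }
    ]
  })
}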

# Log destination with SSE-KMS default encryption using the customer-managed
# key declared below. The account ID keeps the name globally unique.
# NOTE(review): no public_access_block_configuration or versioning is set
# here; consider both for a bucket holding audit logs.
resource "awscc_s3_bucket" "example" {
  bucket_name = "example-cloudtrail-${data.aws_caller_identity.current.account_id}"

  bucket_encryption = {
    server_side_encryption_configuration = [{
      server_side_encryption_by_default = {
        sse_algorithm     = "aws:kms"
        # Objects written without an explicit encryption header are encrypted
        # with this key.
        kms_master_key_id = awscc_kms_key.example.arn
      }
    }]
  }
}

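# Customer-managed key used by the trail (kms_key_id) and as the bucket's
# default encryption key. Annual rotation is enabled.
resource "awscc_kms_key" "example" {
  description         = "S3 KMS key"
  enable_key_rotation = true

  key_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        # Account root as principal delegates key administration to IAM
        # policies in this account, as in AWS's default key policy.
        Sid       = "Enable IAM User Permissions",
        Effect    = "Allow",
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" },
        Action    = "kms:*",
        Resource  = "*"
      },
      {
        Sid       = "Allow CloudTrail to encrypt and decrypt trail",
        Effect    = "Allow",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Action    = ["kms:GenerateDataKey*", "kms:Decrypt"],
        Resource  = "*",
        # CloudTrail passes the trail ARN as encryption context. Restricting
        # on it limits the service principal to trails in this account, as in
        # the key policy AWS documents for CloudTrail. An aws:SourceArn
        # condition naming the exact trail would tighten this further but
        # needs the trail's region and name.
        Condition = {
          StringLike = {
            "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
          }
        }
      }
    ]
  })
}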

# Resolves the current account ID used in the bucket name, bucket policy
# and key policy.
data "aws_caller_identity" "current" {}

Sending Events to CloudWatch Logs

Creates a CloudTrail trail that also sends events to a CloudWatch Logs log group.

# Trail that delivers to S3 and additionally streams events to CloudWatch
# Logs. CloudTrail writes to the log group by assuming the IAM role declared
# below. awscc_s3_bucket.example is assumed to be declared as in the earlier
# examples; it is not shown in this one.
resource "awscc_cloudtrail_trail" "example" {
  trail_name = "example"
  is_logging = true

  s3_bucket_name = awscc_s3_bucket.example.id

  cloudwatch_logs_log_group_arn = awscc_logs_log_group.example.arn
  cloudwatch_logs_role_arn      = awscc_iam_role.example.arn

  tags = [
    { key = "Managed By", value = "AWSCC" },
  ]
}

# Log group that receives the trail's events.
# NOTE(review): no retention_in_days or kms_key_id is set, so events are kept
# indefinitely under the service default encryption; consider both for a
# group holding audit data.
resource "awscc_logs_log_group" "example" {
  log_group_name = "example"
}

# Role CloudTrail assumes to write into the CloudWatch Logs group. The trust
# policy admits only the CloudTrail service principal; it carries no
# aws:SourceArn / aws:SourceAccount condition, which AWS recommends in
# service trust policies to limit which trail may use the role - consider
# adding one where that matters.
resource "awscc_iam_role" "example" {
  role_name = "cloudtrail_logs_role"

  assume_role_policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "cloudtrail.amazonaws.com" }
      },
    ]
  })
}
# Inline policy for the delivery role: create streams and put events, scoped
# to the log streams CloudTrail creates in this group
# (<account-id>_CloudTrail_<region>*) rather than the whole log group.
resource "awscc_iam_role_policy" "example" {
  policy_name = "cloudtrail_cloudwatch_logs_policy"
  role_name   = awscc_iam_role.example.role_name

  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${awscc_logs_log_group.example.id}:log-stream:${data.aws_caller_identity.current.account_id}_CloudTrail_${data.aws_region.current.name}*"
      }
    ]
  })
}

# Resolves the current account ID used in the log-stream ARN above.
data "aws_caller_identity" "current" {}

# Resolves the current region used in the log-stream ARN above.
data "aws_region" "current" {}

Schema

Required

Optional

Read-Only

Nested Schema for advanced_event_selectors

Required:

Optional:

Nested Schema for advanced_event_selectors.field_selectors

Required:

Optional:

Nested Schema for event_selectors

Optional:

Nested Schema for event_selectors.data_resources

Required:

Optional:

Nested Schema for insight_selectors

Optional:

Nested Schema for tags

Required:

Import

Import is supported using the following syntax:

$ terraform import awscc_cloudtrail_trail.example <resource ID>