HUB Account
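module "hub_cloudtrail" {
  source  = "oozou/cloudtrail/aws"
  version = "<version>"

  prefix      = "<customer_name>"
  environment = "devops"

  # Hub mode provisions the centralized S3 bucket, the KMS key and the trail
  # itself (see the account_mode input); spokes only provision a trail that
  # delivers into this account.
  account_mode = "hub"

  # Accounts whose spoke trails deliver into the hub bucket. Presumably these
  # IDs end up in the bucket/KMS policies (s3_cloudtrail, kms_cloudtrail) to
  # allow cross-account delivery — confirm against the module source before
  # relying on it. Keep this list tight: every ID here can write trail logs.
  spoke_account_ids = [
    "<spoke_account_id_1>",
    "<spoke_account_id_2>",
    "<spoke_account_id_3>"
  ]

  # Management events plus data events for every S3 object and every Lambda
  # function in the account, reads and writes alike. This is the broadest
  # (and most expensive) selector; narrow the `values` ARNs to specific
  # buckets/functions if log volume or cost becomes a concern.
  event_selector = [{
    data_resource = [
      {
        type   = "AWS::S3::Object"
        values = ["arn:aws:s3:::"]
      },
      {
        type   = "AWS::Lambda::Function"
        values = ["arn:aws:lambda"]
      }
    ]
    include_management_events = true
    read_write_type           = "All"
  }]

  # Lifecycle for the centralized trail bucket: tier down after ~1 month and
  # ~1 year, expire after ~10 years. Align expiration_days with the retention
  # your audit/compliance requirements demand — expired logs cannot be
  # recovered for a later investigation.
  centralize_trail_bucket_lifecycle_rule = [
    {
      id = "TrailLogLifecyclePolicy"
      transition = [
        {
          days          = 31
          storage_class = "STANDARD_IA"
        },
        {
          days          = 366
          storage_class = "GLACIER"
        }
      ]
      expiration_days = 3660
    }
  ]

  # Enable the module's built-in "authorization_failures" metric filter.
  enable_cloudwatch_log_metric_filters = ["authorization_failures"] # SELECT THE DEFAULT SETTING

  additional_cloudwatch_log_metric_filters = {
    # Reusing a built-in key replaces that built-in definition. With these
    # values the alarm fires when >= 50 AccessDenied / UnauthorizedOperation
    # errors are seen within a single 300-second period.
    authorization_failures = { # SAME KEY WILL OVERRIDE THE DEFAULT ONE
      comparison_operator = ">="
      threshold           = "50"
      evaluation_periods  = "1"
      period              = "300"
      pattern             = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
      # Empty list: the alarm changes state but notifies nobody. Point it at
      # an SNS topic (or set default_alarm_actions) so the signal is acted on.
      alarm_actions = []
    }
    # A caller-defined filter; `pattern` is a CloudWatch Logs filter pattern,
    # presumably evaluated over the trail's log group (trail_log).
    # Use a placeholder here rather than a concrete account-bound ARN, as the
    # rest of this example does.
    custom_metric_filter = {
      comparison_operator = ">="
      threshold           = "10"
      evaluation_periods  = "1"
      period              = "60"
      pattern             = "<pattern>"
      alarm_actions       = ["<alarm_sns_topic_arn>"]
    }
  }

  # Assumes the caller declares var.generics_info with a "custom_tags" map;
  # a literal map(string) (as in the spoke example) works just as well.
  tags = var.generics_info["custom_tags"]
}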
SPOKE Account
module "spoke_cloudtrail" {
  source  = "oozou/cloudtrail/aws"
  version = "<version>"

  # Spoke mode provisions only the trail; the bucket and the encryption key
  # are owned by the hub account (see the account_mode input).
  account_mode = "spoke"

  prefix      = "<customer_name>"
  environment = "dev"
  tags = {
    "Workspace" = "<workspace_name>"
  }

  # Delivery target and KMS key from the hub — take them from the hub module's
  # centralize_bucket_name and centralize_key_arn outputs.
  centralize_trail_bucket_name = "<hub_centralize_trail_logs_bucket_name>"
  kms_key_id                   = "<hub_centralize_trail_kms_arn>"

  # Same selector as the hub: management events plus all S3 object and Lambda
  # function data events, both reads and writes.
  event_selector = [
    {
      include_management_events = true
      read_write_type           = "All"
      data_resource = [
        { type = "AWS::S3::Object", values = ["arn:aws:s3:::"] },
        { type = "AWS::Lambda::Function", values = ["arn:aws:lambda"] }
      ]
    }
  ]
}
Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 4.0.0 |
Name | Version |
---|---|
aws | 4.23.0 |
Name | Source | Version |
---|---|---|
alarm | oozou/cloudwatch-alarm/aws | 1.0.0 |
centralize_log_bucket | oozou/s3/aws | 1.1.3 |
cloudtrail_kms | oozou/kms-key/aws | 1.0.0 |
Name | Type |
---|---|
aws_cloudtrail.this | resource |
aws_cloudwatch_log_group.trail_log | resource |
aws_cloudwatch_log_metric_filter.this | resource |
aws_iam_policy.cloudtrail_put_log_cw | resource |
aws_iam_role.cloudtrail_put_log_cw | resource |
aws_caller_identity.this | data source |
aws_iam_policy_document.force_ssl_s3_communication | data source |
aws_iam_policy_document.kms_cloudtrail | data source |
aws_iam_policy_document.s3_cloudtrail | data source |
aws_region.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
account_mode | Account mode for provisioning CloudTrail: if account_mode is hub, the S3 bucket, KMS key and CloudTrail are provisioned; if account_mode is spoke, only CloudTrail is provisioned | string |
n/a | yes |
additional_cloudwatch_log_metric_filters | (optional) Additional CloudWatch log metric filters | any |
{} |
no |
centralize_trail_bucket_lifecycle_rule | List of lifecycle rules to transition the data. Leave empty to disable this feature. storage_class can be STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, or DEEP_ARCHIVE | list(object({ |
[] |
no |
centralize_trail_bucket_name | S3 bucket used to store CloudTrail logs (long term). Leave the default if account_mode is hub; if account_mode is spoke, provide the hub's centralized S3 bucket name. | string |
"" |
no |
cloudwatch_log_retention_in_days | (optional) Retention period, in days, for the trail's CloudWatch log group | number |
365 |
no |
default_alarm_actions | The list of actions to execute when this alarm transitions into an ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN). | list(string) |
[] |
no |
enable_cloudwatch_log_metric_filters | (optional) List of metric filters to enable | list(string) |
[] |
no |
enable_log_file_validation | Specifies whether log file integrity validation is enabled. Creates a signed digest for the validated contents of the logs | bool |
true |
no |
enable_logging | Enable logging for the trail | bool |
true |
no |
environment | Environment name, used in resource names. | string |
n/a | yes |
event_selector | Specifies an event selector for enabling data event logging. See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#event_selector for details on this variable | list(object({ |
[] |
no |
include_global_service_events | Specifies whether the trail is publishing events from global services such as IAM to the log files | bool |
true |
no |
is_cloudtrail_encrypted | Whether CloudTrail encryption is enabled. | bool |
true |
no |
is_create_monitor_trail | Whether to create monitor trails. | bool |
true |
no |
is_multi_region_trail | Specifies whether the trail is created in the current region or in all regions | bool |
true |
no |
kms_key_id | The ARN of the KMS encryption key. Leave the default if account_mode is hub; if account_mode is spoke, provide the hub's centralized KMS key ARN. | string |
"" |
no |
prefix | Customer prefix used in AWS console display names and resource names | string |
n/a | yes |
spoke_account_ids | Spoke account IDs; used only when account_mode is hub. | list(string) |
[] |
no |
tags | Additional tags; default tags contain {terraform=true, environment=var.environment} | map(string) |
{} |
no |
Name | Description |
---|---|
centralize_bucket_arn | S3 Bucket ARN |
centralize_bucket_name | S3 Bucket Name |
centralize_key_arn | KMS key arn |
centralize_key_id | KMS key id |
cloudtrail_arn | CloudTrail ARN |
cloudtrail_id | CloudTrail ID |