terraform.aws-baseline-infra/modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf

resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" {
  name               = "${var.resource-prefix}-cwl-role"
  assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json
  description        = "Enables AWS CloudTrail to deliver log to CloudWatch log"
  tags               = var.default-tags
}

resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" {
  name   = "${var.resource-prefix}-cwl-role-policy"
  role   = aws_iam_role.iam_cloudtrial_cloudwatch_role.id
  policy = data.aws_iam_policy_document.ct-role-pdoc.json
}

data "aws_iam_policy_document" "ct-role-assumerole-policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "ct-role-pdoc" {
  statement {
    effect  = "Allow"
    actions = ["logs:CreateLogStream"]

    resources = [
      "${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",
    ]
  }

  statement {
    effect  = "Allow"
    actions = ["logs:PutLogEvents"]

    resources = [
      "${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",
    ]
  }
}


resource "aws_cloudtrail" "default" {
  name                          = "${var.resource-prefix}-trail-001"
  enable_logging                = true
  s3_bucket_name                = local.ct-bucket-name
  enable_log_file_validation    = true
  is_multi_region_trail         = true
  include_global_service_events = true
  cloud_watch_logs_role_arn     = aws_iam_role.iam_cloudtrial_cloudwatch_role.arn
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.ct-cwl.arn}:*"
  tags                          = var.default-tags
  kms_key_id                    = aws_kms_key.ctbucket-key.arn
  is_organization_trail         = false

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }

    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }
  }

  #insight_selector {
  #  insight_type = "ApiCallRateInsight"
  #}
}
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" {`
UPD: updated several modules to simplify input variables 2022-09-05 13:52:21 +08:00			`name = "${var.resource-prefix}-cwl-role"`
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json`
			`description = "Enables AWS CloudTrail to deliver log to CloudWatch log"`
			`tags = var.default-tags`
			`}`

			`resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" {`
UPD: updated several modules to simplify input variables 2022-09-05 13:52:21 +08:00			`name = "${var.resource-prefix}-cwl-role-policy"`
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`role = aws_iam_role.iam_cloudtrial_cloudwatch_role.id`
			`policy = data.aws_iam_policy_document.ct-role-pdoc.json`
			`}`

			`data "aws_iam_policy_document" "ct-role-assumerole-policy" {`
			`statement {`
			`effect = "Allow"`
			`actions = ["sts:AssumeRole"]`

			`principals {`
			`type = "Service"`
			`identifiers = ["cloudtrail.amazonaws.com"]`
			`}`
			`}`
			`}`

			`data "aws_iam_policy_document" "ct-role-pdoc" {`
			`statement {`
			`effect = "Allow"`
			`actions = ["logs:CreateLogStream"]`

			`resources = [`
			`"${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",`
			`]`
			`}`

			`statement {`
			`effect = "Allow"`
			`actions = ["logs:PutLogEvents"]`

			`resources = [`
			`"${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",`
			`]`
			`}`
			`}`



			`resource "aws_cloudtrail" "default" {`
UPD: updated several modules to simplify input variables 2022-09-05 13:52:21 +08:00			`name = "${var.resource-prefix}-trail-001"`
NEW: cloudtrail and cwl 2021-01-26 21:40:02 +08:00			`enable_logging = true`
			`s3_bucket_name = local.ct-bucket-name`
			`enable_log_file_validation = true`
			`is_multi_region_trail = true`
			`include_global_service_events = true`
			`cloud_watch_logs_role_arn = aws_iam_role.iam_cloudtrial_cloudwatch_role.arn`
			`cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ct-cwl.arn}:*"`
			`tags = var.default-tags`
			`kms_key_id = aws_kms_key.ctbucket-key.arn`
			`is_organization_trail = false`

			`event_selector {`
			`read_write_type = "All"`
			`include_management_events = true`

			`data_resource {`
			`type = "AWS::S3::Object"`
			`values = ["arn:aws:s3:::"]`
			`}`

			`data_resource {`
			`type = "AWS::Lambda::Function"`
			`values = ["arn:aws:lambda"]`
			`}`
			`}`

			`#insight_selector {`
			`# insight_type = "ApiCallRateInsight"`
			`#}`
			`}`