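# Account / region / partition lookups used to build the trail ARN for the
# confused-deputy condition on the CloudWatch Logs delivery role below.
# Prefixed with "ct-" so they do not collide with lookups elsewhere in the module.
data "aws_caller_identity" "ct-current" {}
data "aws_region" "ct-current" {}
data "aws_partition" "ct-current" {}

locals {
  # Trail name and ARN are computed by hand so the role's trust policy can
  # reference the trail without a resource cycle (trail -> role -> trail).
  ct-trail-name = "${var.resource-prefix}-trail-001"
  ct-trail-arn  = "arn:${data.aws_partition.ct-current.partition}:cloudtrail:${data.aws_region.ct-current.name}:${data.aws_caller_identity.ct-current.account_id}:trail/${local.ct-trail-name}"
}

# Role that CloudTrail assumes to push trail events into CloudWatch Logs.
# NOTE: "cloudtrial" is a typo in the resource address; it is kept because
# renaming would destroy/recreate the role (or require a `moved` block).
resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" {
  name               = "${var.resource-prefix}-cwl-role"
  assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json
  description        = "Enables AWS CloudTrail to deliver log to CloudWatch log"
  tags               = var.default-tags
}

# Inline permissions for the delivery role (same typo caveat as the role above).
resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" {
  name   = "${var.resource-prefix}-cwl-role-policy"
  role   = aws_iam_role.iam_cloudtrial_cloudwatch_role.id
  policy = data.aws_iam_policy_document.ct-role-pdoc.json
}

# Trust policy: only the CloudTrail service, acting on behalf of THIS trail in
# THIS account, may assume the role. Without the conditions any trail in any
# AWS account could ask cloudtrail.amazonaws.com to assume it (confused deputy).
data "aws_iam_policy_document" "ct-role-assumerole-policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.ct-current.account_id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [local.ct-trail-arn]
    }
  }
}

# Least-privilege write access: the role may only create streams and put
# events inside the trail's own log group (ct-cwl is declared elsewhere).
data "aws_iam_policy_document" "ct-role-pdoc" {
  statement {
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = [
      "${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",
    ]
  }
}

# Account-wide trail: all regions, global services, management events, and
# data events for every S3 object and Lambda invocation, delivered to S3
# (KMS-encrypted, with digest files for integrity validation) and mirrored
# to CloudWatch Logs.
resource "aws_cloudtrail" "default" {
  name           = local.ct-trail-name
  enable_logging = true

  # Bucket and key are declared elsewhere; the bucket policy and the KMS key
  # policy must both grant cloudtrail.amazonaws.com access — TODO confirm they
  # are scoped to this trail/account as well.
  s3_bucket_name = local.ct-bucket-name
  kms_key_id     = aws_kms_key.ctbucket-key.arn

  # Digest files let auditors detect modified or deleted log files.
  enable_log_file_validation    = true
  is_multi_region_trail         = true
  include_global_service_events = true
  is_organization_trail         = false

  cloud_watch_logs_role_arn  = aws_iam_role.iam_cloudtrial_cloudwatch_role.arn
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ct-cwl.arn}:*"

  tags = var.default-tags

  # CloudTrail verifies at create time that the role can write to the log
  # group; make sure the inline policy is attached before the trail is built.
  depends_on = [aws_iam_role_policy.iam_cloudtrial_cloudwatach_role_policy]

  # Logging data events for ALL buckets and functions is the most complete
  # (and most expensive) setting; narrow the values list if volume is a concern.
  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }

    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }
  }

  # Optional anomaly detection on API call rates; left disabled as in the
  # original (enable once the trail is stable and the extra cost is accepted).
  #insight_selector {
  #  insight_type = "ApiCallRateInsight"
  #}
}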