terraform.aws-baseline-infra/modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf
# IAM role that CloudTrail assumes in order to deliver trail events to the
# CloudWatch Logs group. The trust relationship comes from
# data.aws_iam_policy_document.ct-role-assumerole-policy; the permissions come
# from the inline role policy attached below.
resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" {
  description        = "Enables AWS CloudTrail to deliver log to CloudWatch log"
  name               = "${local.resource-prefix}-cwl-role"
  assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json

  tags = var.default-tags
}
# Inline policy granting the CloudTrail delivery role the minimal CloudWatch
# Logs permissions (CreateLogStream / PutLogEvents on the trail's log group).
resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" {
  role   = aws_iam_role.iam_cloudtrial_cloudwatch_role.id
  name   = "${local.resource-prefix}-cwl-role-policy"
  policy = data.aws_iam_policy_document.ct-role-pdoc.json
}
# Trust policy: only the CloudTrail service principal may assume the delivery
# role.
# NOTE(review): AWS documents an optional aws:SourceArn / aws:SourceAccount
# condition on this trust policy to limit which trail (or account) can use the
# role; it is not set here, and adding it would need the account id / region
# (not available in this file) to build the trail ARN without a cycle.
data "aws_iam_policy_document" "ct-role-assumerole-policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["cloudtrail.amazonaws.com"]
      type        = "Service"
    }
  }
}
# Permissions policy for the CloudTrail -> CloudWatch Logs delivery role.
# Scoped to log streams inside the trail's own log group only; no
# CreateLogGroup or wildcard "logs:*" is granted.
data "aws_iam_policy_document" "ct-role-pdoc" {
  # CloudTrail creates one log stream per account/region it delivers for.
  statement {
    effect    = "Allow"
    actions   = ["logs:CreateLogStream"]
    resources = ["${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*"]
  }

  # Writing the actual events into those streams.
  statement {
    effect    = "Allow"
    actions   = ["logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*"]
  }
}
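# Account-wide CloudTrail trail: multi-region, global service events included,
# log-file validation on, KMS-encrypted delivery to S3, and a copy of every
# event streamed to CloudWatch Logs via the delivery role above.
resource "aws_cloudtrail" "default" {
  name           = "${local.resource-prefix}-trail-001"
  enable_logging = true

  # S3 delivery. The bucket and its policy live outside this file
  # (local.ct-bucket-name); the KMS key is defined in this module.
  s3_bucket_name             = local.ct-bucket-name
  kms_key_id                 = aws_kms_key.ctbucket-key.arn
  enable_log_file_validation = true

  # Coverage: all regions plus global services (IAM, STS, CloudFront, ...).
  is_multi_region_trail         = true
  include_global_service_events = true
  is_organization_trail         = false

  # CloudWatch Logs delivery. The group ARN must carry the trailing ":*"
  # as required by the provider/API.
  cloud_watch_logs_role_arn  = aws_iam_role.iam_cloudtrial_cloudwatch_role.arn
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ct-cwl.arn}:*"

  tags = var.default-tags

  # Management events plus S3 object-level and Lambda invocation data events
  # for every bucket / function in the account.
  # NOTE(review): the S3 selector also covers the trail's own log bucket, so
  # CloudTrail's own PutObject deliveries are logged as data events; this is a
  # volume/cost consideration rather than a security gap — confirm it is intended.
  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }

    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }
  }

  #insight_selector {
  # insight_type = "ApiCallRateInsight"
  #}

  # The trail only references the role ARN, so Terraform does not know the
  # trail also needs the role's inline policy to be attached first. Without
  # this explicit ordering the API can reject the trail (CloudTrail cannot
  # validate write access to the log group) on a fresh apply.
  depends_on = [
    aws_iam_role_policy.iam_cloudtrial_cloudwatach_role_policy,
  ]
}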