forked from cloudposse/terraform-aws-cloudtrail
README.yaml
110 lines (98 loc) · 4.16 KB
#
# This is the canonical configuration for the `README.md`
# Run `make readme` to rebuild the `README.md`
#

# Name of this project
name: terraform-aws-cloudtrail

# Logo for this project
#logo: docs/logo.png

# License of this project
license: "APACHE2"

# Canonical GitHub repo
github_repo: cloudposse/terraform-aws-cloudtrail

# Badges to display
badges:
  - name: "Latest Release"
    image: "https://img.shields.io/github/release/cloudposse/terraform-aws-cloudtrail.svg"
    url: "https://travis-ci.org/cloudposse/terraform-aws-cloudtrail/releases"
  - name: "Slack Community"
    image: "https://slack.cloudposse.com/badge.svg"
    url: "https://slack.cloudposse.com"

related:
  - name: "terraform-aws-cloudtrail-cloudwatch-alarms"
    description: "Terraform module for creating alarms for tracking important changes and occurrences from CloudTrail."
    url: "https://github.com/cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms"
  - name: "terraform-aws-cloudtrail-s3-bucket"
    description: "S3 bucket with a built-in IAM policy to allow CloudTrail logs"
    url: "https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket"
  - name: "terraform-aws-s3-log-storage"
    description: "This module creates an S3 bucket suitable for receiving logs from other AWS services such as S3, CloudFront, and CloudTrail"
    url: "https://github.com/cloudposse/terraform-aws-s3-log-storage"

# Short description of this project
description: |-
  Terraform module to provision an AWS [CloudTrail](https://aws.amazon.com/cloudtrail/).

  The module accepts an encrypted S3 bucket with versioning to store CloudTrail logs.
  The bucket could be from the same AWS account or from a different account.

  This is useful if an organization uses a number of separate AWS accounts to isolate the Audit environment from other environments (production, staging, development).
  In this case, you create CloudTrail in the production environment (production AWS account),
  while the S3 bucket to store the CloudTrail logs is created in the Audit AWS account, restricting access to the logs only to the users/groups from the Audit account.
# How to use this project
usage: |-
  ```hcl
  module "cloudtrail" {
    source = "appzen-oss/cloudtrail/aws"
    # It is recommended to pin every module to a specific version
    # version = "x.x.x"
    name                          = "dev-account-cloudtrail"
    enable_log_file_validation    = true
    include_global_service_events = true
    insight_selector              = [{ insight_type = "ApiCallRateInsight" }]
    is_multi_region_trail         = false
    enable_logging                = true
    s3_bucket_name                = "s3-log-storage"
    s3_key_prefix                 = "cloudtrail"
  }
  ```

  __NOTE:__ To create an S3 bucket for CloudTrail logs, use the [terraform-aws-cloudtrail-s3-bucket](https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket) module.
  It creates an S3 bucket and an IAM policy that allows CloudTrail to write logs to it.

  ```hcl
  module "cloudtrail" {
    source = "appzen-oss/cloudtrail/aws"
    # It is recommended to pin every module to a specific version
    # version = "x.x.x"
    namespace                     = "eg"
    stage                         = "dev"
    name                          = "cluster"
    enable_log_file_validation    = true
    include_global_service_events = true
    is_multi_region_trail         = false
    enable_logging                = true
    s3_bucket_name                = module.cloudtrail_s3_bucket.bucket_id
  }

  module "cloudtrail_s3_bucket" {
    source = "cloudposse/cloudtrail-s3-bucket/aws"
    # Cloud Posse recommends pinning every module to a specific version
    # version = "x.x.x"
    namespace = "eg"
    stage     = "dev"
    name      = "cluster"
  }
  ```

  For a complete example, see [examples/complete](examples/complete).
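  The cross-account layout from the description (trail in the production account, log bucket in the Audit account), as an added example that is not part of the module's own documentation. The provider aliases, role ARNs and account ids are placeholders, and the example assumes the bucket module's policy permits delivery from the production account's trail.

  ```hcl
  # Added example: trail in the production account, log bucket in the Audit account.
  # Role ARNs and account ids are placeholders; replace them with your own.

  provider "aws" {
    alias  = "production"
    region = "us-east-1"
    assume_role {
      role_arn = "arn:aws:iam::111111111111:role/terraform" # placeholder
    }
  }

  provider "aws" {
    alias  = "audit"
    region = "us-east-1"
    assume_role {
      role_arn = "arn:aws:iam::222222222222:role/terraform" # placeholder
    }
  }

  # The bucket is created in the Audit account, so only Audit principals manage it.
  module "cloudtrail_s3_bucket" {
    source = "cloudposse/cloudtrail-s3-bucket/aws"
    # version = "x.x.x"
    providers = { aws = aws.audit }

    namespace = "eg"
    stage     = "audit"
    name      = "cloudtrail-logs"
  }

  # The trail is created in the production account and delivers to the Audit bucket.
  module "cloudtrail" {
    source = "appzen-oss/cloudtrail/aws"
    # version = "x.x.x"
    providers = { aws = aws.production }

    namespace                     = "eg"
    stage                         = "prod"
    name                          = "cloudtrail"
    enable_log_file_validation    = true # digest files let you verify logs were not altered
    include_global_service_events = true # IAM, STS and other global-service events
    is_multi_region_trail         = true # one trail covers every region of the account
    enable_logging                = true
    s3_bucket_name                = module.cloudtrail_s3_bucket.bucket_id
    s3_key_prefix                 = "prod"
  }
  ```

  CloudTrail writes under `<s3_key_prefix>/AWSLogs/<account-id>/`, so the production trail cannot overwrite another account's files in the shared bucket, and production principals get no access to the bucket unless the Audit account grants it.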
include:
  - "docs/targets.md"
  - "docs/terraform.md"

# Contributors to this project
contributors:
  - name: "Erik Osterman"
    github: "osterman"
  - name: "Andriy Knysh"
    github: "aknysh"
  - name: "Sergey Vasilyev"
    github: "s2504s"
  - name: "Valeriy"
    github: "drama17"
  - name: "Jamie Nelson"
    github: "Jamie-BitFlight"
  - name: "Pravinsingh Rajput"
    github: "pravinrajput"