diff --git a/README.md b/README.md
index f4f1ab3..846c50e 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,23 @@ module "composite_alarm" {
}
```
+### Log Account Policy
+
+```hcl
+module "log_account_policy" {
+ source = "terraform-aws-modules/cloudwatch/aws//modules/log-account-policy"
+ version = "~> 4.0"
+
+ log_account_policy_name = "account-data-protection"
+ log_account_policy_type = "DATA_PROTECTION_POLICY"
+ create_log_data_protection_policy = true
+ log_data_protection_policy_name = "redact-addresses"
+
+ data_identifiers = ["arn:aws:dataprotection::aws:data-identifier/Address"]
+ findings_destination_cloudwatch_log_group = "my-cloudwatch-audit-log-group"
+}
+```
+
## Examples
- [Complete Cloudwatch log metric filter and alarm](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/complete-log-metric-filter-and-alarm)
@@ -217,6 +234,7 @@ module "composite_alarm" {
- [Cloudwatch query definition](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/query-definition)
- [Cloudwatch Metric Stream](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/metric-stream)
- [Cloudwatch Composite Alarm](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/composite-alarm)
+- [Cloudwatch Log Account Policy](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/log-account-policy)
diff --git a/examples/cis-alarms/README.md b/examples/cis-alarms/README.md
index 52aceae..f403065 100644
--- a/examples/cis-alarms/README.md
+++ b/examples/cis-alarms/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
diff --git a/examples/cis-alarms/versions.tf b/examples/cis-alarms/versions.tf
index ddfcb0e..2c346da 100644
--- a/examples/cis-alarms/versions.tf
+++ b/examples/cis-alarms/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/examples/complete-log-metric-filter-and-alarm/README.md b/examples/complete-log-metric-filter-and-alarm/README.md
index 978902e..49e71de 100644
--- a/examples/complete-log-metric-filter-and-alarm/README.md
+++ b/examples/complete-log-metric-filter-and-alarm/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.30 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
diff --git a/examples/complete-log-metric-filter-and-alarm/versions.tf b/examples/complete-log-metric-filter-and-alarm/versions.tf
index 22111ba..2c346da 100644
--- a/examples/complete-log-metric-filter-and-alarm/versions.tf
+++ b/examples/complete-log-metric-filter-and-alarm/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.30"
+ version = ">= 5.58"
}
}
}
diff --git a/examples/composite-alarm/README.md b/examples/composite-alarm/README.md
index 8f0447f..b56ade2 100644
--- a/examples/composite-alarm/README.md
+++ b/examples/composite-alarm/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.12 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
diff --git a/examples/composite-alarm/versions.tf b/examples/composite-alarm/versions.tf
index 41dc10d..2c346da 100644
--- a/examples/composite-alarm/versions.tf
+++ b/examples/composite-alarm/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.12"
+ version = ">= 5.58"
}
}
}
diff --git a/examples/fixtures/aws_cloudwatch_log_group/versions.tf b/examples/fixtures/aws_cloudwatch_log_group/versions.tf
index 3836522..f469629 100644
--- a/examples/fixtures/aws_cloudwatch_log_group/versions.tf
+++ b/examples/fixtures/aws_cloudwatch_log_group/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
random = {
diff --git a/examples/fixtures/aws_kms_key/versions.tf b/examples/fixtures/aws_kms_key/versions.tf
index 3836522..f469629 100644
--- a/examples/fixtures/aws_kms_key/versions.tf
+++ b/examples/fixtures/aws_kms_key/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
random = {
diff --git a/examples/fixtures/aws_lambda_function/versions.tf b/examples/fixtures/aws_lambda_function/versions.tf
index 92cb1f1..4e4857d 100644
--- a/examples/fixtures/aws_lambda_function/versions.tf
+++ b/examples/fixtures/aws_lambda_function/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
random = {
diff --git a/examples/fixtures/aws_sns_topic/versions.tf b/examples/fixtures/aws_sns_topic/versions.tf
index 3836522..f469629 100644
--- a/examples/fixtures/aws_sns_topic/versions.tf
+++ b/examples/fixtures/aws_sns_topic/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
random = {
diff --git a/examples/lambda-metric-alarm/README.md b/examples/lambda-metric-alarm/README.md
index c9fa7de..bfa2913 100644
--- a/examples/lambda-metric-alarm/README.md
+++ b/examples/lambda-metric-alarm/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
diff --git a/examples/lambda-metric-alarm/versions.tf b/examples/lambda-metric-alarm/versions.tf
index ddfcb0e..2c346da 100644
--- a/examples/lambda-metric-alarm/versions.tf
+++ b/examples/lambda-metric-alarm/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/examples/log-account-policy/README.md b/examples/log-account-policy/README.md
new file mode 100644
index 0000000..0ec8a43
--- /dev/null
+++ b/examples/log-account-policy/README.md
@@ -0,0 +1,56 @@
+# Complete Cloudwatch log account policy
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
+| [random](#requirement\_random) | >= 3.5 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.58 |
+| [random](#provider\_random) | >= 3.5 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [audit\_destination\_group](#module\_audit\_destination\_group) | ../../modules/log-group | n/a |
+| [cw\_logs\_to\_firehose](#module\_cw\_logs\_to\_firehose) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.0 |
+| [cw\_logs\_to\_firehose\_policy](#module\_cw\_logs\_to\_firehose\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.0 |
+| [excluded\_log\_group](#module\_excluded\_log\_group) | ../../modules/log-group | n/a |
+| [firehose\_to\_s3](#module\_firehose\_to\_s3) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.0 |
+| [firehose\_to\_s3\_policy](#module\_firehose\_to\_s3\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.0 |
+| [log\_account\_data\_retention\_policy](#module\_log\_account\_data\_retention\_policy) | ../../modules/log-account-policy | n/a |
+| [log\_account\_subscription\_filter\_policy](#module\_log\_account\_subscription\_filter\_policy) | ../../modules/log-account-policy | n/a |
+| [log\_group](#module\_log\_group) | ../../modules/log-group | n/a |
+| [logs\_bucket](#module\_logs\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kinesis_firehose_delivery_stream.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.custom_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cw_logs_to_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.firehose_to_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [log\_account\_data\_retention\_policy\_name](#output\_log\_account\_data\_retention\_policy\_name) | Name of Cloudwatch log account policy |
+| [log\_account\_subscription\_filter\_retention\_policy\_name](#output\_log\_account\_subscription\_filter\_retention\_policy\_name) | Name of Cloudwatch log account policy |
+
diff --git a/examples/log-account-policy/main.tf b/examples/log-account-policy/main.tf
new file mode 100644
index 0000000..a32201d
--- /dev/null
+++ b/examples/log-account-policy/main.tf
@@ -0,0 +1,202 @@
+provider "aws" {
+ region = "eu-west-1"
+}
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+module "log_group" {
+ source = "../../modules/log-group"
+
+ name_prefix = "my-log-group-"
+ retention_in_days = 7
+}
+
+module "excluded_log_group" {
+ source = "../../modules/log-group"
+
+ name_prefix = "my-excluded-log-group-"
+ retention_in_days = 7
+}
+
+module "audit_destination_group" {
+ source = "../../modules/log-group"
+
+ name_prefix = "audit-destination-log-group-"
+ retention_in_days = 7
+}
+
+module "log_account_data_retention_policy" {
+ source = "../../modules/log-account-policy"
+
+ log_account_policy_name = "account-data-protection"
+ log_account_policy_type = "DATA_PROTECTION_POLICY"
+
+ # custom data identifier not yet supported by the data source for aws_cloudwatch_log_data_protection_policy within the module
+ # specify your own json policy document if this is needed using policy_document argument
+ create_log_data_protection_policy = true
+ log_data_protection_policy_name = "redact-addresses"
+
+ data_identifiers = ["arn:aws:dataprotection::aws:data-identifier/Address"]
+ findings_destination_cloudwatch_log_group = module.audit_destination_group.cloudwatch_log_group_name
+}
+
+# This example requires two terraform applies and will error on the first run due to firehose stream not in ACTIVE state even with depends_on set
+# Related: https://github.com/hashicorp/terraform-provider-aws/issues/17049
+module "log_account_subscription_filter_policy" {
+ source = "../../modules/log-account-policy"
+
+ log_account_policy_name = "account-subscription-filter"
+ log_account_policy_type = "SUBSCRIPTION_FILTER_POLICY"
+ policy_document = jsonencode(
+ {
+ DestinationArn = aws_kinesis_firehose_delivery_stream.logs.arn
+ FilterPattern = "%test%"
+ RoleArn = module.cw_logs_to_firehose.iam_role_arn
+ }
+ )
+ log_account_policy_selection_criteria = "LogGroupName NOT IN [\"${module.excluded_log_group.cloudwatch_log_group_name}\"]"
+
+ depends_on = [
+ aws_kinesis_firehose_delivery_stream.logs,
+ module.cw_logs_to_firehose,
+ module.cw_logs_to_firehose_policy
+ ]
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+resource "random_pet" "this" {
+ length = 2
+}
+
+module "logs_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "~> 4.0"
+
+ bucket_prefix = "${random_pet.this.id}-logs"
+
+ force_destroy = true
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "logs" {
+ name = "${random_pet.this.id}-logs"
+ destination = "extended_s3"
+
+ extended_s3_configuration {
+ role_arn = module.firehose_to_s3.iam_role_arn
+ bucket_arn = module.logs_bucket.s3_bucket_arn
+ prefix = "from-firehose-logs/"
+ }
+}
+
+module "firehose_to_s3" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+ version = "~> 5.0"
+
+ trusted_role_services = [
+ "firehose.amazonaws.com"
+ ]
+
+ create_role = true
+
+ role_name_prefix = "${random_pet.this.id}-firehose-to-s3-"
+ role_requires_mfa = false
+
+ custom_role_policy_arns = [
+ module.firehose_to_s3_policy.arn
+ ]
+}
+
+module "firehose_to_s3_policy" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "~> 5.0"
+
+ name = "${random_pet.this.id}-firehose-to-s3"
+ path = "/"
+ description = "Pipes logging firehose to s3 policy"
+
+ policy = data.aws_iam_policy_document.firehose_to_s3.json
+}
+
+data "aws_iam_policy_document" "firehose_to_s3" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "s3:AbortMultipartUpload",
+ "s3:GetBucketLocation",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:PutObject",
+ ]
+
+ resources = [
+ module.logs_bucket.s3_bucket_arn,
+ "${module.logs_bucket.s3_bucket_arn}/*",
+ ]
+ }
+}
+
+module "cw_logs_to_firehose" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+ version = "~> 5.0"
+
+ create_role = true
+
+ role_name_prefix = "${random_pet.this.id}-cw-logs-to-firehose-"
+ role_requires_mfa = false
+ create_custom_role_trust_policy = true
+ custom_role_trust_policy = data.aws_iam_policy_document.custom_trust_policy.json
+
+ custom_role_policy_arns = [
+ module.cw_logs_to_firehose_policy.arn
+ ]
+}
+
+data "aws_iam_policy_document" "custom_trust_policy" {
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:SourceArn"
+ values = ["arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"]
+ }
+
+ principals {
+ identifiers = ["logs.amazonaws.com"]
+ type = "Service"
+ }
+ }
+}
+
+module "cw_logs_to_firehose_policy" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "~> 5.0"
+
+ name = "${random_pet.this.id}-cw-logs-to-firehose"
+ path = "/"
+ description = "Cloudwatch logs to firehose policy"
+
+ policy = data.aws_iam_policy_document.cw_logs_to_firehose.json
+}
+
+data "aws_iam_policy_document" "cw_logs_to_firehose" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "firehose:PutRecord",
+ ]
+
+ resources = [
+ aws_kinesis_firehose_delivery_stream.logs.arn,
+ ]
+ }
+}
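Review bot: The module label `log_account_data_retention_policy` says "retention", but the block sets `log_account_policy_type = "DATA_PROTECTION_POLICY"` and masks the Address identifier; nothing in it configures retention. Renaming it to `log_account_data_protection_policy` would keep readers from confusing masking with retention settings. The same wording carries into outputs.tf: both output names contain "retention" (`log_account_data_retention_policy_name`, `log_account_subscription_filter_retention_policy_name`), and both share the description `Name of Cloudwatch log account policy`, so the two cannot be told apart in generated docs.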
diff --git a/examples/log-account-policy/outputs.tf b/examples/log-account-policy/outputs.tf
new file mode 100644
index 0000000..76b8edf
--- /dev/null
+++ b/examples/log-account-policy/outputs.tf
@@ -0,0 +1,9 @@
+output "log_account_data_retention_policy_name" {
+ description = "Name of Cloudwatch log account policy"
+ value = module.log_account_data_retention_policy.log_account_policy_name
+}
+
+output "log_account_subscription_filter_retention_policy_name" {
+ description = "Name of Cloudwatch log account policy"
+ value = module.log_account_subscription_filter_policy.log_account_policy_name
+}
diff --git a/examples/log-account-policy/variables.tf b/examples/log-account-policy/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/examples/log-account-policy/versions.tf b/examples/log-account-policy/versions.tf
new file mode 100644
index 0000000..bc79575
--- /dev/null
+++ b/examples/log-account-policy/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.58"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.5"
+ }
+ }
+}
diff --git a/examples/log-group-with-log-stream/README.md b/examples/log-group-with-log-stream/README.md
index 04d6c96..009173f 100644
--- a/examples/log-group-with-log-stream/README.md
+++ b/examples/log-group-with-log-stream/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.30 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
diff --git a/examples/log-group-with-log-stream/versions.tf b/examples/log-group-with-log-stream/versions.tf
index 22111ba..2c346da 100644
--- a/examples/log-group-with-log-stream/versions.tf
+++ b/examples/log-group-with-log-stream/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.30"
+ version = ">= 5.58"
}
}
}
diff --git a/examples/log-subscription-filter/versions.tf b/examples/log-subscription-filter/versions.tf
index 3a07cce..bc79575 100644
--- a/examples/log-subscription-filter/versions.tf
+++ b/examples/log-subscription-filter/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
random = {
source = "hashicorp/random"
diff --git a/examples/metric-stream/README.md b/examples/metric-stream/README.md
index f4a9eea..2878a7d 100644
--- a/examples/metric-stream/README.md
+++ b/examples/metric-stream/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
| [random](#requirement\_random) | >= 3.5 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.58 |
| [random](#provider\_random) | >= 3.5 |
## Modules
diff --git a/examples/metric-stream/versions.tf b/examples/metric-stream/versions.tf
index 3a07cce..bc79575 100644
--- a/examples/metric-stream/versions.tf
+++ b/examples/metric-stream/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
random = {
source = "hashicorp/random"
diff --git a/examples/multiple-lambda-metric-alarm/README.md b/examples/multiple-lambda-metric-alarm/README.md
index 13811ae..e07ab54 100644
--- a/examples/multiple-lambda-metric-alarm/README.md
+++ b/examples/multiple-lambda-metric-alarm/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
diff --git a/examples/multiple-lambda-metric-alarm/versions.tf b/examples/multiple-lambda-metric-alarm/versions.tf
index ddfcb0e..2c346da 100644
--- a/examples/multiple-lambda-metric-alarm/versions.tf
+++ b/examples/multiple-lambda-metric-alarm/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/examples/query-definition/README.md b/examples/query-definition/README.md
index c394339..5ca20e6 100644
--- a/examples/query-definition/README.md
+++ b/examples/query-definition/README.md
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
diff --git a/examples/query-definition/versions.tf b/examples/query-definition/versions.tf
index ddfcb0e..2c346da 100644
--- a/examples/query-definition/versions.tf
+++ b/examples/query-definition/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/modules/cis-alarms/README.md b/modules/cis-alarms/README.md
index e179832..a70f27a 100644
--- a/modules/cis-alarms/README.md
+++ b/modules/cis-alarms/README.md
@@ -8,14 +8,14 @@ Read more about [CIS AWS Foundations Controls](https://docs.aws.amazon.com/secur
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
| [random](#requirement\_random) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.58 |
| [random](#provider\_random) | >= 2.0 |
## Modules
diff --git a/modules/cis-alarms/versions.tf b/modules/cis-alarms/versions.tf
index 3836522..f469629 100644
--- a/modules/cis-alarms/versions.tf
+++ b/modules/cis-alarms/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
random = {
diff --git a/modules/composite-alarm/README.md b/modules/composite-alarm/README.md
index 81e01f4..53b9050 100644
--- a/modules/composite-alarm/README.md
+++ b/modules/composite-alarm/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.12 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.12 |
+| [aws](#provider\_aws) | >= 5.58 |
## Modules
diff --git a/modules/composite-alarm/versions.tf b/modules/composite-alarm/versions.tf
index 41dc10d..2c346da 100644
--- a/modules/composite-alarm/versions.tf
+++ b/modules/composite-alarm/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.12"
+ version = ">= 5.58"
}
}
}
diff --git a/modules/log-account-policy/README.md b/modules/log-account-policy/README.md
new file mode 100644
index 0000000..cc65d69
--- /dev/null
+++ b/modules/log-account-policy/README.md
@@ -0,0 +1,53 @@
+# log-data-protection-policy
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.58 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_account_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_account_policy) | resource |
+| [aws_cloudwatch_log_data_protection_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudwatch_log_data_protection_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [audit\_statement\_sid](#input\_audit\_statement\_sid) | Name of the audit statement. | `string` | `"audit-policy"` | no |
+| [create](#input\_create) | Whether to create the cloudwatch log data protection policy. | `bool` | `true` | no |
+| [create\_log\_data\_protection\_policy](#input\_create\_log\_data\_protection\_policy) | Whether to create the cloudwatch log data protection policy. | `bool` | `false` | no |
+| [data\_identifiers](#input\_data\_identifiers) | Set of at least 1 sensitive data identifiers that you want to mask. | `list(string)` | `null` | no |
+| [deidentify\_statement\_sid](#input\_deidentify\_statement\_sid) | Name of the deidentify statement. | `string` | `"redact-policy"` | no |
+| [findings\_destination\_cloudwatch\_log\_group](#input\_findings\_destination\_cloudwatch\_log\_group) | Configures CloudWatch Logs as a findings destination. | `string` | `null` | no |
+| [findings\_destination\_firehose\_delivery\_stream](#input\_findings\_destination\_firehose\_delivery\_stream) | Configures Kinesis Firehose as a findings destination. | `string` | `null` | no |
+| [findings\_destination\_s3\_bucket](#input\_findings\_destination\_s3\_bucket) | Configures S3 as a findings destination. | `string` | `null` | no |
+| [log\_account\_policy\_name](#input\_log\_account\_policy\_name) | The name of the log group under which the log stream is to be created. | `string` | `null` | no |
+| [log\_account\_policy\_scope](#input\_log\_account\_policy\_scope) | Currently defaults to and only accepts the value: ALL. | `string` | `null` | no |
+| [log\_account\_policy\_selection\_criteria](#input\_log\_account\_policy\_selection\_criteria) | Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is LogGroupName NOT IN []. | `string` | `null` | no |
+| [log\_account\_policy\_type](#input\_log\_account\_policy\_type) | Type of account policy. Either DATA\_PROTECTION\_POLICY or SUBSCRIPTION\_FILTER\_POLICY. You can have one account policy per type in an account. | `string` | `"audit-policy"` | no |
+| [log\_data\_protection\_description](#input\_log\_data\_protection\_description) | The description of the data protection policy document. | `string` | `null` | no |
+| [log\_data\_protection\_policy\_name](#input\_log\_data\_protection\_policy\_name) | The name of the data protection policy document. | `string` | `null` | no |
+| [policy\_document](#input\_policy\_document) | Specifies the data protection policy in JSON. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [log\_account\_policy\_name](#output\_log\_account\_policy\_name) | Name of Cloudwatch log account policy |
+
diff --git a/modules/log-account-policy/main.tf b/modules/log-account-policy/main.tf
new file mode 100644
index 0000000..4c40d7c
--- /dev/null
+++ b/modules/log-account-policy/main.tf
@@ -0,0 +1,63 @@
+resource "aws_cloudwatch_log_account_policy" "this" {
+ count = var.create ? 1 : 0
+
+ policy_document = var.create_log_data_protection_policy ? data.aws_cloudwatch_log_data_protection_policy_document.this[0].json : var.policy_document
+ policy_type = var.log_account_policy_type
+ policy_name = var.log_account_policy_name
+ scope = var.log_account_policy_scope
+ selection_criteria = var.log_account_policy_selection_criteria
+}
+
+data "aws_cloudwatch_log_data_protection_policy_document" "this" {
+ count = var.create && var.create_log_data_protection_policy ? 1 : 0
+
+ name = var.log_data_protection_policy_name
+ description = var.log_data_protection_description
+
+ statement {
+ sid = var.audit_statement_sid
+ data_identifiers = var.data_identifiers
+
+ operation {
+ audit {
+ findings_destination {
+
+ dynamic "cloudwatch_logs" {
+ for_each = var.findings_destination_cloudwatch_log_group != null ? [true] : []
+
+ content {
+ log_group = var.findings_destination_cloudwatch_log_group
+ }
+ }
+
+ dynamic "firehose" {
+ for_each = var.findings_destination_firehose_delivery_stream != null ? [true] : []
+
+ content {
+ delivery_stream = var.findings_destination_firehose_delivery_stream
+ }
+ }
+
+ dynamic "s3" {
+ for_each = var.findings_destination_s3_bucket != null ? [true] : []
+
+ content {
+ bucket = var.findings_destination_s3_bucket
+ }
+ }
+ }
+ }
+ }
+ }
+
+ statement {
+ sid = var.deidentify_statement_sid
+ data_identifiers = var.data_identifiers
+
+ operation {
+ deidentify {
+ mask_config {}
+ }
+ }
+ }
+}
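Review bot: `policy_type` is taken from `var.log_account_policy_type` even when `create_log_data_protection_policy` is true, so the generated data-protection JSON can be submitted under a different policy type. Tying the two together would make that combination impossible, for example `policy_type = var.create_log_data_protection_policy ? "DATA_PROTECTION_POLICY" : var.log_account_policy_type`. A short comment above the `policy_document` line would also help, stating that `var.policy_document` is ignored when the flag is true and must be set when it is false. As written, a caller who expects masking can end up with a policy that fails to apply or does not mask, with no hint from the module.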
diff --git a/modules/log-account-policy/outputs.tf b/modules/log-account-policy/outputs.tf
new file mode 100644
index 0000000..4183e36
--- /dev/null
+++ b/modules/log-account-policy/outputs.tf
@@ -0,0 +1,4 @@
+output "log_account_policy_name" {
+ description = "Name of Cloudwatch log account policy"
+ value = var.log_account_policy_name
+}
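Review bot: The output echoes `var.log_account_policy_name` instead of reading the resource, so it reports a policy name even when `create = false`. It also gives downstream references no dependency on the policy having been applied. Reading the attribute fixes both: `value = try(aws_cloudwatch_log_account_policy.this[0].policy_name, null)`.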
diff --git a/modules/log-account-policy/variables.tf b/modules/log-account-policy/variables.tf
new file mode 100644
index 0000000..e66c297
--- /dev/null
+++ b/modules/log-account-policy/variables.tf
@@ -0,0 +1,89 @@
+variable "create" {
+ description = "Whether to create the cloudwatch log data protection policy."
+ type = bool
+ default = true
+}
+
+variable "create_log_data_protection_policy" {
+ description = "Whether to create the cloudwatch log data protection policy."
+ type = bool
+ default = false
+}
+
+variable "log_account_policy_name" {
+ description = "The name of the log group under which the log stream is to be created."
+ type = string
+ default = null
+}
+
+variable "log_account_policy_scope" {
+ description = "Currently defaults to and only accepts the value: ALL."
+ type = string
+ default = null
+}
+
+variable "log_account_policy_type" {
+ description = "Type of account policy. Either DATA_PROTECTION_POLICY or SUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account."
+ type = string
+ default = "audit-policy"
+}
+
+variable "log_account_policy_selection_criteria" {
+ description = "Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is LogGroupName NOT IN []."
+ type = string
+ default = null
+}
+
+variable "policy_document" {
+ description = "Specifies the data protection policy in JSON."
+ type = string
+ default = null
+}
+
+variable "log_data_protection_policy_name" {
+ description = "The name of the data protection policy document."
+ type = string
+ default = null
+}
+
+variable "log_data_protection_description" {
+ description = "The description of the data protection policy document."
+ type = string
+ default = null
+}
+
+variable "audit_statement_sid" {
+ description = "Name of the audit statement."
+ type = string
+ default = "audit-policy"
+}
+
+variable "deidentify_statement_sid" {
+ description = "Name of the deidentify statement."
+ type = string
+ default = "redact-policy"
+}
+
+variable "data_identifiers" {
+ description = "Set of at least 1 sensitive data identifiers that you want to mask."
+ type = list(string)
+ default = null
+}
+
+variable "findings_destination_cloudwatch_log_group" {
+ description = "Configures CloudWatch Logs as a findings destination."
+ type = string
+ default = null
+}
+
+variable "findings_destination_firehose_delivery_stream" {
+ description = "Configures Kinesis Firehose as a findings destination."
+ type = string
+ default = null
+}
+
+variable "findings_destination_s3_bucket" {
+ description = "Configures S3 as a findings destination."
+ type = string
+ default = null
+}
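Review bot: `log_account_policy_type` defaults to `"audit-policy"`, which is not one of the two values its own description allows and looks copied from `audit_statement_sid`. A caller who omits the argument only finds out when the apply fails. Dropping the default and adding a validation block, as below, surfaces the mistake at plan time. Two descriptions in this file also look copied and should be corrected: `log_account_policy_name` is described as a log group name, and `create` repeats the text of `create_log_data_protection_policy`.

```hcl
variable "log_account_policy_type" {
  # … unchanged: description …
  type = string

  validation {
    condition     = contains(["DATA_PROTECTION_POLICY", "SUBSCRIPTION_FILTER_POLICY"], var.log_account_policy_type)
    error_message = "The log_account_policy_type value must be DATA_PROTECTION_POLICY or SUBSCRIPTION_FILTER_POLICY."
  }
}
```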
diff --git a/modules/log-account-policy/versions.tf b/modules/log-account-policy/versions.tf
new file mode 100644
index 0000000..2c346da
--- /dev/null
+++ b/modules/log-account-policy/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.58"
+ }
+ }
+}
diff --git a/modules/log-group/README.md b/modules/log-group/README.md
index 5bbfc55..e7ee000 100644
--- a/modules/log-group/README.md
+++ b/modules/log-group/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.30 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.30 |
+| [aws](#provider\_aws) | >= 5.58 |
## Modules
diff --git a/modules/log-group/versions.tf b/modules/log-group/versions.tf
index 22111ba..2c346da 100644
--- a/modules/log-group/versions.tf
+++ b/modules/log-group/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.30"
+ version = ">= 5.58"
}
}
}
diff --git a/modules/log-metric-filter/README.md b/modules/log-metric-filter/README.md
index fe09ca6..a0edea4 100644
--- a/modules/log-metric-filter/README.md
+++ b/modules/log-metric-filter/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.58 |
## Modules
diff --git a/modules/log-metric-filter/versions.tf b/modules/log-metric-filter/versions.tf
index ddfcb0e..2c346da 100644
--- a/modules/log-metric-filter/versions.tf
+++ b/modules/log-metric-filter/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/modules/log-stream/README.md b/modules/log-stream/README.md
index 69678cb..f5eed1f 100644
--- a/modules/log-stream/README.md
+++ b/modules/log-stream/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.58 |
## Modules
diff --git a/modules/log-stream/versions.tf b/modules/log-stream/versions.tf
index ddfcb0e..2c346da 100644
--- a/modules/log-stream/versions.tf
+++ b/modules/log-stream/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/modules/log-subscription-filter/README.md b/modules/log-subscription-filter/README.md
index 6390dfb..493456e 100644
--- a/modules/log-subscription-filter/README.md
+++ b/modules/log-subscription-filter/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.58 |
## Modules
diff --git a/modules/log-subscription-filter/versions.tf b/modules/log-subscription-filter/versions.tf
index ddfcb0e..2c346da 100644
--- a/modules/log-subscription-filter/versions.tf
+++ b/modules/log-subscription-filter/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/modules/metric-alarm/README.md b/modules/metric-alarm/README.md
index ae54947..3672bfa 100644
--- a/modules/metric-alarm/README.md
+++ b/modules/metric-alarm/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.58 |
## Modules
diff --git a/modules/metric-alarm/versions.tf b/modules/metric-alarm/versions.tf
index ddfcb0e..2c346da 100644
--- a/modules/metric-alarm/versions.tf
+++ b/modules/metric-alarm/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/modules/metric-alarms-by-multiple-dimensions/README.md b/modules/metric-alarms-by-multiple-dimensions/README.md
index 99f8b2d..795790f 100644
--- a/modules/metric-alarms-by-multiple-dimensions/README.md
+++ b/modules/metric-alarms-by-multiple-dimensions/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.58 |
## Modules
diff --git a/modules/metric-alarms-by-multiple-dimensions/versions.tf b/modules/metric-alarms-by-multiple-dimensions/versions.tf
index ddfcb0e..2c346da 100644
--- a/modules/metric-alarms-by-multiple-dimensions/versions.tf
+++ b/modules/metric-alarms-by-multiple-dimensions/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/modules/metric-stream/README.md b/modules/metric-stream/README.md
index 44cd77e..20793b7 100644
--- a/modules/metric-stream/README.md
+++ b/modules/metric-stream/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.58 |
## Modules
diff --git a/modules/metric-stream/versions.tf b/modules/metric-stream/versions.tf
index ddfcb0e..2c346da 100644
--- a/modules/metric-stream/versions.tf
+++ b/modules/metric-stream/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/modules/query-definition/README.md b/modules/query-definition/README.md
index aba4910..95af48f 100644
--- a/modules/query-definition/README.md
+++ b/modules/query-definition/README.md
@@ -6,13 +6,13 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.58 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.58 |
## Modules
diff --git a/modules/query-definition/versions.tf b/modules/query-definition/versions.tf
index ddfcb0e..2c346da 100644
--- a/modules/query-definition/versions.tf
+++ b/modules/query-definition/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.58"
}
}
}
diff --git a/wrappers/log-account-policy/README.md b/wrappers/log-account-policy/README.md
new file mode 100644
index 0000000..1ba1f3e
--- /dev/null
+++ b/wrappers/log-account-policy/README.md
@@ -0,0 +1,100 @@
+# Wrapper for module: `modules/log-account-policy`
+
+The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
+
+You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
+
+This wrapper does not implement any extra functionality.
+
+## Usage with Terragrunt
+
+`terragrunt.hcl`:
+
+```hcl
+terraform {
+ source = "tfr:///terraform-aws-modules/cloudwatch/aws//wrappers/log-account-policy"
+ # Alternative source:
+ # source = "git::git@github.com:terraform-aws-modules/terraform-aws-cloudwatch.git//wrappers/log-account-policy?ref=master"
+}
+
+inputs = {
+ defaults = { # Default values
+ create = true
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+ }
+
+ items = {
+ my-item = {
+ # omitted... can be any argument supported by the module
+ }
+ my-second-item = {
+ # omitted... can be any argument supported by the module
+ }
+ # omitted...
+ }
+}
+```
+
+## Usage with Terraform
+
+```hcl
+module "wrapper" {
+ source = "terraform-aws-modules/cloudwatch/aws//wrappers/log-account-policy"
+
+ defaults = { # Default values
+ create = true
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+ }
+
+ items = {
+ my-item = {
+ # omitted... can be any argument supported by the module
+ }
+ my-second-item = {
+ # omitted... can be any argument supported by the module
+ }
+ # omitted...
+ }
+}
+```
+
+## Example: Manage multiple S3 buckets in one Terragrunt layer
+
+`eu-west-1/s3-buckets/terragrunt.hcl`:
+
+```hcl
+terraform {
+ source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+ # Alternative source:
+ # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+}
+
+inputs = {
+ defaults = {
+ force_destroy = true
+
+ attach_elb_log_delivery_policy = true
+ attach_lb_log_delivery_policy = true
+ attach_deny_insecure_transport_policy = true
+ attach_require_latest_tls_policy = true
+ }
+
+ items = {
+ bucket1 = {
+ bucket = "my-random-bucket-1"
+ }
+ bucket2 = {
+ bucket = "my-random-bucket-2"
+ tags = {
+ Secure = "probably"
+ }
+ }
+ }
+}
+```
diff --git a/wrappers/log-account-policy/main.tf b/wrappers/log-account-policy/main.tf
new file mode 100644
index 0000000..89e2017
--- /dev/null
+++ b/wrappers/log-account-policy/main.tf
@@ -0,0 +1,21 @@
+module "wrapper" {
+ source = "../../modules/log-account-policy"
+
+ for_each = var.items
+
+ audit_statement_sid = try(each.value.audit_statement_sid, var.defaults.audit_statement_sid, "audit-policy")
+ create = try(each.value.create, var.defaults.create, true)
+ create_log_data_protection_policy = try(each.value.create_log_data_protection_policy, var.defaults.create_log_data_protection_policy, false)
+ data_identifiers = try(each.value.data_identifiers, var.defaults.data_identifiers, null)
+ deidentify_statement_sid = try(each.value.deidentify_statement_sid, var.defaults.deidentify_statement_sid, "redact-policy")
+ findings_destination_cloudwatch_log_group = try(each.value.findings_destination_cloudwatch_log_group, var.defaults.findings_destination_cloudwatch_log_group, null)
+ findings_destination_firehose_delivery_stream = try(each.value.findings_destination_firehose_delivery_stream, var.defaults.findings_destination_firehose_delivery_stream, null)
+ findings_destination_s3_bucket = try(each.value.findings_destination_s3_bucket, var.defaults.findings_destination_s3_bucket, null)
+ log_account_policy_name = try(each.value.log_account_policy_name, var.defaults.log_account_policy_name, null)
+ log_account_policy_scope = try(each.value.log_account_policy_scope, var.defaults.log_account_policy_scope, null)
+ log_account_policy_selection_criteria = try(each.value.log_account_policy_selection_criteria, var.defaults.log_account_policy_selection_criteria, null)
+ log_account_policy_type = try(each.value.log_account_policy_type, var.defaults.log_account_policy_type, "audit-policy")
+ log_data_protection_description = try(each.value.log_data_protection_description, var.defaults.log_data_protection_description, null)
+ log_data_protection_policy_name = try(each.value.log_data_protection_policy_name, var.defaults.log_data_protection_policy_name, null)
+ policy_document = try(each.value.policy_document, var.defaults.policy_document, null)
+}
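Review bot: The last fallback for `log_account_policy_type` is `"audit-policy"`, the same string used as the `audit_statement_sid` default a few lines above, and it does not look like a policy type; the README example in this commit passes `DATA_PROTECTION_POLICY`. An item that sets neither its own type nor one in `defaults` would hand this value to the module, so the account-level data protection policy would presumably be rejected at plan or apply instead of being created. I would change the line to `log_account_policy_type = try(each.value.log_account_policy_type, var.defaults.log_account_policy_type, "DATA_PROTECTION_POLICY")`, or fall back to `null` if the module is meant to require an explicit type. Wrapper fallbacks usually mirror the module's variable defaults, which are declared outside this hunk, so the same default should be checked in the variables file under `../../modules/log-account-policy`.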
diff --git a/wrappers/log-account-policy/outputs.tf b/wrappers/log-account-policy/outputs.tf
new file mode 100644
index 0000000..ec6da5f
--- /dev/null
+++ b/wrappers/log-account-policy/outputs.tf
@@ -0,0 +1,5 @@
+output "wrapper" {
+ description = "Map of outputs of a wrapper."
+ value = module.wrapper
+ # sensitive = false # No sensitive module output found
+}
diff --git a/wrappers/log-account-policy/variables.tf b/wrappers/log-account-policy/variables.tf
new file mode 100644
index 0000000..a6ea096
--- /dev/null
+++ b/wrappers/log-account-policy/variables.tf
@@ -0,0 +1,11 @@
+variable "defaults" {
+ description = "Map of default values which will be used for each item."
+ type = any
+ default = {}
+}
+
+variable "items" {
+ description = "Maps of items to create a wrapper from. Values are passed through to the module."
+ type = any
+ default = {}
+}
diff --git a/wrappers/log-account-policy/versions.tf b/wrappers/log-account-policy/versions.tf
new file mode 100644
index 0000000..51cad10
--- /dev/null
+++ b/wrappers/log-account-policy/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.13.1"
+}