
Add kms_key_id to the CloudTrail resource to enable SSE-KMS encryption of the trail's delivered log files.
Matthew-Grayson committed Sep 26, 2023
1 parent da5be16 commit 9e91b05
Showing 1 changed file with 9 additions and 8 deletions.
17 changes: 9 additions & 8 deletions infrastructure/cloudtrail.tf
Expand Up @@ -2,6 +2,7 @@
resource "aws_cloudtrail" "all-events" {
name = "all-events"
s3_bucket_name = var.cloudtrail_bucket_name
kms_key_id = aws_kms_key.key.arn
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
cloud_watch_logs_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.cloudtrail_role_name}"
tags = {
Expand Down Expand Up @@ -71,19 +72,19 @@ resource "aws_s3_bucket_policy" "cloudtrail_bucket" {
}

resource "aws_iam_role" "cloudtrail_role" {
name = var.cloudtrail_role_name
name = var.cloudtrail_role_name
assume_role_policy = jsonencode({
Version: "2012-10-17",
Statement: [
Version : "2012-10-17",
Statement : [
{
Action: "sts:AssumeRole",
Principal: {
Service: [
Action : "sts:AssumeRole",
Principal : {
Service : [
"cloudtrail.amazonaws.com"
]
},
Effect: "Allow",
Sid: "CloudTrailServiceRole"
Effect : "Allow",
Sid : "CloudTrailServiceRole"
}
]
})
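Review bot: The new `kms_key_id = aws_kms_key.key.arn` line only works if the key policy of `aws_kms_key.key` (defined outside this diff, so I cannot confirm it) grants `cloudtrail.amazonaws.com` both `kms:GenerateDataKey*` and `kms:DescribeKey`; without that the trail creation or log delivery fails, so that policy should be reviewed together with this change. The GenerateDataKey grant should be scoped to this account's trails with a condition such as `Condition = { StringLike = { "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*" } }` rather than left open to the whole service. Every principal that reads the delivered objects from `var.cloudtrail_bucket_name` now also needs `kms:Decrypt` on that key, since the S3 bucket policy alone no longer suffices. The `aws_cloudtrail` resource body continues past the end of the first hunk, and the second hunk is whitespace reformatting of `aws_iam_role.cloudtrail_role` only.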
