Merge pull request #193 from schubergphilis/cloudtrail-event-selector
feat: Add option to provide event_selector for CloudTrail
sbkg0002 authored Nov 9, 2023
2 parents eb590f1 + f1e31a0 commit 15e8a86
Showing 4 changed files with 129 additions and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -534,7 +534,7 @@ module "landing_zone" {
|------|-------------|------|---------|:--------:|
| <a name="input_control_tower_account_ids"></a> [control\_tower\_account\_ids](#input\_control\_tower\_account\_ids) | Control Tower core account IDs | <pre>object({<br> audit = string<br> logging = string<br> })</pre> | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags | `map(string)` | n/a | yes |
| <a name="input_additional_auditing_trail"></a> [additional\_auditing\_trail](#input\_additional\_auditing\_trail) | CloudTrail configuration for additional auditing trail | <pre>object({<br> name = string<br> bucket = string<br> kms_key_id = string<br> })</pre> | `null` | no |
| <a name="input_additional_auditing_trail"></a> [additional\_auditing\_trail](#input\_additional\_auditing\_trail) | CloudTrail configuration for additional auditing trail | <pre>object({<br> name = string<br> bucket = string<br> kms_key_id = string<br><br> event_selector = optional(object({<br> data_resource = optional(object({<br> type = string<br> values = list(string)<br> }))<br> exclude_management_event_sources = optional(set(string), null)<br> include_management_events = optional(bool, true)<br> read_write_type = optional(string, "All")<br> }))<br> })</pre> | `null` | no |
| <a name="input_aws_account_password_policy"></a> [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | AWS account password policy parameters for the audit, logging and master account | <pre>object({<br> allow_users_to_change = bool<br> max_age = number<br> minimum_length = number<br> require_lowercase_characters = bool<br> require_numbers = bool<br> require_symbols = bool<br> require_uppercase_characters = bool<br> reuse_prevention_history = number<br> })</pre> | <pre>{<br> "allow_users_to_change": true,<br> "max_age": 90,<br> "minimum_length": 14,<br> "require_lowercase_characters": true,<br> "require_numbers": true,<br> "require_symbols": true,<br> "require_uppercase_characters": true,<br> "reuse_prevention_history": 24<br>}</pre> | no |
| <a name="input_aws_config"></a> [aws\_config](#input\_aws\_config) | AWS Config settings | <pre>object({<br> aggregator_account_ids = optional(list(string), [])<br> aggregator_regions = optional(list(string), [])<br> delivery_channel_s3_bucket_name = optional(string, null)<br> delivery_channel_s3_key_prefix = optional(string, null)<br> delivery_frequency = optional(string, "TwentyFour_Hours")<br> rule_identifiers = optional(list(string), [])<br> })</pre> | <pre>{<br> "aggregator_account_ids": [],<br> "aggregator_regions": [],<br> "delivery_channel_s3_bucket_name": null,<br> "delivery_channel_s3_key_prefix": null,<br> "delivery_frequency": "TwentyFour_Hours",<br> "rule_identifiers": []<br>}</pre> | no |
| <a name="input_aws_config_sns_subscription"></a> [aws\_config\_sns\_subscription](#input\_aws\_config\_sns\_subscription) | Subscription options for the aws-controltower-AggregateSecurityNotifications (AWS Config) SNS topic | <pre>map(object({<br> endpoint = string<br> protocol = string<br> }))</pre> | `{}` | no |
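Review bot: the description column for `additional_auditing_trail` is unchanged and still reads "CloudTrail configuration for additional auditing trail", so the regenerated row tells a reader nothing about what `event_selector` does or what happens when it is omitted (no `event_selector` block is rendered and the trail falls back to the provider and CloudTrail defaults). This table looks like terraform-docs output, so the fix belongs in the `description` of the variable in `variables.tf`, for example: "set `event_selector` to log data events or to narrow management events; when null, no event_selector block is created". The README row then picks it up on the next docs regeneration.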
19 changes: 19 additions & 0 deletions cloudtrail.tf
Expand Up @@ -11,4 +11,23 @@ resource "aws_cloudtrail" "additional_auditing_trail" {
s3_bucket_name = var.additional_auditing_trail.bucket
kms_key_id = var.additional_auditing_trail.kms_key_id
tags = var.tags

dynamic "event_selector" {
for_each = var.additional_auditing_trail.event_selector != null ? { create = true } : {}

content {
dynamic "data_resource" {
for_each = var.additional_auditing_trail.event_selector.data_resource != null ? { create = true } : {}

content {
type = var.additional_auditing_trail.event_selector.data_resource.type
values = var.additional_auditing_trail.event_selector.data_resource.values
}
}

include_management_events = var.additional_auditing_trail.event_selector.include_management_events
exclude_management_event_sources = var.additional_auditing_trail.event_selector.exclude_management_event_sources
read_write_type = var.additional_auditing_trail.event_selector.read_write_type
}
}
}
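Review bot: the variable shape allows exactly one `event_selector` with at most one `data_resource`, while `aws_cloudtrail` accepts several `event_selector` blocks (CloudTrail permits up to five) and several `data_resource` blocks per selector, so a consumer of this module cannot log, say, both S3 object and Lambda invocation data events on the additional trail. If that restriction is deliberate, state it in the variable description; otherwise make `event_selector` a list of objects and iterate it directly, e.g. `for_each = var.additional_auditing_trail.event_selector != null ? var.additional_auditing_trail.event_selector : []`, and do the same for `data_resource` inside it. Minor style point: `{ create = true }` as a one-element `for_each` works, but `[1]` is the more common idiom for "render this block once" and avoids the unused `create` key.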
99 changes: 99 additions & 0 deletions examples/basic/.terraform.lock.hcl


10 changes: 10 additions & 0 deletions variables.tf
Expand Up @@ -3,6 +3,16 @@ variable "additional_auditing_trail" {
name = string
bucket = string
kms_key_id = string

event_selector = optional(object({
data_resource = optional(object({
type = string
values = list(string)
}))
exclude_management_event_sources = optional(set(string), null)
include_management_events = optional(bool, true)
read_write_type = optional(string, "All")
}))
})
default = null
description = "CloudTrail configuration for additional auditing trail"
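Review bot: `read_write_type` and `data_resource.type` are free-form strings with no `validation` block, so a typo such as `"ReadWrite"` is only caught by the provider at apply time. CloudTrail accepts exactly three values for `read_write_type` (`ReadOnly`, `WriteOnly`, `All`), so a validation on the variable is cheap: `condition = try(contains(["ReadOnly", "WriteOnly", "All"], var.additional_auditing_trail.event_selector.read_write_type), true)` (the `try` keeps the check from erroring when `additional_auditing_trail` or `event_selector` is null, since Terraform's `||` does not short-circuit attribute access on null). Also, `optional(set(string), null)` on `exclude_management_event_sources` is equivalent to `optional(set(string))`; drop the explicit null for consistency with `data_resource` just above it.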
