lacework · dmurray-lacework · Apr 25, 2023 · Apr 17, 2023 · Apr 24, 2023 · Apr 24, 2023
@@ -85,6 +85,7 @@ Terraform module for configuring an integration with Lacework and AWS for CloudT
 | <a name="input_consolidated_trail"></a> [consolidated\_trail](#input\_consolidated\_trail) | Set this to true to configure a consolidated cloudtrail | `bool` | `false` | no |
 | <a name="input_create_lacework_integration"></a> [create\_lacework\_integration](#input\_create\_lacework\_integration) | Set this to `false` if you don't want the module to automatically create a corresponding Lacework integration. | `bool` | `true` | no |
 | <a name="input_cross_account_policy_name"></a> [cross\_account\_policy\_name](#input\_cross\_account\_policy\_name) | n/a | `string` | `""` | no |
+| <a name="input_enable_cloudtrail_s3_management_events"></a> [enable\_cloudtrail\_s3\_management\_events](#input\_enable\_cloudtrail\_s3\_management\_events) | Enable CloudTrail Object-level logging | `bool` | `false` | no |
 | <a name="input_enable_log_file_validation"></a> [enable\_log\_file\_validation](#input\_enable\_log\_file\_validation) | Specifies whether cloudtrail log file integrity validation is enabled | `bool` | `true` | no |
 | <a name="input_external_id_length"></a> [external\_id\_length](#input\_external\_id\_length) | The length of the external ID to generate. Max length is 1224. Ignored when use\_existing\_iam\_role is set to true | `number` | `16` | no |
 | <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | The IAM role ARN is required when setting use\_existing\_iam\_role to true | `string` | `""` | no |
@@ -98,6 +99,7 @@ Terraform module for configuring an integration with Lacework and AWS for CloudT
 | <a name="input_lacework_integration_name"></a> [lacework\_integration\_name](#input\_lacework\_integration\_name) | The name of the integration in Lacework. | `string` | `"TF cloudtrail"` | no |
 | <a name="input_log_bucket_name"></a> [log\_bucket\_name](#input\_log\_bucket\_name) | Name of the S3 bucket for access logs. Is required when setting `use_existing_access_log_bucket` to true | `string` | `""` | no |
 | <a name="input_org_account_mappings"></a> [org\_account\_mappings](#input\_org\_account\_mappings) | Mapping of AWS accounts to Lacework accounts within a Lacework organization | <pre>list(object({<br>    default_lacework_account = string<br>    mapping = list(object({<br>      lacework_account = string<br>      aws_accounts     = list(string)<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_permission_boundary_arn"></a> [permission\_boundary\_arn](#input\_permission\_boundary\_arn) | Optional - ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that will be use at the beginning of every generated resource | `string` | `"lacework-ct"` | no |
 | <a name="input_s3_notification_log_prefix"></a> [s3\_notification\_log\_prefix](#input\_s3\_notification\_log\_prefix) | The object prefix for which to create S3 notifications | `string` | `"AWSLogs/"` | no |
 | <a name="input_s3_notification_type"></a> [s3\_notification\_type](#input\_s3\_notification\_type) | The destination type that should be used for S3 notifications: `SNS` or `SQS`. Defaults to `SQS` | `string` | `"SQS"` | no |
@@ -113,7 +115,8 @@ Terraform module for configuring an integration with Lacework and AWS for CloudT
 | <a name="input_use_existing_access_log_bucket"></a> [use\_existing\_access\_log\_bucket](#input\_use\_existing\_access\_log\_bucket) | Set this to `true` to use an existing bucket for access logging. Default behavior creates a new access log bucket if logging is enabled | `bool` | `false` | no |
 | <a name="input_use_existing_cloudtrail"></a> [use\_existing\_cloudtrail](#input\_use\_existing\_cloudtrail) | Set this to true to use an existing cloudtrail. Default behavior enables new cloudtrail | `bool` | `false` | no |
 | <a name="input_use_existing_iam_role"></a> [use\_existing\_iam\_role](#input\_use\_existing\_iam\_role) | Set this to true to use an existing IAM role | `bool` | `false` | no |
-| <a name="input_use_existing_iam_role_policy"></a> [use\_existing\_iam\_role\_policy](#input\_use\_existing\_iam\_role\_policy) | Set this to `true` to use an existing policy on the IAM role | `bool` | `false` | no |
+| <a name="input_use_existing_iam_role_policy"></a> [use\_existing\_iam\_role\_policy](#input\_use\_existing\_iam\_role\_policy) | Set this to `true` to use an existing policy on the IAM role, rather than attaching a new one | `bool` | `false` | no |
+| <a name="input_use_existing_kms_key"></a> [use\_existing\_kms\_key](#input\_use\_existing\_kms\_key) | Set this to true to use an existing KMS key. | `bool` | `false` | no |
 | <a name="input_use_existing_sns_topic"></a> [use\_existing\_sns\_topic](#input\_use\_existing\_sns\_topic) | Set this to true to use an existing SNS topic. Default behavior creates a new SNS topic | `bool` | `false` | no |
 | <a name="input_use_s3_bucket_notification"></a> [use\_s3\_bucket\_notification](#input\_use\_s3\_bucket\_notification) | Set this to `true` to use S3 bucket notifications instead of CloudTrail. When set to `false` CloudTrail will be used. Defaults to `false` | `bool` | `false` | no |
 | <a name="input_wait_time"></a> [wait\_time](#input\_wait\_time) | Amount of time to wait before the next resource is provisioned. | `string` | `"10s"` | no |

@@ -0,0 +1,28 @@
+# Enable Cloudtrail S3 Management Events
+
+This example adds a dynamic event selector in order to enable Object-level logging in CloudTrail.
+
+## Inputs
+
+| Name                                     | Description                                                        | Type   |
+| ---------------------------------------- | ------------------------------------------------------------------ | ------ |
+| `enable_cloudtrail_s3_management_events` | Set this to `true` to enable CloudTrail Object-level logging.      | `bool` |
+
+## Sample Code
+
+```hcl
+provider "lacework" {}
+
+provider "aws" {
+  region = "us-west-2"
+}
+
+module "aws_cloudtrail" {
+  source  = "lacework/cloudtrail/aws"
+  version = "~> 1.0"
+
+  enable_cloudtrail_s3_management_events = true
+}
+```
+
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
@@ -0,0 +1,11 @@
+provider "lacework" {}
+
+provider "aws" {
+  region = "us-west-2"
+}
+
+module "aws_cloudtrail" {
+  source = "../../"
+
+  enable_cloudtrail_s3_management_events = true
+}
@@ -0,0 +1,8 @@
+# required for Terraform 13
+terraform {
+  required_providers {
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}
@@ -59,6 +59,21 @@ resource "aws_cloudtrail" "lacework_cloudtrail" {
   sns_topic_name             = var.use_s3_bucket_notification ? null : local.sns_topic_arn
   tags                       = var.tags
   enable_log_file_validation = var.enable_log_file_validation
+
+  dynamic "event_selector" {
+    for_each = var.enable_cloudtrail_s3_management_events ? [1] : []
+    # If enable_cloudtrail_s3_management_events is enabled, create one of the below
+    # blocks. Otherwise, create zero of the below blocks.
+    content {
+      read_write_type           = "All"
+      include_management_events = true
+
+      data_resource {
+        type   = "AWS::S3::Object"
+        values = ["${aws_s3_bucket.cloudtrail_bucket[0].arn}/*"]
+      }
+    }
+  }
   depends_on                 = [aws_s3_bucket.cloudtrail_bucket]
 }
 

@@ -13,6 +13,7 @@ TEST_CASES=(
   examples/complete-cloudtrail-unencrypted
   examples/complete-cloudtrail-versioning
   examples/complete-cloudtrail
+  examples/complete-cloudtrail-access-logs-with-object-level-logging
   examples/cloudtrail-existing-kms-key
   examples/consolidated-cloudtrail-multiple-lacework-tenants
   examples/consolidated-cloudtrail

@@ -295,3 +295,9 @@ variable "kms_key_multi_region" {
   default     = true
   description = "Whether the KMS key is a multi-region or regional key"
 }
+
+variable "enable_cloudtrail_s3_management_events" {
+  type        = bool
+  default     = false
+  description = "Enable CloudTrail Object-level logging"
+}