This module creates the following resources:

- aws_cloudtrail_event_data_store
- aws_iam_role (optional)
- aws_iam_role_policy (optional)
- aws_iam_role_policy_attachment (optional)
Requirements

| Name | Version |
|---|---|
| terraform | >= 1.6 |
| aws | >= 5.25 |

Providers

| Name | Version |
|---|---|
| aws | 5.48.0 |

Modules

| Name | Source | Version |
|---|---|---|
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
| role | tedilabs/account/aws//modules/iam-role | ~> 0.23.0 |

Resources

| Name | Type |
|---|---|
| aws_cloudtrail_event_data_store.this | resource |
| aws_caller_identity.this | data source |
| aws_iam_policy_document.s3 | data source |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| `management_event_selector` | (Optional) A configuration of the management event selector used to select the events for the event data store. Only used if `event_type` is `CLOUDTRAIL_EVENTS`. The `management_event_selector` block is defined as follows. (Optional) `enabled` - Whether to capture management events. Defaults to `false`. (Optional) `scope` - The type of events to log. Valid values are `ALL`, `READ` and `WRITE`. Defaults to `ALL`. (Optional) `exclude_event_sources` - A set of event sources to exclude. Valid values are `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `management_event_selector.enabled` must be set to `true` to allow this. | `object({…})` | n/a | yes |
| `name` | (Required) The name of the event data store. | `string` | n/a | yes |
| `data_event_selectors` | (Optional) A configuration of event selectors used to select the data events for the event data store. Each item of the `data_event_selectors` block is defined as follows. (Optional) `name` - A name of the advanced event selector. (Optional) `resource_type` - The resource type whose data events to log. Valid values are one of the following: AWS::DynamoDB::Table, AWS::Lambda::Function, AWS::S3::Object, AWS::AppConfig::Configuration, AWS::B2BI::Transformer, AWS::Bedrock::AgentAlias, AWS::Bedrock::KnowledgeBase, AWS::Cassandra::Table, AWS::CloudFront::KeyValueStore, AWS::CloudTrail::Channel, AWS::CodeWhisperer::Customization, AWS::CodeWhisperer::Profile, AWS::Cognito::IdentityPool, AWS::DynamoDB::Stream, AWS::EC2::Snapshot, AWS::EMRWAL::Workspace, AWS::FinSpace::Environment, AWS::Glue::Table, AWS::GreengrassV2::ComponentVersion, AWS::GreengrassV2::Deployment, AWS::GuardDuty::Detector, AWS::IoT::Certificate, AWS::IoT::Thing, AWS::IoTSiteWise::Asset, AWS::IoTSiteWise::TimeSeries, AWS::IoTTwinMaker::Entity, AWS::IoTTwinMaker::Workspace, AWS::KendraRanking::ExecutionPlan, AWS::KinesisVideo::Stream, AWS::ManagedBlockchain::Network, AWS::ManagedBlockchain::Node, AWS::MedicalImaging::Datastore, AWS::NeptuneGraph::Graph, AWS::PCAConnectorAD::Connector, AWS::QBusiness::Application, AWS::QBusiness::DataSource, AWS::QBusiness::Index, AWS::QBusiness::WebExperience, AWS::RDS::DBCluster, AWS::S3::AccessPoint, AWS::S3ObjectLambda::AccessPoint, AWS::S3Outposts::Object, AWS::SageMaker::Endpoint, AWS::SageMaker::ExperimentTrialComponent, AWS::SageMaker::FeatureGroup, AWS::ServiceDiscovery::Namespace, AWS::ServiceDiscovery::Service, AWS::SCN::Instance, AWS::SNS::PlatformEndpoint, AWS::SNS::Topic, AWS::SWF::Domain, AWS::SQS::Queue, AWS::SSMMessages::ControlChannel, AWS::ThinClient::Device, AWS::ThinClient::Environment, AWS::Timestream::Database, AWS::Timestream::Table, AWS::VerifiedPermissions::PolicyStore. (Optional) `scope` - The type of events to log. Valid values are `ALL`, `READ` and `WRITE`. Defaults to `WRITE`. (Optional) `conditions` - A configuration of field conditions to filter events by the ARN of the resource and the event name. Each item of `conditions` is defined as follows. (Required) `field` - The field to compare in the field condition. Valid values are `event_name` and `resource_arn`. (Required) `operator` - The operator of the field condition. Valid values are `equals`, `not_equals`, `starts_with`, `not_starts_with`, `ends_with`, `not_ends_with`. (Required) `values` - A set of values of the field condition to compare against. | `list(object({…}))` | `[]` | no |
| `encryption` | (Optional) A configuration to encrypt the events delivered by CloudTrail. By default, the event data store is encrypted with a KMS key that AWS owns and manages. The `encryption` block is defined as follows. (Optional) `kms_key` - The ID of the AWS KMS key to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by `alias/`, a fully specified ARN of an alias, a fully specified ARN of a key, or a globally unique identifier. | `object({…})` | `{}` | no |
| `event_type` | (Required) The type of event to be collected by the event data store. Valid values are `CLOUDTRAIL_EVENTS` and `CONFIG_CONFIGURATION_ITEMS`. Defaults to `CLOUDTRAIL_EVENTS`. | `string` | `"CLOUDTRAIL_EVENTS"` | no |
| `import_trail_events_iam_role` | (Optional) A configuration of the IAM Role for importing CloudTrail events from an S3 Bucket. The `import_trail_events_iam_role` block is defined as follows. (Optional) `enabled` - Indicates whether to create the IAM Role used to import trail events. Defaults to `true`. (Optional) `source_s3_buckets` - A list of source S3 buckets to import events from. Each item of `source_s3_buckets` is defined as follows. (Required) `name` - The name of the source S3 bucket. (Optional) `key_prefix` - A key prefix within the source S3 bucket. | `object({…})` | `{}` | no |
| `level` | (Optional) The level of the event data store, which decides whether the event data store collects events logged for an organization in AWS Organizations. Can be created in the management account or a delegated administrator account. Valid values are `ACCOUNT` and `ORGANIZATION`. Defaults to `ACCOUNT`. | `string` | `"ACCOUNT"` | no |
| `module_tags_enabled` | (Optional) Whether to create AWS Resource Tags for the module information. | `bool` | `true` | no |
| `resource_group_description` | (Optional) The description of the Resource Group. | `string` | `"Managed by Terraform."` | no |
| `resource_group_enabled` | (Optional) Whether to create a Resource Group to find and group the AWS resources created by this module. | `bool` | `true` | no |
| `resource_group_name` | (Optional) The name of the Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
| `retention_in_days` | (Optional) The retention period of the event data store, in days. You can set a retention period of up to 2557 days. Defaults to 2555 days (7 years). | `number` | `2555` | no |
| `scope` | (Optional) The scope of the event data store, which decides whether the event data store includes events from all regions or only from the region in which the event data store is created. Supported values are `REGIONAL` and `ALL`. Defaults to `ALL`. | `string` | `"ALL"` | no |
| `tags` | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
| `termination_protection_enabled` | (Optional) Whether termination protection is enabled for the event data store. If termination protection is enabled, you cannot delete the event data store until termination protection is disabled. Defaults to `true`. | `bool` | `true` | no |
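The following is an added usage example, not part of the module's own README, showing how the inputs above combine into an organization-wide event data store with a customer-managed key, a filtered S3 data-event selector and an import role. The module `source` path, bucket names and KMS alias are placeholders.

```hcl
# Added example, not part of the module's own README. The source path is a
# placeholder; bucket and key names below are constructed for illustration.
module "audit_lake" {
  source = "./modules/event-data-store" # placeholder path (assumption)
  name       = "org-audit-lake"
  event_type = "CLOUDTRAIL_EVENTS"
  level      = "ORGANIZATION" # whole AWS Organization, not just this account
  scope      = "ALL"          # every region, not only the creating region

  retention_in_days              = 2555 # 7 years (module default, made explicit)
  termination_protection_enabled = true # must be disabled before a delete succeeds

  # Management events: record reads and writes, excluding the two noisy
  # sources the module allows you to drop.
  management_event_selector = {
    enabled               = true
    scope                 = "ALL"
    exclude_event_sources = ["kms.amazonaws.com", "rdsdata.amazonaws.com"]
  }

  # Data events: only writes to objects under one sensitive bucket, matched
  # by ARN prefix rather than logging every S3 object event in the org.
  data_event_selectors = [
    {
      name          = "sensitive-bucket-writes"
      resource_type = "AWS::S3::Object"
      scope         = "WRITE"
      conditions = [
        {
          field    = "resource_arn"
          operator = "starts_with"
          values   = ["arn:aws:s3:::example-sensitive-bucket/"]
        }
      ]
    }
  ]

  # Customer-managed KMS key instead of the AWS-owned default key.
  encryption = {
    kms_key = "alias/example-audit-lake"
  }
  # Let the module create the IAM role used to backfill events from an existing trail's bucket.
  import_trail_events_iam_role = {
    enabled = true
    source_s3_buckets = [
      { name = "example-org-trail-logs", key_prefix = "AWSLogs/" }
    ]
  }
}
```

Because `level` is `ORGANIZATION`, this must be applied from the management account or a delegated administrator account, and the key behind `alias/example-audit-lake` must allow CloudTrail to use it.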
Outputs

| Name | Description |
|---|---|
| `arn` | The Amazon Resource Name (ARN) of the event data store. |
| `data_event_selectors` | The event selectors used to select the data events for the event data store. |
| `encryption` | The configuration for the encryption of the event data store. |
| `event_type` | The type of event to be collected by the event data store. |
| `id` | The ID of the event data store. |
| `import_trail_events_iam_role` | The configuration of the IAM Role for importing CloudTrail events from an S3 Bucket. |
| `level` | The level of the event data store, which decides whether the event data store collects events logged for an organization in AWS Organizations. |
| `management_event_selector` | The event selector used to select the management events for the event data store. |
| `name` | The name of the event data store. |
| `retention_in_days` | The retention period of the event data store, in days. |
| `scope` | The scope of the event data store, which decides whether the event data store includes events from all regions or only from the region in which the event data store is created. |
| `termination_protection_enabled` | Whether termination protection is enabled for the event data store. |